[WARNING] Philippe Tromeur, virus notice.

Author: Gilles d'Argyres <thalsion_at_...>
Date: Mon, 16 Jul 2001 21:12:18 -0000


Hi everyone!

I have just personally observed the random sending of a virus that transmits itself when an attached file is executed, by instructing the system to send it to the e-mail addresses stored in the host's e-mail software (Outlook most of the time). (Phew! Did you follow that?)

Philippe (Tromeur), you have probably already received a short e-mail from me (giving you the benefit of the doubt) saying that I no longer wanted any mail from you; disregard it. The virus acts without your knowledge (see the detailed write-up in the PS, I know you read English).

I received directly in my mailbox, from philippe.tromeur_at_wanadoo.fr, a very suspicious e-mail that is certainly (I checked) of automatic origin.
For me the subject was:
!"#$

There was no text, and just one attached file: REGSVR32.EXE (83k)

Here is what Hotmail/McAfee told me about it:



Hotmail automatically scans all attachments for viruses using McAfee.

File name       Virus Scan result
REGSVR32.EXE    W32/Magistr_at_MM  Virus detected


Since this is remote information, my own computer is entirely out of the picture.
This is not a hoax; every member of the mailing list is potentially affected.

DO NOT FORWARD THIS MESSAGE TO OTHERS IF YOU ARE NOT PHILIPPE TROMEUR.
Comments are pointless; it can happen to anyone.

If you have received nothing, you are not affected. If you executed the file attached to the suspicious message (that's baaaad!), do not connect your computer to the network again before having disinfected it.

Thanks.

         Thalsion

PS: Here is its complete write-up...
Source site:
http://www.mcafee.com/
Direct link to the write-up:
http://vil.mcafee.com/dispVirus.asp?virus_k=99040&

Virus Name: W32/Magistr_at_MM
Date Added: 3/13/01 11:48:44 AM

VIRUS FAMILY STATISTICS
Over the Past 30 Days

Virus Name          Infected Files   Scanned Files   % Infected Computers
W32/Magistr.dam              4,786         216,287                   0.53
W32/Magistr_at_MM          187,186       6,087,036                   8.15

Virus Characteristics:
Update May 30, 2001:
AVERT has observed a steady increase in the prevalence of this virus over the last week amongst end users. End users are advised to update their DAT files immediately to protect themselves from this threat. W32/Magistr_at_MM is a combination of a file infector virus and an e-mail worm.
- The viral code infects 32-bit PE type files (.exe) in the WINDOWS directory and subdirectories.
- The worm part uses mass-mailing techniques to send itself to email addresses stored in several places. The worm installs itself to run at each system startup.

Five minutes after the virus is run, it attempts a mailing routine. Email addresses are gathered from the Windows Address Book, Outlook Express mailboxes, and Netscape mailboxes (address found in the email messages within existing mailboxes are gathered), and these file locations and addresses are saved to a hidden .DAT file somewhere on the hard disk (varies). The messages sent by the worm contain varying subject headings, body text, and attachments. The body of the message is derived from the contents of other files on the victim's computer. It may send more than one attachment and may include non .EXE or nonviral  files along with an infectious .EXE file.

The virus proceeds by infecting 32-bit PE (Portable Executable) type .EXE files found in the WINDOWS SYSTEM directory and subdirectories. The viral code is encrypted, polymorphic, and uses anti-debugging techniques to make it difficult to detect. Email addresses have been seen encrypted in infected files. These addresses are believed to represent other users that have also been infected from the same point of origin.

In the decrypted body of the virus code, the following comments exist:

ARF! ARF! I GOT YOU! v1rus: Judges Disemboweler. by: The Judges Disemboweler.
written in Malmo (Sweden)

W32/Magistr_at_MM has a payload routine that on some systems may result in cmos/bios info being erased as well as destroying sectors on the hard disk.

Indications Of Infection:
- Increase in size in .EXE files (adds 24Kb or more)

Method Of Infection:
This worm arrives as an .EXE file with varying filenames. Executing this attachment infects your machine, which is then used to propagate the virus.

When first run, the virus may copy one .EXE file in the WINDOWS or WINDOWS SYSTEM directory using the same name with an altered last character.

For example, CFGWIZ32.EXE becomes CFGWIZ31.EXE, PSTORES.EXE becomes PSTORER.EXE, etc.
(this naming convention seems to be consistent where the last character of the filename is decreased by a factor of 1)

This copy is then infected and a WIN.INI entry, or a registry run key value may be created, to execute this infected file upon system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ CFGWIZ31=C:\WINDOWS\SYSTEM\CFGWZ31.EXE

This copied executable infects other PE .EXE files in the SYSTEM directory and subdirectories, when run. It also infects over open network shares.

This virus will create a .DAT file on the local file system which contains strings of the files used to grab email address from (.dbx, .mbx, .wab), and also strings of email addresses which will be used as a target list. The .DAT file will be named after the machine name, but in an offset method. For instance, here is a corresponding list of letter equivalents used:

original letter           corresponds to
     a             ->           y
     b             ->           x
     c             ->           w
     d             ->           v
     e             ->           u
     f             ->           t
     g             ->           s
     h             ->           r
     i             ->           q
     j             ->           p
     k             ->           o
     l             ->           n
     m             ->           m
     n             ->           l
     o             ->           k
     p             ->           j
     q             ->           i
     r             ->           h
     s             ->           g
     t             ->           f
     u             ->           e
     v             ->           d
     w             ->           c
     x             ->           b
     y             ->           a
     z             ->           z

Numbers are not affected. So a machine name of ABC-123 would have a .DAT file on the local system named YXW-123.DAT.
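The two naming rules above (the decremented last character of the dropped copy, and the letter mapping used for the hidden .DAT file) can be turned into a small host check. The following is an added example, not code from the original post or from McAfee; the mapping and the "decrease the last character by one" rule are taken from the write-up, case is assumed to be preserved, and the write-up does not say what the worm does when the last character cannot be decreased (an 'A' or a '0'), so that case is reported as unknown. The directory listing and machine name are constructed sample data.

```python
# Added example: derive the W32/Magistr file-name indicators described in the
# write-up and look for them in a directory listing. Not the worm's own code.
import string

# Letters a..y map onto each other in reverse (a<->y, b<->x, ..., m<->m) and z
# maps to itself; digits and other characters are left unchanged, per the table.
_LETTERS = string.ascii_lowercase[:25]                      # 'a'..'y'
_TABLE = {c: _LETTERS[24 - i] for i, c in enumerate(_LETTERS)}
_TABLE["z"] = "z"


def dat_name_for_host(machine_name: str) -> str:
    """Expected name of the hidden .DAT address cache for this machine name.
    Case preservation is an assumption; the write-up shows only upper case."""
    out = []
    for ch in machine_name:
        mapped = _TABLE.get(ch.lower(), ch.lower())
        out.append(mapped.upper() if ch.isupper() else mapped)
    return "".join(out) + ".DAT"


def host_from_dat_name(dat_name: str) -> str:
    """Recover the machine name from a .DAT name (the mapping is its own inverse)."""
    stem = dat_name[:-4] if dat_name.upper().endswith(".DAT") else dat_name
    return dat_name_for_host(stem)[:-4]


def dropped_copy_name(exe_name: str):
    """Name the worm would give its infected copy of exe_name: the last character
    of the stem decreased by one (CFGWIZ32 -> CFGWIZ31, PSTORES -> PSTORER).
    Returns None when decrementing leaves the alphanumeric range, which the
    write-up does not cover (hypothetical handling, not documented behaviour)."""
    stem, dot, ext = exe_name.rpartition(".")
    if not dot:
        stem, ext = exe_name, ""
    if not stem:
        return None
    last = stem[-1]
    prev = chr(ord(last) - 1)
    if not (last.isalnum() and prev.isalnum()):
        return None
    return stem[:-1] + prev + (dot + ext if dot else "")


def find_indicators(machine_name: str, file_listing):
    """Return names in file_listing that match the derived indicators: the
    machine-specific .DAT file, and any .EXE whose decremented-name sibling is
    also present (the original and the infected copy side by side)."""
    present = {name.upper() for name in file_listing}
    hits = []
    dat = dat_name_for_host(machine_name).upper()
    if dat in present:
        hits.append(dat)
    for name in sorted(present):
        if name.endswith(".EXE"):
            copy = dropped_copy_name(name)
            if copy and copy in present:
                hits.append(copy)
    return hits


# Constructed sample: a SYSTEM directory listing for a machine named ABC-123.
SAMPLE_MACHINE = "ABC-123"
SAMPLE_LISTING = [
    "CFGWIZ32.EXE", "CFGWIZ31.EXE",   # original plus its decremented-name copy
    "PSTORES.EXE", "NOTEPAD.EXE",     # originals without a suspicious sibling
    "KERNEL32.DLL",
    "YXW-123.DAT",                    # the address cache named after ABC-123
]

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_MACHINE, SAMPLE_LISTING):
        print("indicator present:", hit)
```

A name pair alone is a weak signal (two legitimately named files can differ by one character), so treat a hit as a reason to check the candidate copy's size against the write-up's "adds 24Kb or more" and the Run key quoted above, and to scan with current DAT files, not as a verdict on its own.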

Removal Instructions:
Use specified engine and DAT files for detection and removal.

Windows ME Info:
NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.

Disabling the Restore Utility

  1. Right click the My Computer icon on the Desktop.
  2. Click on the Performance Tab.
  3. Click on the File System button.
  4. Click on the Troubleshooting Tab.
  5. Put a check mark next to "Disable System Restore".
  6. Click the Apply button.
  7. Click the Close button.
  8. Click the Close button again.
  9. You will be prompted to restart the computer. Click Yes. NOTE: The Restore Utility will now be disabled.
  10. Restart the computer in Safe Mode.
  11. Run a scan with VirusScan to delete all infected files, or browse the files located in the C:\_Restore folder and remove the files.
  12. After removing the desired files, restart the computer normally. NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected files are removed and the System Restore is once again active.

Virus Information:  

Discovery Date: 3/12/01
Origin: Europe
Length: Varies, adds at least 24 Kb
Type: Virus
SubType: worm
Risk Assessment: Medium

Aliases
I-Worm.Magistr (CA), Magistr (F-Secure), PE_MAGISTR.A (Trend), W32.Magistr.24876_at_mm (Symantec) , W32/Disemboweler (Panda), W32/Magistr-a (Sophos)


