Win32.Magistr.B@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Magistr.B@mm is also known as N/A.
Explanation:
This virus is an improved and more stable version of Win32.Magistr.A@mm.
Its decryption routine is more elaborate, and the original data from the entry point is now encrypted with a key generated from the computer name. Because the key is specific to the machine on which the file was infected, cleaning the infected files is more difficult.
It can infect more computers on a network than the previous version because it now looks for more Windows directory names.
When infecting over the network it searches for the following directory names:
WINDOWS
WIN95
WIN98
WINME
WINNT
WIN2000
WIN2K
WINXP
and infects the files in those directories. It then registers itself for autostart in WIN.INI (the run= key of the [windows] section) and in SYSTEM.INI (the shell= key of the [boot] section).
On the local machine it also adds itself to the registry under the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run,
using the name of the first infected file as the value name and the path to that file as the value data.
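A quick audit of the autostart locations just described, as an added example (this is not BitDefender's code): it parses WIN.INI and SYSTEM.INI text, flags any run=/load= value that is set at all and any shell= value that carries anything beyond explorer.exe, and, on a Windows host, lists HKLM Run values whose name equals the basename of their data, the pattern the description gives (first infected file's name as value name, its path as data). The sample INI contents are constructed; the name-equals-basename heuristic is an assumption drawn from the description and also matches some legitimate entries (older Windows versions registered ctfmon.exe that way), so treat its output as candidates for review, not verdicts.

```python
"""Audit the Magistr.B-style autostart entries described above.

Added example (not BitDefender's code).  It reads WIN.INI / SYSTEM.INI text
and the HKLM Run key and reports values that look like injected autostart
entries.  The sample INI contents below are constructed for the example.
"""
import ntpath
from typing import Dict, List, Sequence, Tuple

# Autostart keys named in the description: run= in [windows] of WIN.INI and
# shell= in [boot] of SYSTEM.INI.  load= is added because it is the other
# autostart key in the same WIN.INI section (assumption: worth checking too).
WATCHED = {
    "win.ini": {"windows": ("run", "load")},
    "system.ini": {"boot": ("shell",)},
}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Tiny INI parser: section and key names lower-cased, values verbatim."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_ini(name: str, text: str) -> List[str]:
    """Return findings for one INI file ("win.ini" or "system.ini")."""
    findings: List[str] = []
    sections = parse_ini(text)
    for section, keys in WATCHED[name].items():
        for key in keys:
            value = sections.get(section, {}).get(key, "")
            if not value:
                continue  # run=/load= are empty on a clean system
            if key == "shell":
                # shell=explorer.exe on its own is normal; Magistr appends its
                # own executable after the shell, so any extra token is suspect.
                tokens = value.split()
                if len(tokens) == 1 and ntpath.basename(tokens[0]).lower() == "explorer.exe":
                    continue
            findings.append(f"{name} [{section}] {key}={value}")
    return findings


def first_executable(data: str) -> str:
    """Extract the program path from Run-key data, honouring a quoted path."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split()[0] if data else ""


def run_key_findings(entries: Sequence[Tuple[str, str]]) -> List[str]:
    """Heuristic from the description: value name == infected file's name and
    data == its path, so flag entries whose name equals basename(data)."""
    findings: List[str] = []
    for name, data in entries:
        if name.lower() == ntpath.basename(first_executable(data)).lower():
            findings.append(f"HKLM\\{RUN_KEY} {name} = {data}")
    return findings


def audit_run_key() -> List[str]:
    """Read the live HKLM Run key on Windows; returns [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    entries: List[Tuple[str, str]] = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            entries.append((name, str(data)))
            index += 1
    return run_key_findings(entries)


# Constructed samples: what the two INI files look like after infection.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\INFECTED.EXE\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\INFECTED.EXE\n[386Enh]\n"
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n"

if __name__ == "__main__":
    for finding in (audit_ini("win.ini", SAMPLE_WIN_INI)
                    + audit_ini("system.ini", SAMPLE_SYSTEM_INI)
                    + audit_run_key()):
        print("SUSPICIOUS:", finding)
```

On a real host, feed `audit_ini` the contents of `%WINDIR%\WIN.INI` and `%WINDIR%\SYSTEM.INI`; for the network-spread case the same two files can be read from each remote machine's share, which is where the description says the worm writes them.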
This version also searches for e-mail addresses in Eudora's address book, in addition to the e-mail clients handled by the previous version, such as Outlook Express and Netscape.
The texts for the e-mail body are now also in French. The words used to compose the message are taken from the following list of French legal phrases (kept here verbatim, as the virus uses them):
habeas corpus
judgement
condamné
trouvons coupable
à rembourse
sous astreinte
aux entiers depens
aux depens
ayant delibere
le present arret
vu l'arret
conformement a la loi
execution provisoire
ordonne
audience publique
a fait constater
cadre de la procedure
magistrad
The virus now sends not only .DOC files but also .GIF images through e-mail. It checks whether the ZoneAlarm firewall is present and, if so, terminates it.
Last update 21 November 2011