Sophos

W32/Magistr-A

Aliases
  • W32/Magistr@MM
  • I-Worm.Magistr
  • PE_MAGISTR.A
  • W32.Magistr.24876
  • W32/Disemboweler
  • W32.Magistr/MM
  • Begemont

Summary

 
Affected operating systems: Windows
Included in our products from: May 2001 (3.45)
Detected by: All Sophos products

Action

Please follow the instructions for removing infected executable files.

Editing the registry

In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<infected filename>

and delete it if it exists.

Close the registry editor.

Editing Win.ini

At the taskbar, click Start|Run and type Sysedit. Bring Win.ini to the front. In the [windows] section, search for a line beginning with 'Run=' and delete any references to the files you removed. Delete only that reference, not any other text.

Reboot your computer.
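
As an added illustration (not Sophos code), the Win.ini edit described above can be written as a small Python function that removes only the references to the files you removed from the Run= line in the [windows] section and leaves every other line untouched. The function name, the sample Win.ini content and the paths in it are constructed for this example, and matching entries by file name is an assumption.

```python
import ntpath
import re

# Constructed sample, not taken from a real system. The second run= line sits
# outside [windows] to show that other sections are left alone.
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=\n"
    "run=C:\\TOOLS\\CLOCK.EXE C:\\WINDOWS\\CFGWIZ32.EXE\n"
    "NullPort=None\n"
    "[Desktop]\n"
    "run=C:\\WINDOWS\\CFGWIZ32.EXE\n"
)


def strip_run_references(ini_text, removed_files):
    """Return (new_text, dropped): ini_text with references to removed_files
    taken out of the Run= line in [windows], plus the entries that were dropped."""
    # Assumption: an entry refers to a removed file if the file names match,
    # compared case-insensitively (Windows paths are not case-sensitive).
    targets = {ntpath.basename(f).lower() for f in removed_files}
    out, dropped, section = [], [], None
    for line in ini_text.splitlines():
        header = re.match(r"\s*\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        m = re.match(r"(\s*run\s*=)(.*)$", line, re.IGNORECASE)
        if section == "windows" and m:
            kept = []
            # Entries on a run= line are separated by spaces or commas.
            for entry in re.split(r"[ ,]+", m.group(2).strip()):
                if not entry:
                    continue
                if ntpath.basename(entry).lower() in targets:
                    dropped.append(entry)
                else:
                    kept.append(entry)
            # Rebuild the line with the remaining entries only.
            line = m.group(1) + " ".join(kept)
        out.append(line)
    return "\n".join(out) + "\n", dropped


if __name__ == "__main__":
    text, gone = strip_run_references(SAMPLE_WIN_INI, ["c:\\windows\\cfgwiz32.exe"])
    print("Dropped:", gone)
    print(text)
```
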

More Information

Please note: Some users get confused between this virus and the SULFNBK and JDBGMGR hoaxes.

W32/Magistr-A is a polymorphic Windows 32 executable file virus which spreads by infecting files and via email. Magistr includes highly destructive code which - if triggered - can delete all files from local and network drives, wipe the CMOS settings, and flash the BIOS chip of your computer.


The virus searches the user's address book, mailboxes and other files present on the computer for email addresses. The virus specifically targets addresses from Outlook Express, Netscape Navigator and Internet Mail and News. It then sends itself to these email addresses using its own SMTP client.

The email message it sends has a randomly generated subject, body text and attached filename.

Filenames that the virus can use include:

CFGWIZ32.EXE
CHLINST.EXE
DPLAYSVR.EXE
MAKETAG.EXE
MKCOMPAT.EXE
MLSET32.EXE
MSOOBD.EXE
MSOOBE.EXE
OEMRNCE.EXE
SETMODD.EXE
SUCATREG.EXE
SULFNBK.EXE
UNREGASF.EXE

Please note that these files are often found on uninfected systems, so their mere presence on your computer is not necessarily an indication of infection by this virus.

W32/Magistr-A will attempt to infect files in shared network resources. This includes files in both mapped drives and named shared areas.

In an attempt to remain active when Windows is restarted, the virus adds the name of an infected file to the "run=" lines of the WIN.INI file and to the Registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<infected filename>

The virus contains the following text:

ARF! ARF! I GOT YOU! v1rus: Judges Disemboweler. by The Judges Disemboweler written in Malmo (Sweden)

The virus also includes a series of words and phrases, including the following:

sentences you
sentences him to
sentence you to
ordered to prison
convict
judge
circuit judge
trial judge
found guilty
find him guilty
affirmed
judgment of conviction
verdict
guilty plea
trial court
trial chamber
sufficiency of proof
sufficiency of the evidence
proceedings
against the accused
habeas corpus
jugement

It also contains similar phrases in French and Spanish.
