Re: I have a virus.

["William J. Larson" <bill_larson@CSI.COM>]

I think its PC only. And I think it would be discarded by Phys-L anyway. I
did not intend to post to Phys-L

Cheers,
Bill Larson
Geneva, Switzerland


----- Original Message -----
From: Bernard Cleyet <georgeann@REDSHIFT.COM>
To: <PHYS-L@lists.nau.edu>
Sent: 2001 April 19 5:00 AM
Subject: Re: I have a virus.


> Is this an IBM only virus, or does it infect Mac's?  What if one has
virtual PC?
> Does this sensitize a Mac. for all PC viri?
>
> bc
>
>
> Doug Craigen wrote:
>
> > For anybody who suspects they may have this virus - I know it well as I
> > cleaned off two friends computers last weekend.  As far as email worms
> > go, this one is nasty.
> >
> > You can get a free tool at http://www.avp.com/ (bottom of the page)
> > which is only around 200K and cleans it off your hard computer (if
> > you're not infected, you will find that out too).  The benefit here is
> > that you can put this on a floppy, that way you can boot up the computer
> > and clean it immediately, without waiting to download the latest virus
> > definitions (this one is only a month old).  If you're online
> > downloading on an infected computer, the virus is likely busy sending
> > itself to people in your address book and "sent" mail folder.
> >
> > Norton does detect and clean this one too (I deliberately placed but
> > didn't run an infected file on my own computer to check), but your
> > definitions have to be up to date.  McAfee's web site indicates they
> > haven't caught on to the various "payloads" yet, as they only have it
> > listed as a medium threat.
> >
> > "William J. Larson" wrote:
> > > I've sent this message to every person in my mail address book. :-|
> > > I hope this message was not necessary for you, but a useless message
is
> > > better than a virus. :-|
> > >
> > > I got a virus 12 hours ago.
> > >
> > > It appears that most office systems are repelling it (& complaining to
me.)
> > > But if you have your own computer at home & are not running an
anti-virus
> > > program, buy one today.
> > >
> > > My virus will or already has sent you email with an .exe. If you get
it,
> > > delete it immediately.
> > >
> > > My version of Norton Anti-Virus has not deleted my virus. I have sent
> > > several
> > > messages to Norton tech support. When they wake up on the East coast,
Iâ?Tll
> > > probably get a useful answer & kill it.
> > >
> > > It seems to be called PE_MAGISTR.A. Itâ?Ts very bad. After 1 month it
begins
> > > to kill your computer! I have just backed up all my personal files
(400 MB).
> > > I'm VERY, VERY sorry.  :-((
> > >
> > > Good luck,
> > > Bill Larson
> > > PS wish me luck!
> > >
> > > PPS from:
> > >
> > > http://www.wopr.com/wwinfo/virframe.htm
> > >
> > > W32.Magistr.24876@mm
> > > Discovered on: March 13, 2001
> > > Last Updated on: April 4, 2001 at 11:55:55 AM PDT
> > >
> > > pf/w32.magistr.24876@mm.htmlPrinter-friendly version
> > > Due to the increased number of submissions, SARC has updated the
threat
> > > level of this virus from 3 to 4.
> > > W32.Magistr.24876@mm is a virus that has email worm capability. It is
also
> > > network aware. It infects Windows Portable Executable (PE) files, with
the
> > > exception of .dll system files, and sends email messages to addresses
that
> > > it gathers from the Outlook/Outlook Express mail folders (.dbx, .mbx),
the
> > > sent items file from Netscape, and Windows address books (.wab), which
are
> > > used by mail clients such as Microsoft Outlook and Microsoft Outlook
> > > Express,. The email message may have up to two attachments, and it has
a
> > > randomly generated subject line and message body.
> > > Also Known As: I-Worm.Magistr, PE_MAGISTR.A, W32.Magistr@mm
> > > Category: Virus, Worm
> > > Infection Length: varies
> > > Virus Definitions: March 13, 2001
> > > Threat Assessment:
> > > Wild:
> > > ï,· Number of infections: 50 - 999
> > > ï,· Number of sites: More than 10
> > > ï,· Geographical distribution: Medium
> > > ï,· Threat containment: Moderate
> > > ï,· Removal: Moderate
> > > Damage:
> > > ï,· Payload:
> > > ï,· Large scale e-mailing: Uses email addresses from the Windows
Address Book
> > > files and Outlook Express Sent Items folder.
> > > ï,· Causes system instability: Overwrites hard drives, erases CMOS,
flashes
> > > the BIOS.
> > > ï,· Releases confidential info: It could send confidential Microsoft
Word
> > > documents to others.
> > > Distribution:
> > > ï,· Subject of email: Randomly generated text that can be up to 60
characters
> > > long.
> > > ï,· Name of attachment: One randomly named infected executable and
several
> > > randomly selected text or document files
> > > ï,· Target of infection: All Windows PE files that are not .dll files.
> > > Technical description:
> > >
> > > When a file that is infected by W32.Magistr.24876@mm is executed, it
> > > searches in memory for a readable, writable, initialized section
inside the
> > > memory space of Explorer.exe. If one is found, a 110-byte routine is
> > > inserted into that area, and the TranslateMessage function is hooked
to
> > > point to that routine. This code first appeared in W32.Dengue.
> > >
> > > When the inserted code gains control, a thread is created and the
original
> > > TranslateMessage function is called. The thread waits for three
minutes
> > > before activating. Then the virus obtains the name of the computer,
converts
> > > it to a base64 string, and depending on the first character of the
name,
> > > creates a file in either the \Windows folder, the \Program Files
folder, or
> > > the root folder. This file contains certain information, such as the
> > > location of the email address books and the date of initial infection.
Then
> > > it retrieves the current user's email name and address information
from the
> > > registry (Outlook, Exchange, Internet Mail and News), or the Prefs.js
file
> > > (Netscape). The virus keeps in its body a history of the 10 most
recently
> > > infected users, and these names are visible in infected files when the
virus
> > > is decrypted. After this, the virus searches for the Sent file in the
> > > Netscape folder, and for .wab, .mbx, and .dbx files in the \Windows
and
> > > \Program Files folders.
> > >
> > > If an active Internet connection exists, the virus searches for up to
five
> > > .doc and .txt files and chooses a random number of words from one of
these
> > > files. These words are used to construct the subject and message body
of the
> > > email message. Then the virus searches for up to 20 .exe and .scr
files
> > > smaller than 128 KB, infects one of these files, attaches the infected
file
> > > to the new message, and sends this message to up to 100 people from
the
> > > address books. In addition there is a 20-percent chance that it will
attach
> > > the file from which the subject and message body was taken, and an
> > > 80-percent chance that it will add the number 1 to the second
character of
> > > the sender address. This last change prevents replies from being
returned to
> > > you and possibly alerting you to the infection.
> > > After the mailing is done, the virus searches for up to 20 .exe and
.scr
> > > files, and infect one of these files. Then there is a 25-percent
chance, if
> > > the Windows directory is named one of the following:
> > > ï,· Winnt
> > > ï,· Win95
> > > ï,· Win98
> > > ï,· Windows
> > > that the virus will move the infected file into the \Windows folder
and
> > > alter the file name slightly. Once the file is moved, a run= line is
added
> > > to the Win.ini file to run the virus whenever the computer is started.
In
> > > the other 75 percent of cases, the virus will create a registry subkey
in
> > > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> > >
> > > The name of this subkey is the name of the file without a suffix, and
the
> > > value is the complete file name of the infected file. The virus then
> > > searches all local hard drives and all shared folders on the network
for up
> > > to 20 .exe and .scr files to infect, and add the run= line if the
\Windows
> > > folder exists in that location.
> > >
> > > If the computer has been infected for one month and at least 100
people have
> > > been sent an infected file, and if at least three files contain at
least
> > > three examples from the following list:
> > >
> > > sentences you
> > > sentences him to
> > > sentence you to
> > > ordered to prison
> > > convict
> > > , judge
> > > circuit judge
> > > trial judge
> > > found guilty
> > > find him guilty
> > > affirmed
> > > judgment of conviction
> > > verdict
> > > guilty plea
> > > trial court
> > > trial chamber
> > > sufficiency of proof
> > > sufficiency of the evidence
> > > proceedings
> > > against the accused
> > > habeas corpus
> > > jugement
> > > condamn
> > > trouvons coupable
> > > a rembourse
> > > sous astreinte
> > > aux entiers depens
> > > aux depens
> > > ayant delibere
> > > le present arret
> > > vu l'arret
> > > conformement a la loi
> > > execution provisoire
> > > rdonn
> > > audience publique
> > > a fait constater
> > > cadre de la procedure
> > > magistrad
> > > apelante
> > > recurso de apelaci
> > > pena de arresto
> > > y condeno
> > > mando y firmo
> > > calidad de denunciante
> > > costas procesales
> > > diligencias previas
> > > antecedentes de hecho
> > > hechos probados
> > > sentencia
> > > comparecer
> > > juzgando
> > > dictando la presente
> > > los autos
> > > en autos
> > > denuncia presentada
> > > then the virus will activate the first of its payloads. This payload
is
> > > similar to that of W32.Kriz, and it does the following:
> > > ï,· Deletes the infected file
> > > ï,· Erases CMOS (Windows 9x/Me only)
> > > ï,· Erases the Flash BIOS (Windows 9x/Me only)
> > > ï,· Overwrites every 25th file with the text YOUARESHIT as many times
as it
> > > will fit in the file
> > > ï,· Deletes every other file
> > > ï,· Displays the following message:
> > >
> > > Cheers,
> > > Bill Larson
> > > Geneva, Switzerland
> >
> > --
> >
> > \_/^\_/^\_/^\_/^\_/^\_/^\_/^\_/^\_/^\_/^\_/^\_/^\_/^\
> >
> > Doug Craigen
> >           http://www.dctech.com/physics/about_dc.html