W32/Magistr.b@MM

Type
Virus
SubType
File Infector
Discovery Date
09/03/2001
Length
Minimum DAT
4158 (09/12/2001)
Updated DAT
4745 (04/20/2006)
Minimum Engine
5.1.00
Description Added
09/03/2001
Description Modified
04/09/2002 12:32 PM (PT)
Risk Assessment
Corporate User
Medium
Home User
Medium

Characteristics

This variant of W32/Magistr.a@MM is considered a medium risk due to the number of samples received by AVERT.

This variant differs from W32/Magistr.a@MM in several ways:

- It uses a more complex encryption technique.
- It deletes all .NTZ files on the local machine.
- It terminates the ZoneAlarm firewall user interface process if it is running (the firewall itself is not terminated, only its UI process).
- It adds a shell= value to the [boot] section of SYSTEM.INI so that it runs at startup.
- It uses a random extension on the executable attachments it sends (.bat, .com, .exe or .pif).
- The file name of the attachment it sends may be derived from a word found in files on the infected system.
- It has also been reported to harvest email addresses from Eudora mailbox files (.MBX), to overwrite WIN.COM (Windows 9x/ME) or NTLDR (Windows NT-based systems) with a program that erases data from the hard disk (this trojan is detected as QZap195; the overwritten WIN.COM or NTLDR cannot be cleaned and must be restored from backups), and to send .GIF files found on the local machine to others along with itself.

The characteristics mentioned above are in addition to those found under the W32/Magistr.a@MM description.
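The startup hook, the attachment extensions and the boot-file overwrite listed above can be checked for on a suspect machine independently of the DAT files. The following Python script is an added example written for this page, not McAfee/AVERT code: the two SYSTEM.INI fragments, the dropped-file path C:\WINDOWS\DROPPED.EXE and the known-good hash are constructed for illustration, and the check assumes that a clean [boot] shell= line holds only explorer.exe with no arguments.

```python
"""Triage checks for the W32/Magistr.b behaviour described above.

Added example; not McAfee/AVERT code. All sample data below is constructed.
"""
import hashlib
from typing import Optional

# Assumption: on a clean Windows 9x/ME system the [boot] shell= line is
# "explorer.exe" with no arguments; anything appended is a startup hook.
DEFAULT_SHELL = "explorer.exe"

# Extensions the page lists for the worm's outgoing attachments.
SUSPECT_EXTENSIONS = {".bat", ".com", ".exe", ".pif"}

# Constructed SYSTEM.INI fragments (not copied from an infected machine).
CLEAN_SYSTEM_INI = """[boot]
shell=Explorer.exe
drivers=mmsystem.dll

[386Enh]
device=*vpowerd
"""

# The appended path is a hypothetical placeholder, not a real sample name.
HOOKED_SYSTEM_INI = """; comment line
[boot]
drivers=mmsystem.dll
shell=Explorer.exe C:\\WINDOWS\\DROPPED.EXE

[386Enh]
device=*vpowerd
"""


def boot_shell_value(system_ini_text: str) -> Optional[str]:
    """Return the shell= value from the [boot] section, or None if absent.

    A small hand-rolled parser is used instead of configparser because
    SYSTEM.INI may contain key-only lines and duplicate keys that
    configparser rejects by default.
    """
    section = None
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "boot" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "shell":
                return value.strip()
    return None


def shell_hook(system_ini_text: str) -> Optional[str]:
    """Return the full shell= value if it is anything other than the bare
    default shell; None means no startup hook was found."""
    value = boot_shell_value(system_ini_text)
    if value is None:
        return None
    tokens = value.split()
    if len(tokens) == 1 and tokens[0].lower() == DEFAULT_SHELL:
        return None
    return value


def suspect_attachment(filename: str) -> bool:
    """True if an attachment carries one of the executable extensions the
    worm uses. Only the final extension is checked, so "photo.gif.pif" is
    flagged while a plain .gif is not."""
    dot = filename.rfind(".")
    return dot != -1 and filename[dot:].lower() in SUSPECT_EXTENSIONS


def boot_file_matches(file_bytes: bytes, known_good_sha256: str) -> bool:
    """Compare WIN.COM or NTLDR contents against a hash recorded from a
    known-good backup; a mismatch means the file must be restored from
    backup rather than cleaned."""
    return hashlib.sha256(file_bytes).hexdigest() == known_good_sha256.lower()


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_SYSTEM_INI), ("hooked", HOOKED_SYSTEM_INI)):
        print(label, "->", shell_hook(text))
    for name in ("readme.pif", "photo.gif", "photo.gif.exe"):
        print(name, "->", suspect_attachment(name))
```

On Windows NT-based systems the shell setting lives in the registry Winlogon Shell value rather than in SYSTEM.INI, so the same comparison against the bare default should be applied there. These checks only confirm the symptoms; the recommended engine and DAT combination remains the authoritative means of detection and removal.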

Symptoms

See W32/Magistr.a@MM description.

Method of Infection

See W32/Magistr.a@MM description.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Magistr.b (AVP)
  • PE_MAGISTR.B (Trend)
  • Qzap195
  • W32.Magistr.39921@mm (NAV)
  • W32/Magistr.b.dam1
  • Win32.Magistr.B (CA)
