-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
                        A U S C E R T   A L E R T

                   AL-2001.03  --  AUSCERT ALERT
                        W32/Magistr Virus/Worm
                             15 March 2001
===========================================================================

PROBLEM:

        AusCERT has received information about a new virus known as the
        Magistr virus/worm.  Described as "dangerous" by at least one
        anti-virus vendor, this virus combines a damaging payload with a
        potential for wide-ranging propagation.

        Magistr contains at least three primary threats to an infected
        host computer.  It may potentially:

          - Propagate via email and network, utilising common address
            book files and available network shares, respectively.

          - Damage the infected host by corrupting system files,
            formatting hard disks and clearing CMOS and FLASH BIOS data.

          - Release (by email propagation) confidential files, including
            Microsoft Word and text documents.

        This virus is polymorphic, and may arrive as an executable email
        attachment with variable filenames.  When executed, the virus
        will copy a random .EXE or .SCR file in the system directory and
        infect this copy, adding a reference to the infected file in this
        registry key:

          HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

        It may also add this filename to the "Run=" line in WIN.INI.

        A successful reboot of the computer will result in further
        infection of any Windows Portable Executable (PE) files (except
        .DLL files).

        Magistr is able to utilise various email address books for its
        distribution, including Outlook Express and Netscape mailboxes, as
        well as the Windows address book (.WAB).  It proceeds to send
        itself to any addresses found using its own SMTP client, with
        random Subject: lines and executable filenames.
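        As an added illustration of the persistence mechanism just
        described (example code written for this alert, not AusCERT's or
        an anti-virus vendor's), the Python script below checks the
        values of the Run registry key and the "Run=" line of WIN.INI for
        the pattern the virus leaves behind: a .EXE or .SCR inside the
        system directory that is not on a site's known-good list.  The
        system-directory path, the known-good list and the sample
        registry and WIN.INI data are constructed assumptions, not values
        taken from an infected host.

```python
"""Autostart triage for the persistence pattern described above: an .EXE or
.SCR in the Windows system directory referenced from the
HKLM\\...\\CurrentVersion\\Run key or the "Run=" line of WIN.INI.

Added example for this alert, not AusCERT's or any vendor's code.  The
system-directory path, the known-good list and all sample data are
constructed assumptions; on a real host the Run-key values would be read
with winreg and WIN.INI from the Windows directory.
"""
import ntpath
import re

# Assumption: classic single-disk Windows 9x layout.  Adjust per host.
SYSTEM_DIR = r"C:\WINDOWS\SYSTEM"

# Constructed sample data (not from the advisory).  The Run-key dict maps
# value name -> command string, as an export of the registry key would.
SAMPLE_RUN_KEY = {
    "SiteTool": r"C:\WINDOWS\SYSTEM\sitetool.exe /quiet",  # on the known-good list
    "Default":  r"C:\WINDOWS\SYSTEM\CALC.SCR",              # random .SCR copy: suspicious
    "Notepad":  r"C:\WINDOWS\NOTEPAD.EXE",                  # outside the system directory
}

SAMPLE_WIN_INI = r"""; constructed WIN.INI
[windows]
load=
run=C:\WINDOWS\SYSTEM\WMPLAY.EXE
[Desktop]
Wallpaper=(None)
"""

# Constructed site baseline of autostart programs that are expected in the
# system directory; compared by basename, case-insensitively.
KNOWN_GOOD = {"sitetool.exe"}


def parse_win_ini_run(win_ini_text):
    """Return the programs named on the Run= line of the [windows] section.

    INI section and key names are case-insensitive; the Run= value may list
    several programs separated by commas or spaces, so we split on both.
    """
    in_windows = False
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_windows = line[1:-1].strip().lower() == "windows"
            continue
        if in_windows and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "run":
                return [p for p in re.split(r"[,\s]+", value.strip()) if p]
    return []


def program_path(command):
    """Extract the executable path from an autostart command line, honouring
    a double-quoted path that contains spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_autostarts(run_key_values, win_ini_text, known_good=KNOWN_GOOD):
    """Return the autostart commands (Run key first, then WIN.INI) whose
    program is a .EXE/.SCR inside SYSTEM_DIR and is not on the known-good
    list.  Anything flagged is a lead for an anti-virus scan with current
    definitions, not proof of infection on its own."""
    system_dir = ntpath.normcase(SYSTEM_DIR)
    good = {name.lower() for name in known_good}
    flagged = []
    for command in list(run_key_values.values()) + parse_win_ini_run(win_ini_text):
        path = ntpath.normcase(program_path(command))
        directory, name = ntpath.split(path)
        if (directory == system_dir
                and ntpath.splitext(name)[1] in (".exe", ".scr")
                and name not in good):
            flagged.append(command)
    return flagged


if __name__ == "__main__":
    for hit in suspicious_autostarts(SAMPLE_RUN_KEY, SAMPLE_WIN_INI):
        print("suspicious autostart:", hit)
```

        Run against the constructed data the script reports the CALC.SCR
        and WMPLAY.EXE entries and ignores the baselined tool and the
        program outside the system directory.  Legitimate screen savers
        and utilities also live in the system directory, so the
        known-good list should be built from a clean reference machine
        before the output is acted on.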
        Observed Subject: lines are as follows:

          sentences you
          sentences him to
          sentence you to
          ordered to prison
          convict
          judge
          circuit judge
          trial judge
          found guilty
          find him guilty
          affirmed
          judgment of conviction
          verdict
          guilty plea
          trial court
          trial chamber
          sufficiency of proof
          sufficiency of the evidence
          proceedings against the accused
          habeas corpus

        Similar phrases, in French and Spanish, may also be used.

        Accompanying the email message may be several, randomly selected,
        documents from the filesystem of the infected host computer.

        Magistr is network aware and, if it has access to a Windows
        network, will specifically search for folders named:

          WINNT
          WIN95
          WIN98
          WINDOWS

        adding a "Run=" line to any WIN.INI files found in directories of
        these names to ensure execution on startup.

        As an aid to identification, the executable virus contains the
        text:

          ARF! ARF! I GOT YOU!
          v1rus: Judges Disemboweler.
          by The Judges Disemboweler
          written in Malmo (Sweden)

PLATFORM:

        Magistr is a Win32 executable and poses a threat to 32 bit
        Microsoft Windows operating systems.

IMPACT:

        An infected computer may suffer file corruption and destruction.
        Additionally, routines designed to overwrite CMOS and FLASH BIOS
        data may result in an unbootable computer.

        The action of the virus in emailing random documents from the
        infected host may result in the loss of confidentiality.

        Mass mailing methods may lead to service denial on mail hosts.

        Due to the polymorphic nature of the virus, it is difficult to
        disinfect.

RECOMMENDATIONS:

        A. User Education

        System Administrators are urged to inform their users about
        proper precautions with regards to handling email attachments.

        AusCERT recommends that sites should update and check their virus
        defences and either delete, or at least do not open, any email
        messages or attachments that resemble those described above or in
        the following links.

        B. Update Anti-Virus Packages

        System administrators and users are urged to ensure that the
        latest Anti-Virus software is installed and that it is using the
        most current, up-to-date virus databases.

        More information can be found at:

          http://www.europe.f-secure.com/v-descs/magistr.shtml
          http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=PE_MAGISTR.A
          http://www.symantec.com/avcenter/venc/data/w32.magistr.24876@mm.html
          http://www.sophos.com/virusinfo/analyses/w32mag.html
          http://ca.com/virusinfo/encyclopedia/descriptions/magistr24876.htm

        AusCERT is continuing to monitor this problem.

- ---------------------------------------------------------------------------
        For more information contact your Anti-Virus software vendor.
- ---------------------------------------------------------------------------

[AusCERT issues an alert when the risk posed by a vulnerability that may
not have been thoroughly investigated and for which a work-around or fix
may not yet have been developed requires notification.]

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication.
However, the decision to use the information described is the
responsibility of each user or organisation.  The appropriateness of this
document for an organisation or individual system should be considered
before application in conjunction with local policies and procedures.
AusCERT takes no responsibility for the consequences of applying the
contents of this document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and
AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).  On call after hours for
                emergencies.

Postal:         Australian Computer Emergency Response Team
                The University of Queensland
                Brisbane
                Qld 4072
                AUSTRALIA
===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOrDnvyh9+71yA2DNAQH3FQP7BGRod0xrOezRTfSfB6qRe2EoLCDBS3A0
JD19Zj+Ux8QIshvaxaeCj2weWnyeJe0ZbFob0F2vaqsWs2/IwPhGGasOuujPY/Fc
z9rymV9kDER53LMeFdY57gM4od+hCJ3zB2/IEjlPrqo0uOk7fAQL295J1Rwv7sLM
Ja7/KoTNP/Q=
=u3gc
-----END PGP SIGNATURE-----