General discussion

  • #2130355

    Moving Icons…virus?

    Locked

    by frank k ·

    2 friends from outside of work indicated that their machines at home are acting funky. I suspect a virus of some sort but I haven’t heard of one with this payload. It affects their ability to click on an icon by moving the icon when you move your cursor towards it. I’ve seen joke programs like this but they “swear” they didn’t open anything they shouldn’t have. Input would be appreciated.

All Comments

    • #3549765

      Moving Icons…virus?

      by maxwell edison ·

      In reply to Moving Icons…virus?

      Magistr.A Virus

      Alias: PE_Magistr.A, W32.Magistr, Magistr, Troj_Arf_Judge.A, Judge.A, Arf_Judge, I-Worm.Magistr, W32.Magistr@mm, W32.Magistr.24876@mm, W32/Disemboweler, W32/Magistr-A

      Operating System: Windows 95, Windows 98, Windows NT, Windows 2000, Windows ME

      Destructive Payload: Yes

      Virus Type: Trojan, Worm

      Infection Method: Email, Filecopy

      DISCOVERED: 13th March 2001
      VARIANT: 27th August 2001

      Application Info

      DESCRIPTION
      Magistr.A is a malicious trojan with worm capabilities. There is a high-level threat of receiving this virus. This virus infects the system by infecting all files with .exe and .scr extensions, with the exception of .dll files. It uses per-process residency in order to become memory resident. It does this by adding entries in WIN.INI and some registry entries.

      DISTRIBUTION
      This virus spreads itself by using SMTP-based email clients such as MS Outlook, MS Outlook Express, Netscape Navigator, Netscape Messenger to send infected files to up to 100 addresses in the infected system’s address book.

      The email that is sent has the following characteristics: Subject: Randomly generated text that can be up to 60 characters long. Body text: A random number of words from one document or text file on the infected system. Name of attachment: A .exe or .scr file smaller than 128 KB and can also include other non-viral files such as .doc, .txt or .js files.

      (continued…)

      • #3549764

        Moving Icons…virus?

        by maxwell edison ·

        In reply to Moving Icons…virus?

        .
        .
        Magistr also tries to connect to shares in the network neighborhood. If it can connect to a network drive, it will try to copy itself to the following directories and add a “run=” line to the WIN.INI file on the remote machine to infect it on the next startup.

        DAMAGE
        This virus infects the system by infecting all files with .exe and .scr extensions. This virus will stay in memory (“memory resident”). The actions that the worm causes depend on how many months the virus has been resident on the system, including deleting files, replacing files with useless data, erasing Flash BIOS (Win 9x/ME), erasing CMOS (Win 9x/ME) and moving icons away from the mouse so that they can’t be run.

        The viral code is encrypted, polymorphic, and uses anti-debugging techniques, which make it difficult to detect. It also has a payload routine that on some systems may result in BIOS data being erased, as well as destroying sectors on the hard drive. Any file can become corrupted with Magistr.A.

        Leprechaun Software recommends:

        1. Customers ensure they are on the latest version of VirusBUSTER II as per the version date on our Web site
        2. Security backups are made frequently to secure data.
        3. Do not open files received in emails that appear suspicious

        If in doubt, scan all hard drives with VirusBUSTER II, curing or quarantining infected files

        http://www.leprechaun.com.au/VirusBuster/Alert.asp?NewsID=80

        Maxwell
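
An added example, not part of the posts above or of the vendor advisory they quote: a defender-side check that lists the programs named on `run=`/`load=` lines in the `[windows]` section of a WIN.INI file, the startup hook the advisory describes. The sample file content and the function names are constructed for illustration, and splitting entries on spaces or commas assumes program paths without embedded spaces.

```python
import ntpath
import re

# Constructed sample WIN.INI content (not taken from a real system).
SAMPLE_WIN_INI = """\
; for 16-bit app support
[fonts]
[windows]
load=
Run = C:\\WINDOWS\\SYSTEM\\HELPER.EXE, C:\\TOOLS\\CLOCK.SCR
NullPort=None
[Desktop]
run=ignored-outside-windows-section.exe
"""

# File types the advisory says the virus infects.
WATCHED_EXTENSIONS = {".exe", ".scr"}


def autostart_entries(ini_text):
    """Return (key, program) pairs from run=/load= in the [windows] section."""
    entries = []
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()  # INI keys are case-insensitive
        if key not in ("run", "load"):
            continue
        # Assumption: entries are separated by spaces or commas.
        for program in re.split(r"[,\s]+", value.strip()):
            if program:
                entries.append((key, program))
    return entries


def flag_entries(ini_text):
    """Keep only autostart entries whose extension is in the watched set."""
    return [(k, p) for k, p in autostart_entries(ini_text)
            if ntpath.splitext(p)[1].lower() in WATCHED_EXTENSIONS]
```

Every entry this returns should be reviewed against what the machine's owner knowingly installed; an unexpected one is a reason to scan, not proof of infection.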

      • #3549761

        Moving Icons…virus?

        by maxwell edison ·

        In reply to Moving Icons…virus?

        .
        .
        Cut and paste the above link for the related links to repairs. (REMOVE SPACES from the pasted links.)

        Another source of information:

        http://www.ntsecurity.net/Panda/Index.cfm?FuseAction=Virus&VirusID=627

        http://www2.tntech.edu/its/news/magistr.htm

        Best of luck to you and your friends,

        Maxwell

      • #3549747

        Moving Icons…virus?

        by frank k ·

        In reply to Moving Icons…virus?

        Thanks…I’ve seen the mag virus floating around but never read the whole payload info.

    • #3549746

      Moving Icons…virus?

      by frank k ·

      In reply to Moving Icons…virus?

      This question was closed by the author
