North Iowa Area Community College

The first step to ward off a virus attack is to update your virus signature files to the latest version; the updated scanner will then notify you of files infected with this strain of the virus. NIACC's Technology Services intranet page has a 'Tech Tips' section which will guide you through the process of updating these files.

In addition, feel free to contact the NIACC Technology Help Desk at x4357 if you need any assistance with this process, if you feel your computer has been infected with a computer virus, or if you have any questions about a computer virus.

McAfee Information by NIACC

Virus Update: Friday, September 7, 2001 - W32.Magistrb (W32/Magistr.b@MM)

A new and potentially destructive virus has appeared. The virus is transmitted through an executable email attachment (it ends with .EXE).

**** DO NOT OPEN THIS ATTACHMENT! ****

**** Delete the message and the attachment ****

If you have already opened the attachment, contact the Technology Services Help Desk immediately at ext 4357 (HELP).

NIACC's Technology Services department has updated the email server in an attempt to prevent any future messages with these characteristics from being delivered. However, some infected messages may already have been distributed.

Virus Characteristics
When active, the virus (worm) has the following 'characteristics'...

Large scale e-mailing: Uses email addresses from the Windows and Eudora Address Book files, Outlook Express Sent Items folder, and Netscape Sent Items files.

System Instability: Overwrites hard drives, erases CMOS, flashes the BIOS.

Releases confidential info: It could send confidential Microsoft Word documents to others.

Virus Payload

W32/Magistr@MM is a combination of a file infector virus and an e-mail worm.
-The viral code infects 32-bit PE type (.exe) files in the WINDOWS directory and subdirectories.
-The worm part uses mass-mailing techniques to send itself to email addresses stored in several places. The worm installs itself to run at each system startup.

Five minutes after the virus is run, it attempts a mailing routine. Email addresses are gathered from the Windows Address Book, Outlook Express mailboxes, and Netscape mailboxes (addresses found in the email messages within existing mailboxes are gathered), and these file locations and addresses are saved to a hidden .DAT file somewhere on the hard disk (the location varies). The messages sent by the worm contain varying subject headings, body text, and attachments. The body of the message is derived from the contents of other files on the victim's computer. It may send more than one attachment and may include non-.EXE or non-viral files along with an infectious .EXE file.
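Because the subject and body vary and the infectious .EXE may travel alongside harmless files, a mail gateway check has to inspect every attachment rather than match on message text. The following is an added example, not NIACC's actual server configuration: the function names are hypothetical, the sample message is constructed, and the "executable" in it is only a stub header.

```python
import struct
from email import message_from_bytes
from email.message import EmailMessage

def is_pe32(data: bytes) -> bool:
    """True if data has an MZ header pointing at a PE signature for i386."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew field
    if pe_off + 6 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return False
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    return machine == 0x014C  # IMAGE_FILE_MACHINE_I386 (32-bit)

def risky_attachments(raw: bytes) -> list:
    """Return (filename, reason) for every MIME part that should be quarantined."""
    hits = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if is_pe32(payload):
            # Content check catches an executable sent under another name.
            hits.append((name, "PE32 content"))
        elif name.lower().rstrip(". ").endswith(".exe"):
            hits.append((name, ".exe name"))
    return hits

def build_sample() -> bytes:
    """Constructed message: a text file, a stub PE header, and an .EXE-named file."""
    stub = bytearray(0x80)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)      # e_lfanew -> 0x40
    stub[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", stub, 0x44, 0x014C)    # machine = i386
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    msg.add_attachment("notes", filename="readme.txt")
    msg.add_attachment(bytes(stub), maintype="application",
                       subtype="octet-stream", filename="report.doc")
    msg.add_attachment(b"not a PE", maintype="application",
                       subtype="octet-stream", filename="SETUP.EXE")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in risky_attachments(build_sample()):
        print(f"quarantine {name}: {reason}")
```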

The virus proceeds by infecting 32-bit PE (Portable Executable) type .EXE files found in the WINDOWS SYSTEM directory and subdirectories. The viral code is encrypted, polymorphic, and uses anti-debugging techniques to make it difficult to detect. Email addresses have been seen encrypted in infected files. These addresses are believed to represent other users that have also been infected from the same point of origin.

In the decrypted body of the virus code, the following comments exist:

ARF! ARF! I GOT YOU! v1rus: Judges Disemboweler.
by: The Judges Disemboweler.
written in Malmo (Sweden)

W32/Magistr@MM has a payload routine that on some systems may result in CMOS/BIOS information being erased as well as sectors on the hard disk being destroyed.

Prevention

This virus is known and included in all virus signatures starting with the 4158 DAT release. Users are reminded to regularly update to the current engine and DATs to ensure maximum protection against today's threats. Note: Ensure that the extensions .VBS and .LNK are included when scanning. This is a default setting with product version 4.5 and later. The .LNK extension is a default in DAT versions 4149 and later - you should double-check this configuration setting.

NIACC's Technology Services intranet page has a 'Tech Tips' section which will guide you through updating the virus signature (.DAT) files and including VBS and LNK documents in the scanning process: http://www.niacc.edu/admin/ts/documentation/virus_autoupdate.html

The following sites provide additional information and/or fixes for the virus:

Network Associates / McAfee : http://vil.nai.com/vil/virusSummary.asp?virus_k=99040

Norton Antivirus http://www.symantec.com/avcenter/venc/data/w32.magistr.39921@mm.html

This information is also available on NIACC's Technology Services intranet page at http://www.niacc.edu/admin/ts/virusupdate_20010803.html.

If you have any additional questions or suggestions, feel free to contact me or the Technical Support Help Desk by dialing 'HELP' (x4357).

Past Virus Postings

AnnaKournikova

SirCam

 

 


North Iowa Area Community College, 500 College Drive, Mason City, IA 50401
641-423-1264 or 1-888-GO NIACC
www.niacc.edu