Mail Archive sponsored by Chazzanut Online

jewish-music


Virus in TO PROVIDE A LINK TO ANOTHER



Warning, the posting "To provide a link to another" contains a
virus.  Information below from Norton Anti-Virus.

W32.Magistr.39921@mm

Discovered on: September 3, 2001
Last Updated on: January 9, 2002 at 07:42:07 AM PST



Due to an increased number of submissions, Symantec has upgraded
this virus to a Category 3 rating on 9/6/2001.

W32.Magistr.39921@mm is a new variant of W32.Magistr.24876@mm.

Also Known As: I-Worm.Magistr.b, W32.Magistr.B@mm,
W32/Magistr.b@MM, Magistr.32768@mm

Type: Virus, Worm

Infection Length: 39,921 bytes

Virus Definitions: September 4, 2001

Threat Assessment:

Wild: Medium
Damage: High
Distribution: High


Wild:

Number of infections: 50 - 999
Number of sites: 3 - 9
Geographical distribution: Medium
Threat containment: Moderate
Removal: Moderate

Damage:
Payload: Large scale e-mailing: Uses email addresses from the
Windows and Eudora Address Book files, Outlook Express Sent Items
folder, and Netscape Sent Items files.
Causes system instability: Overwrites hard drives, erases CMOS,
flashes the BIOS.
Releases confidential info: It could send confidential Microsoft
Word documents to others.

Distribution:

Subject of email: Randomly generated text that can be up to 60
characters long.
Name of attachment: One randomly named infected
executable and several randomly selected text or document files
Target of infection: All Windows PE files that are not .dll
files.

Technical description:

Here is a list of the additional features and behavioral
differences between W32.Magistr.39921@mm and
W32.Magistr.24876@mm:

Aware of Eudora address books (listed in Eudora.ini.)
Deletes *.ntz while searching for files.
Attempts to disable ZoneAlarm's user interface (this does not
disable the ZoneAlarm firewall functionality).
Adds an entry to the Shell=explore.exe line in the Boot section
of System.ini, calling the W32.Magistr.Trojan.
Searches for more Windows folders (Winnt, Windows, Win95, Win98,
Winme, Win2000, Win2k, Winxp.)
Emails an attachment that has a random extension (.exe, .bat,
.pif, or .com.)
Occasionally attaches .gifs to emails.
The payload overwrites the files Ntldr (Windows NT/2000/XP) and
Win.com (all Windows 32 OSs) on all drives with code that causes
it to store garbage data in the first sector of the first IDE
hard drive.

--
Regards,

Lionel Mrocki and Karen Amos

"The day Microsoft makes something that doesn't suck is probably
the day they start making vacuum cleaners." -Ernst Jan Plugge

*************************************************************************************

Visit <<http://www.klezmania.com.au>> for the latest information
on KLEZMANIA;  Performance dates, Sound files, Photos and more.

Visit <<http://members.optushome.com.au/amrocks/karenlionel.html>>
to see our family.

*************************************************************************************
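
The technical description above notes that this variant adds an entry to the Shell= line in the Boot section of System.ini. As an added example (not part of the original post or of the Norton write-up), this Python sketch audits a copy of System.ini for extra programs on that line. The expected shell value `explorer.exe`, the function names and the sample file contents are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumption: the stock shell on an unmodified system; override if yours differs.
EXPECTED_SHELL = "explorer.exe"

# Constructed samples, not taken from a real infection.
CLEAN_SAMPLE = "[boot]\nshell=Explorer.exe\nsystem.drv=system.drv\n"
MODIFIED_SAMPLE = (
    "; constructed example\n"
    "[386Enh]\nshell=ignored.exe\n"
    "[Boot]\nShell = Explorer.exe C:\\WINDOWS\\PLACEHOLDER.EXE\n"
)


def boot_shell_entries(ini_text):
    """Return the whitespace-separated programs on shell= in [boot], or None."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                return value.split()
    return None


def audit_system_ini(ini_text, expected=EXPECTED_SHELL):
    """Return a list of findings; an empty list means the line looks stock."""
    entries = boot_shell_entries(ini_text)
    if entries is None:
        return ["no shell= line in [boot] section"]
    if not entries:
        return ["shell= line is empty"]
    findings = []
    # ntpath handles backslash paths regardless of the analyst's own OS.
    if ntpath.basename(entries[0]).lower() != expected.lower():
        findings.append("unexpected shell: " + entries[0])
    # Anything after the shell itself is launched too, so report each one.
    for extra in entries[1:]:
        findings.append("extra program on shell= line: " + extra)
    return findings
```

A path containing spaces is split into several entries by this check, so it is still reported rather than missed.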



