I-Worm.Magistr.b
Description I-Worm.Magistr.b
This is an improved version of the original "Magistr" email worm and Win32 PE EXE files infector.
The differences are:
The payload routine is imoroved by another branch that will overwrite a WIN.COM file in the Windows directory and an NTLDR file in the C: root directory with a program that erases hard drive data upon start-up. This is done for local and for network shared drives as well.
While infecting a local file, this virus encrypts an entry routine with a key that depends on the computer's name. This causes infected-machine disinfection to be much more difficult.
To spread via e-mail, the worm also looks for Eudora email data as well.
While infecting network drives the worm looks for more Windows directories names:
WINNT
WINDOWS
WIN95
WIN98
WINME
WIN2000
WIN2K
WINXP
The worm copy is then registered in WIN.INI and SYSTEM.INI files in the following sections:
WIN.INI: Windows Run
SYSTEM.INI: boot shell
The worm looks for GIF files, and can send GIF images out of the computer, as well as clean DOC files (as the original version does).
The worm destroys .NTZ files each time if such files are located. It also attempts to terminate the ZoneAlarm firewall if it is installed, but fails and ZoneAlarm continues to protect the machine.
Check other viruses! Be aware! Use Antiviral Software
BackTime.528
Description BackTime.528
This is a dangerous memory-resident virus. It hooks INT 8 (timer), and INT 21h and hits COM files by a standard way when they are executed.
The virus contains the text "BackTime". This virus sets the system timer in back direction: when the INT 8 is called the virus decrements the content of timer counter. At a result the programs that uses the timer characteristics of computer (like a BenchMarks) are hang-up.
Bad.389
Description Bad.389
It's a harmless memory resident parasitic virus. It hooks INT 21h and infects .COM-files that are loaded into the memory. On the first start it types "Bad command or file name" and returns to DOS.
|