Magistr worm emerges, scarce but deadly
(IDG) -- Another worm is on the loose, and while only a handful of PCs have been struck since its discovery on Tuesday, its victims are in a world of hurt.
Magistr differs from similar recent headline-grabbers Anna Kournikova and NakedWife--this one is really mean.
Kournikova clogged e-mail servers and NakedWife damaged operating systems, but the victims could make repairs. Magistr goes way beyond that, trying to expose your private files, destroy your data, and cripple your PC so it won't even reboot.
"It's similar to other worms, but it's more sophisticated and destructive," says Pete Privateer, president of Pelican Security. Users of Pelican Security's SafeTnet product are already safe from the virus, he says.
Users of Norton Antivirus are also protected "if they download the latest virus signatures that can detect Magistr," says Stephen Trilling, director of Symantec's Antivirus Research Center.
How It Spreads
Magistr can spread three ways: by e-mail, on a local area network, or through shared disks, Privateer says. As with most viruses, a victim gets stung by opening an infected attachment. When the virus is triggered, Magistr scans the user's Outlook Express address book, then runs its own interal e-mail program to send messages to everyone in the book. The worm generates random subject headings, using text files from the PC as well as various English and Spanish phrases it carries along. The result: garbled, random messages that offer no telltale word combination for confused recipients of the correspondence.
Attached to each infected message is up to six files. Most of the files are text or Microsoft Word files, taken directly from the hard drive of the PC that sent it, he says. That means an attachment could be anything from a personal letter to a private financial document. The sixth file is an infected offspring of Magistr that may at first glance appear to be a harmless bitmap file--but a closer examination reveals a series of spaces followed by the .exe extension of an executable program. If the person who receives the message opens this infected executable file, Magistr begins again.
Magistr's spread may be limited because it requires a user action to initiate the worm's move to another machine, Privateer says. That means it won't likely be as prolific as its earlier siblings, which essentially exist to spread. But what Magistr lacks in quantity it makes up for in patience--and sheer destructive power.
One Nasty Payload
After sitting dormant for one month after arriving at a PC, the worm's payload activates--and begins destroying data and system files. Not only does it erase these files, it also rewrites an unfriendly phrase repeatedly in their place, making later retrieval of the deleted files nearly impossible, Privateer says.
The worm then attacks the CMOS and Flash BIOS of machines running Windows 95, 98, and ME, which is less secure than Windows NT and 2000 machines, he says. The CMOS is necessary to boot the PC.
"Once [the CMOS] is gone, the computer is useless, and you need to send it back to the vendor for repair," he says.
Once the worm has done its dirty work, and assuming the PC is still functional, it posts another nasty message, then enacts a final measure of cruelty: runaway icons. When a user tries to click on the icons, they move away from the cursor.
The Work of Pros?
The worm's intricate payload indicates it's no amateur production, Privateer says. While many worms are the products of wannabe hackers using virus-writing kits, Magistr appears to be the work of someone with programming knowledge. Some suggest a hacker or hacker group in Sweden called "The Judges Disembowler" wrote the worm.
Symantec's Trilling isn't sure what to make of the worm yet, noting that you can "sort of see previous types of viruses in there." However, that it carries its own e-mail handler does indicate a high level of sophistication, he adds.
Privateer says it's that level of sophistication that's most daunting, because this is just the stuff such high-level worm writers want us to see. Imagine what they're out there doing that we can't see, he says.
Security experts: Virus proves systems still vulnerable
RELATED IDG.net STORIES:
Naked Wife exposed as minor threat
Pelican Security Inc.
Study: Gadget sales flat
Protest slams Dell's use of prison labor
Steve Jobs keeps Apple in the limelight
N. Y. plans to heal skyline
Stocks rise on Case departure
Lieberman's presidential announcement today
New arrests may be linked to UK ricin scare
Jordan says farewell for the third time
Shaq could miss playoff game for child's birth
Ex-USOC official says athletes bent drug rules
|Back to the top|