IWorm_Magistr

I-Worm Magistr appeared in the middle of March 2001. According to information contained in the virus itself, it was written in Malmö, Sweden. Some virus writers have recently been caught and heavily punished - such "signatures" could be used to mislead investigators in the future.

This virus is a polymorphic EXE infector that combines tricks from quite a few recent worms and viruses. Its payload can be very damaging, as it bears a close resemblance to CIH/Chernobyl's disk and BIOS trashing routines. Windows 95, 98 and ME users might suffer dire consequences if they let the worm activate on their system.

The worm spreads via e-mail, through the now well-established mechanism of parsing the address books of Outlook Express, Netscape Messenger and Internet Mail and News. Like Happy99, the virus keeps a list of the e-mail addresses it was sent to and will not resend itself to the same user twice. On a local basis, it is able to explore all available drives and infect the PE files it finds (PE, or portable executable, is the standard executable file format under the 32-bit versions of Windows).

Once it activates, the virus will attempt to trash files, overwriting them with a "YOUARESHIT" message. On unprotected operating systems, the disk will be trashed and a BIOS flash will be attempted.
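For damage assessment after an activation, the following added example (not DataRescue's or F-Secure's code) walks a directory tree and separates files that were overwritten from files that merely mention the string, such as a saved copy of this description. It assumes the message is written as literal ASCII bytes repeated through the file, which the description above does not specify; the 64 KB sample size, the 50% threshold and all function names are hypothetical.

```python
import os
import tempfile

MARKER = b"YOUARESHIT"   # string quoted in the description above
SAMPLE = 64 * 1024       # bytes inspected per file (assumed to be enough)

def marker_coverage(data: bytes) -> float:
    """Fraction of `data` occupied by non-overlapping copies of MARKER."""
    if not data:
        return 0.0
    return data.count(MARKER) * len(MARKER) / len(data)

def classify(path: str, threshold: float = 0.5) -> str:
    """'overwritten' if the marker dominates the sampled bytes, 'mentions'
    if it only occurs in passing, otherwise 'clean'."""
    with open(path, "rb") as fh:
        data = fh.read(SAMPLE)
    coverage = marker_coverage(data)
    if coverage >= threshold:
        return "overwritten"
    return "mentions" if coverage > 0 else "clean"

def triage(root: str) -> dict:
    """Walk `root` and return {relative_path: verdict} for non-clean files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                verdict = classify(full)
            except OSError:
                verdict = "unreadable"   # locked or damaged: review by hand
            if verdict != "clean":
                findings[os.path.relpath(full, root)] = verdict
    return findings

def demo() -> dict:
    """Triage a small tree of constructed sample files."""
    samples = {
        "report.doc": MARKER * 200,                               # overwritten
        "notes.txt": b"The worm writes YOUARESHIT. " + b"x" * 400,  # mention only
        "app.exe": b"MZ" + bytes(510),                            # untouched
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return triage(root)

if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:12} {path}")
```

Files reported as "overwritten" are candidates for restoration from backup; run the scan against a read-only mount or an image of the affected disk rather than the live system.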

F-Secure Anti-Virus detects this worm with the latest update applied. Once again, we cannot stress enough the importance of keeping your signature files up-to-date and abstaining from executing e-mail attachments.


DataRescue, 45 quai de la Dérivation, 4020 Liège (Belgium), tel 32-4-3446510, fax 32-4-3446514