When you combine something as prolific as ILOVEYOU with something as destructive as CIH, this is the result.
If you are in a hurry, here are some parts you can skip to:
14:45 Icons running away from the cursor payload
16:00, 27:50 What mail sent by the worm looks like
23:06 Very destructive payload
26:05 What some overwritten files look like and a restart
30:45 "Copyright message" inside the decrypted virus
Turn down your volume at 19:08, 21:45, and 27:14 as the PC beeps can be loud
Bugs in Magistr
When Magistr imports the functions it needs, it walks through an astonishing number of functions (3,000,000,000 functions, compared to the roughly 700 exported by KERNEL32.DLL). This is because it compares the address of the NumberOfNames entry in the export table (which is that very large number) to the number of functions it has encountered so far, instead of comparing against the value stored there. This does not seem to have caused a problem, because Magistr does find the functions it needs before the bogus loop bound matters.
String comparison functions will return a match even if the last character is different.
The polymorphic generator may generate code that does not return to the host properly.
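To see why the observed loop count is a pointer rather than a count, here is an added example (not code from the video or from the virus) that walks a constructed export directory the correct way, using the value of NumberOfNames as the bound, and next to it returns the bound the description above attributes to Magistr, the address of that field. The image layout, the three export names and the ordinal values are all constructed for the demo; the export directory is assumed to sit at offset 0 of the mapped image.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Subset of IMAGE_EXPORT_DIRECTORY, same field order as the real PE header. */
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} ExportDir;

/* Constructed stand-in for a mapped image: export directory at offset 0,
   then the name-RVA table, the ordinal table and the name strings. Not a real DLL. */
static _Alignas(8) uint8_t image[256];
static const char *names[] = {"CreateFileA", "GetProcAddress", "LoadLibraryA"};

static ExportDir *build_image(void) {
    ExportDir *ed = (ExportDir *)image;
    uint32_t *name_rvas = (uint32_t *)(image + sizeof *ed);
    uint16_t *ordinals = (uint16_t *)(name_rvas + 3);
    uint32_t cursor = (uint32_t)((uint8_t *)(ordinals + 3) - image);
    memset(image, 0, sizeof image);
    ed->NumberOfNames = 3;                       /* the VALUE a resolver should use */
    ed->AddressOfNames = (uint32_t)sizeof *ed;   /* RVAs are relative to the image base */
    ed->AddressOfNameOrdinals = (uint32_t)((uint8_t *)ordinals - image);
    for (uint32_t i = 0; i < 3; i++) {
        name_rvas[i] = cursor;
        ordinals[i] = (uint16_t)(10 + i);        /* constructed ordinal-table entries */
        strcpy((char *)image + cursor, names[i]);
        cursor += (uint32_t)strlen(names[i]) + 1;
    }
    return ed;
}

/* Correct walk: iterate NumberOfNames entries and return the matching
   ordinal-table entry (in a real image, an index into AddressOfFunctions), or -1. */
static int find_export_ordinal(const ExportDir *ed, const char *wanted) {
    const uint8_t *base = (const uint8_t *)ed;   /* directory at offset 0 by construction */
    const uint32_t *name_rvas = (const uint32_t *)(base + ed->AddressOfNames);
    const uint16_t *ordinals = (const uint16_t *)(base + ed->AddressOfNameOrdinals);
    for (uint32_t i = 0; i < ed->NumberOfNames; i++)
        if (strcmp((const char *)base + name_rvas[i], wanted) == 0)
            return ordinals[i];
    return -1;
}

/* The bound the description attributes to Magistr: the ADDRESS of
   NumberOfNames, not its contents, hence a loop count in the billions. */
static uintptr_t address_as_bound(const ExportDir *ed) {
    return (uintptr_t)&ed->NumberOfNames;
}

int main(void) {
    ExportDir *ed = build_image();
    printf("GetProcAddress -> ordinal %d\n", find_export_ordinal(ed, "GetProcAddress"));
    printf("value bound %u, address-as-bound %lu\n", ed->NumberOfNames,
           (unsigned long)address_as_bound(ed));
    return 0;
}
```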
Changes from the original sample
Instead of comparing against 100 contacts to activate payloads, this sample will compare against 12.
When the virus encounters a sleep function, it will sleep for 1 second.
The virus will use the HELO SMTP command as HELO [network name] rather than HELO [SMTP server], because Mercury does not accept the latter.
Description of Magistr
For a more thorough analysis please read Peter Ferrie's "Magisterium Abraxas": http://vxheaven.org/lib/apf38.html
Magistr becomes resident by running a thread inside explorer.exe's process. The worm gets the user's e-mail info as well as the contacts stored in .DBX and .WAB files. If that succeeds, the thread runs forever (an infinite loop) unless explorer.exe is terminated. The worm then tests for an internet connection and sends mail to 4 recipients at a time. It composes the subject and body from random .DOC/.TXT files stored on the user's drive. It also attaches an infected file and, with a 20% chance, attaches the .DOC/.TXT file from which it composed the subject/body. When finished, Magistr finds up to 20 files to infect and adds itself to the RUN key 80% of the time. It also infects shared network resources to which it has full access.
Finally the worm tests for payloads. If the worm has sent mail to more than 100 recipients, a month has passed, and 3 files are found that each contain 3 matches from a list of 55 phrases, the virus will delete files, overwrite others with "YOUARESHIT", and flash the BIOS (only under Win9x). If the worm has sent mail to more than 100 recipients and two months have passed, then on odd days icons will run away from the cursor. After three months, regardless of how many recipients the worm has sent mail to, the worm will delete the files found by its search routines.
- published: 23 Jun 2015
- views: 1824