Viruses, Viruses Everywhere! from the August 2001 Actrix Newsletter

By Jeremy Fairbrass

Thank you Jeremy for this article on two common viruses at present. As this newsletter was getting ready for publication, another virus has just been discovered. It spreads in the same way as the two under discussion here, so it is expected that this third virus will become as widespread as quickly. I have already been sent it from three separate sources. Please see the footnote to this article. Ed.

There are a couple of viruses doing the rounds at the moment. Both are quite widespread, and both are rather nasty. They are known as the "Magistr" and the "Hybris" viruses. You have probably already come across them. Some readers may well have been infected.

Magistr

The Magistr virus, officially called "W32.Magistr@mm", has the nastier payload of the two. When it infects a computer, it scans that computer for as many email addresses as it can find, by searching through the Address Book and the email folders of Outlook or Netscape. It makes a list of all it can find, and then it emails a copy of itself to all those email addresses.

The email it sends to these addresses will have either one or two attachments to it. Firstly it will have an EXE or an SCR file attached to it. This file has been taken from the infected computer's hard drive, and has been infected with the virus itself. Also, the virus will scan the infected computer for DOC or TXT files (Microsoft Word Document files or Text files), and will grab some text at random from inside one of these files and use that text to form the subject and message body of the email it sends out to the addresses it found. This gives the email the appearance of being legitimately typed by the owner of the infected computer, although the text used will usually not make much sense as it has been taken at random from the middle of one of the DOC or TXT files. There is a 20% chance that the virus will attach the actual DOC or TXT file to the email as well.

The virus will infect numerous EXE or SCR files on the hard drive of the infected computer as well, and leave them there on the hard drive. It also has the ability to scan any network drives for EXE or SCR files to infect. What's more, the virus will configure Windows to always execute the virus each time Windows is restarted, and can also configure any networked computers to activate the virus upon restart. The worst damage that the virus can do (but doesn't always do) is attempt to erase the computer's CMOS and BIOS (the part of the motherboard that allows the computer to actually boot and work), and it may also attempt to delete or overwrite as many files as it can on the hard drive.

The only way to easily clean this virus from an infected computer is to use antivirus software to do a full scan of the infected hard drive. Some infected files can be cleaned successfully; others may be permanently damaged and need replacing.

If you receive an email from someone that contains an EXE or SCR file attachment, and which has a message body that consists of text that doesn't seem to make much sense or seems to be out of context or incomplete, then the email may contain the Magistr virus (inside the EXE or SCR attachment). As such, you should delete the email from your Inbox, and also delete it from your Deleted Items folder, and then send a note back to the sender of the email to let them know that they may have the virus on their computer. As long as you don't open or run the attachments, you will be okay. However I would highly recommend that you have up-to-date antivirus software installed on your computer that can detect such viruses as they arrive in your Inbox.

More info on the Magistr virus can be found at Symantec's website:

http://www.symantec.com/avcenter/venc/data/w32.magistr.24876@mm.html

and at McAfee's website:

http://vil.mcafee.com/dispVirus.asp?virus_k=99040.

Hybris

As for the Hybris virus, officially known as "W95.Hybris.gen", this is a "worm" that has a less damaging payload than Magistr, but which is probably a lot more offensive in nature. When it infects a computer it scans the internet connection, over time, for any email addresses it can see. This includes email being sent and received, as well as webpages that are viewed in the web browser. When it finds an email address, it sends an email to that address. The email includes a file attachment that is infected with a copy of the virus. The name of the file attachment varies - earlier versions of the Hybris worm had a file attachment name of "dwarf4you.exe" or "sexy virgin.scr", the body of the email included a short "story" about Snow White and the Seven Dwarves, and the email itself had a fake "From" address of hahaha@sexyfun.net. However, the Hybris virus also has the added ability to update itself over the internet. It can connect to a particular newsgroup and download plug-ins that have been left there for it. These plug-ins can give the virus the ability to do various other things.

One such plug-in that seems to be common at the moment makes the virus send out an email, to whatever email addresses it can find, that contains a rather unpleasant sentence or two in the message body. The wording basically consists of a string of quite offensive, pornography- or sex-related words that don't make any sense as a sentence. I'm not going to repeat any here! The email also contains an attachment which is infected with the virus. The attachment is usually an EXE file with a varying name. This variant of the virus is also clever enough to use a fake "From" address in the emails it sends out. The "From" address usually consists of a word like "celebrity", "Xena", or "famous", followed by the domain name of the recipient's ISP. There may be a few other words used also. So if the email was sent to an Actrix customer, the email would appear as though it came "from" celebrity@actrix.co.nz or Xena@actrix.co.nz or famous@actrix.co.nz. Of course these addresses are fake and don't really exist. But they would give the wrong impression that the offensive email was sent by another Actrix customer (in this example).

As with Magistr, the best way to remove the Hybris virus from an infected computer is to use an up-to-date antivirus program. And if you receive such an email, the best thing to do is delete it straight away, remembering to delete it from your Deleted Items folder too. If you have antivirus software on your computer, it may detect an incoming email as containing the virus, and it may be able to delete or remove the infected attachment, but it probably wouldn't have the ability to stop the email itself, with its offensive message body, from showing in your Inbox. To prevent this, you may need to set up a Message Rule that will filter and delete the emails, based on key words in the body. This can be done in Outlook Express by clicking on the Tools menu and selecting Message Rule. You can contact our Help Desk for assistance with this, or consult a past newsletter article on Outlook Express Message Rules here.
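As a defender-side illustration of the fake-sender pattern described above, here is an added Python example (not code from the article or from any antivirus vendor) that flags a message whose "From" address is one of the three listed names at the recipient's own domain and which also carries an EXE or SCR attachment. The sample messages, the recipient address and the attachment name are constructed for the example.

```python
import email
from email import policy

# Forged sender names the article attributes to this Hybris plug-in; the virus puts one
# of them in front of the recipient's own ISP domain. Matched case-insensitively.
HYBRIS_FAKE_USERS = {"celebrity", "xena", "famous"}
EXECUTABLE_EXTS = (".exe", ".scr")

def split_address(addr):
    """Return (localpart, domain) of an address such as Xena@actrix.co.nz, lower-cased."""
    local, sep, domain = str(addr).strip().rpartition("@")
    if not sep:
        return str(addr).strip().lower(), ""
    return local.lower(), domain.lower()

def looks_like_hybris(raw_message):
    """Return (flagged, reasons). Flagged only when the From is a forged name at the
    recipient's own domain AND the message carries an EXE/SCR attachment."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    from_user, from_domain = split_address(msg.get("From", ""))
    _, to_domain = split_address(msg.get("To", ""))
    if from_user in HYBRIS_FAKE_USERS and from_domain and from_domain == to_domain:
        reasons.append(f"sender {from_user}@{from_domain} forged at recipient's domain")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXTS):
            reasons.append(f"executable attachment {name}")
    return len(reasons) == 2, reasons

# Constructed sample messages (not real captures); the offensive body text is omitted.
SAMPLE_HYBRIS = """\
From: Xena@actrix.co.nz
To: customer@actrix.co.nz
Subject: hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

(body text omitted)
--b1
Content-Type: application/octet-stream; name="joke.exe"
Content-Disposition: attachment; filename="joke.exe"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""
SAMPLE_LEGIT = "From: friend@example.com\nTo: customer@actrix.co.nz\nSubject: hi\n\nSee you Friday.\n"
```

A mail filter would act on the second element of the returned tuple, which names the traits that matched, so a message with only one of the two traits is reported but not flagged.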

Note that the emails sent out by both of these viruses are invisible to the user of the infected computer. The user will usually have little, if any, indication that their computer is infected, if they aren't using any antivirus software, or if it has not been updated.

And, of course, we have to stress again, it is dangerous to click attachments you are unsure of. The incredibly high incidence of this virus suggests that waaaay too many people are unaware of this danger.

**Stop Press** New Sircam Virus, discovered 17 July 2001:

The following is a brief summary of what can be found about this virus at the Symantec (Norton AntiVirus) website.

This worm arrives as an email message with the following content:

Subject: The subject of the email will be random, and will be the same as the file name of the attachment in the email.
Message: The message body will be semi-random, but will always contain one of the following two lines (either English or Spanish) as the first and last sentences of the message.

Spanish Version:
First line: Hola como estas ?
Last line: Nos vemos pronto, gracias.
English Version:
First line: Hi! How are you?
Last line: See you later. Thanks

Between these two sentences, some of the following text may appear:

Spanish Version:
Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la información que me pediste
English Version:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I send you
This is the file with the information that you ask for
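The framing lines and the subject/attachment pattern described above can be checked mechanically. This added Python example (not code from the article or from Symantec's write-up) returns the Sircam traits present in a message. The sample message is constructed; the check accepts the subject with or without the attachment's file extension, which is an assumption beyond the page's wording.

```python
import email
from email import policy
from os.path import splitext

# Opening/closing lines the article says frame every Sircam message, one pair per language.
SIRCAM_FRAMES = {
    "es": ("Hola como estas ?", "Nos vemos pronto, gracias."),
    "en": ("Hi! How are you?", "See you later. Thanks"),
}

def sircam_indicators(raw_message):
    """List the Sircam traits present: known framing lines, and a subject that
    repeats the attachment's file name (with or without its extension; assumption)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]  # non-blank body lines
    for lang, (first, last) in SIRCAM_FRAMES.items():
        if len(lines) >= 2 and lines[0] == first and lines[-1] == last:
            found.append(f"{lang} framing lines")
    subject = str(msg.get("Subject", "")).strip().lower()
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if subject and subject in (name.lower(), splitext(name)[0].lower()):
            found.append(f"subject repeats attachment name {name}")
    return found

# Constructed sample in the shape the article describes (not a real capture).
SAMPLE_SIRCAM = """\
Subject: report
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks
--b1
Content-Type: application/octet-stream; name="report.exe"
Content-Disposition: attachment; filename="report.exe"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""
SAMPLE_BENIGN = "Subject: lunch\n\nHi! How are you?\nLunch at 12?\n"
```

A message that opens with one of the greetings but has neither the matching closing line nor a name-matching attachment, like the benign sample, produces an empty list.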

When executed, the worm performs a few nasty actions including possibly deleting all your files on October 16. As I've already stated, only a few days after initial discovery, this virus is already prevalent in New Zealand. Make it a general rule - delete any email you receive that has an attachment you didn't ask for or don't recognise!