The Magistr virus is a complex polymorphic worm that spreads via e-mail and carries a virus component that infects PE files (*.EXE, *.SCR) on Windows systems. It infects the local machine and PCs reachable over the local network (LAN). It is said to contain an extremely dangerous payload that will damage the motherboard and the hard disk. It also leaks the user's confidential information by e-mailing their document and text files.
The virus arrives as an e-mail attachment. When the infected attachment is executed, it searches for the Explorer.exe process in memory and inserts a 110-byte code stub into a writable section of that process. The TranslateMessage function is hooked to point to that routine, which waits three minutes. The system registry is then scanned for the e-mail clients Outlook Express, Netscape Messenger and Internet Mail. Based on the registry information, e-mail addresses are collected from .wab, .mbx and .dbx files and stored in a DAT file that serves as the mailing list. The decrypted virus body contains the last 10 addresses it mailed to.
After the mailing is complete, Magistr adds a “run=” command to Win.ini or modifies the registry so that it is loaded automatically at the next start-up. The registry sub-key used is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. It then searches all local and network folders and infects twenty *.EXE and *.SCR files in one pass. If a Windows folder exists on a network machine, it adds a “run=” command to that machine's WIN.INI file so that it is loaded on the next start-up.
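Because the worm persists through the legacy “run=” line in WIN.INI, a quick audit is to parse that file and list every program named on a run= line in its [windows] section. The following checker is an added example, not code from the original write-up; the WIN.INI content and the path it contains are constructed for the demonstration, and a clean system normally has an empty run= line.

```python
import re
from typing import List

# Constructed sample WIN.INI content (not taken from a real infected host);
# the non-empty run= line models the persistence entry described above.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\suspect.exe
NullPort=None

[fonts]
Arial (TrueType)=ARIAL.TTF
"""


def find_win_ini_run_entries(text: str) -> List[str]:
    """Return every program named on a run= line in the [windows] section.

    Section and key names are matched case-insensitively, ';' comment lines
    are skipped, and a run= line may list several programs separated by
    commas or spaces (a quoted path keeps its embedded spaces).
    """
    section = None
    found: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() != "run":
            continue
        # Tokens are either a double-quoted path or a run of non-separators.
        for token in re.findall(r'"[^"]*"|[^,\s]+', value):
            found.append(token.strip('"'))
    return found


if __name__ == "__main__":
    for entry in find_win_ini_run_entries(SAMPLE_WIN_INI):
        print("run= entry in [windows] section:", entry)
```

Feed it the contents of C:\WINDOWS\WIN.INI (and the WIN.INI on any reachable network share, since the worm writes there too) and treat any non-empty result as something to verify by hand.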