Information Security News mailing list archives

Hardware-trashing virus spreads by email


From: InfoSec News <isn () C4I ORG>
Date: Thu, 15 Mar 2001 12:23:15 -0600

http://www.theregister.co.uk/content/8/17604.html

By: John Leyden
Posted: 14/03/2001 at 17:53 GMT

A new email-borne virus uses a number of fresh tricks designed to
fool unwary Internet users.

Magistr is a polymorphic Windows 32 executable file virus which
features the facility to reproduce itself within emails with random
subject, body text and attachment names. It also carries a destructive
payload containing code similar to the hardware-destroying Kriz virus.

Like Kriz, Magistr can destructively flash a PC's BIOS as well as
overwrite data. If users click on the executable attachment of an
infected message they risk having their data overwritten and replaced by
text files containing the message: "You think you are God, but you are
only a piece of shit."

The virus searches a user's address book, mailboxes and other files
present on an infected machine for email addresses. It specifically
targets addresses from Outlook Express, Netscape Navigator and
Internet Mail and News. Once a list of email addresses has been
obtained, Magistr sends itself to these addresses using its own email
client.

The virus, which spreads by infecting files and via email, has
affected a number of users but its outbreak seems to have been
contained. Antivirus vendors are in the process of updating virus
definition files so that Magistr is detected, and protection is
largely in place.

Alex Shipp, senior anti-virus technologist at MessageLabs, which scans
customers' email for malicious code, said the company had intercepted
26 copies of the virus - so far. By comparison, MessageLabs caught
9,000 copies of the Anna Kournikova bug in an equivalent period.

Graham Cluley, of antivirus vendor Sophos, claimed that Magistr
strengthens arguments for practicing "safe computing", as users are
unable to look for a specific subject header or file name in order to
identify the virus.

Safe computing means that you do not open attachments to suspect,
unexpected emails and you use up-to-date antivirus software, said
Cluley, who added firms should also consider blocking executable files
at corporate gateways because of the risk they pose.

This would mean that only IT staff could install software obtained
over the Internet on machines but Cluley said the policy was still
worth considering in the interests of security.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
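
Added example, not part of the original article or of any vendor's product: a sketch of the gateway-side executable blocking that Cluley describes. Because Magistr randomises subject and attachment names, the check keys on the attachment's content (the Windows PE header) rather than on its name. The function names, addresses and sample messages are constructed for illustration.

```python
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # An out-of-range offset yields an empty slice, so this stays False.
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def executable_parts(raw: bytes) -> list:
    """Return (filename, declared content type) for every MIME part holding a PE image."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # decode=True undoes base64 / quoted-printable transfer encoding.
        payload = part.get_payload(decode=True) or b""
        if looks_like_pe(payload):
            hits.append((part.get_filename(), part.get_content_type()))
    return hits

def gateway_verdict(raw: bytes) -> str:
    """Policy from the article: executables do not pass the mail gateway."""
    return "quarantine" if executable_parts(raw) else "deliver"

# Constructed sample data: a minimal PE-shaped stub, not a real program.
SAMPLE_PE = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16

def build_sample(attachment: bytes, filename: str) -> bytes:
    """Build a constructed test message carrying one attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "notes"
    m.set_content("see attached")
    m.add_attachment(attachment, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(gateway_verdict(build_sample(SAMPLE_PE, "holiday.txt")))      # harmless-looking name
    print(gateway_verdict(build_sample(b"plain text\n", "notes.txt")))
```

A header check of this kind does not look inside archives or other containers, so it complements rather than replaces the antivirus scanning mentioned in the article.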

