Magistr, the worm.... what can I say, this is one of the more disturbing viruses. It arrives in your email under a variety of possible subject lines. The attachment can come in a variety of file types, such as .pif, .exe, .com, .doc and .scr, as well as others, so do not rely on the extension to tell you it is safe.
The best advice I can give is to hope you have a good anti-virus. If you don't, I suggest you get one. My recommendations are McAfee, PC-Cillin and F-Prot (Command Anti-Virus).
Once you are infected by this virus/worm you may notice very strange things happening on your PC, such as the icons on your desktop being afraid of your mouse and running away from it. You might also have received a nasty note from your computer. These symptoms come from the worm's payload, so not seeing them yet does not mean you are clean; check the startup entries below either way.
For more information on this worm visit Symantec's site at: http://www.sarc.com/avcenter/venc/data/w32.magistr.24876@mm.html
Legend:

  %SystemRoot%    C:\Windows (on Windows NT or 2000 it will be C:\Winnt)
  %SystemDrive%   C:\
  %WinDir%        C:\Windows (on Windows NT or 2000 it will be C:\Winnt)
Files to clean, and what to look for:

%SystemRoot%\System.ini (C:\windows\system.ini)
****NOTE**** Under [boot] look for the shell=explorer.exe line. If there is anything past explorer.exe on this line, it is part of the virus, so delete it (but first write down that file name; you will be looking for it again in win.ini and the registry). An example of what a clean [boot] section should look like:

  [boot]
  oemfonts.fon=vgaoem.fon
  shell=Explorer.exe
  system.drv=system.drv

An example of what an infected system.ini might look like (extrafile.exe stands for whatever name the worm used):

  [boot]
  oemfonts.fon=vgaoem.fon
  shell=Explorer.exe extrafile.exe
  system.drv=system.drv
%SystemRoot%\win.ini (C:\windows\win.ini)
****NOTE**** Under the [windows] section look for the run= line. This should be blank; if you are infected you will probably see a file name there, so delete it (check the load= line next to it the same way). An example of what this portion should look like:

  [windows]
  load=
  run=
  NullPort=None

An example of what an infected win.ini would look like:

  [windows]
  load=
  run=extrafile.exe
  NullPort=None
Registry keys to check (string values):

Before editing the registry, always remember to back up the registry first.

HKEY_LOCAL_MACHINE\Software\Microsoft\
****NOTE**** PAY ATTENTION and write down the file name that is appended to the Shell value data, for you will need it for the next key. Look for the value named Shell and double-click on it. Examine the value data: if there is anything other than explorer.exe in it, that extra part is the virus, so remove it and leave the data as explorer.exe only.

HKEY_Local_Machine\SOFTWARE\Microsoft\
Examine this key and its values for the mysterious file name you wrote down. If you find it, delete that value.

Keep in mind that these entries only make the worm start again at boot; the file they point to is still on the disk, which is what the anti-virus scan is for.
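As an added example (not from the original page), here is a small Python checker that applies the tests from the system.ini, win.ini and registry steps above in one pass: it flags anything after explorer.exe on the shell= line (the same test is used for the registry Shell value data), flags a non-blank run= or load= line in win.ini, and searches a set of startup values for the file name found on the shell line. The INI text and the value dictionary are constructed sample data mirroring the page's infected examples; the real registry is not read, and the second key's path, which is cut off on the page, is not assumed beyond its values holding program commands.

```python
"""Checker for the Magistr startup hooks described above (added example, not
from the original page).  It parses system.ini / win.ini text, flags anything
beyond explorer.exe on the shell= line (the same test applies to the registry
Shell value data), flags a non-blank run= or load=, and searches a dictionary
of startup-key values for the file name found on the shell line.  All input
below is constructed sample data; nothing on the real machine is touched.
"""
import re
from typing import Dict, List

EXPECTED_SHELL = "explorer.exe"


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: {section: {key: value}}.  Section and key names are
    lower-cased, ';' comments and blank lines are skipped, the last duplicate
    key wins.  Values keep their original case for reporting."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def _basename(path: str) -> str:
    """Lower-cased final path component, so C:\\WINDOWS\\EXPLORER.EXE matches."""
    return path.lower().rsplit("\\", 1)[-1]


def extra_shell_entries(shell_data: str) -> List[str]:
    """Everything after explorer.exe in a shell= line or Shell value data.
    A full path to explorer.exe is accepted; if the first program is not
    explorer.exe at all, the whole list is returned, since the shell itself
    was replaced.  Space and comma separators are both handled."""
    tokens = [t for t in re.split(r"[\s,]+", shell_data.strip()) if t]
    if not tokens:
        return []
    if _basename(tokens[0]) != EXPECTED_SHELL:
        return tokens
    return tokens[1:]


def check_system_ini(text: str) -> List[str]:
    """Extra programs on the [boot] shell= line of system.ini."""
    boot = parse_ini(text).get("boot", {})
    return extra_shell_entries(boot.get("shell", ""))


def check_win_ini(text: str) -> Dict[str, str]:
    """run= and load= under [windows] should both be blank; return any that are not."""
    windows = parse_ini(text).get("windows", {})
    return {k: windows[k] for k in ("run", "load") if windows.get(k)}


def find_references(values: Dict[str, str], suspect: str) -> List[str]:
    """Names of registry values whose data mentions the suspect file name
    (matched on the base name, case-insensitively)."""
    needle = _basename(suspect)
    return sorted(name for name, data in values.items() if needle in data.lower())


# Constructed samples mirroring the page's 'infected' examples.
SAMPLE_SYSTEM_INI = """[boot]
oemfonts.fon=vgaoem.fon
shell=Explorer.exe extrafile.exe
system.drv=system.drv
"""
SAMPLE_WIN_INI = """[windows]
load=
run=extrafile.exe
NullPort=None
"""
# Constructed stand-in for the values of the second key the page lists (its
# path is cut off on the page; this only assumes its values hold commands).
SAMPLE_STARTUP_VALUES = {
    "SystemTray": "SysTray.Exe",
    "extrafile": "C:\\WINDOWS\\extrafile.exe",
}

if __name__ == "__main__":
    suspects = check_system_ini(SAMPLE_SYSTEM_INI)
    print("system.ini shell= extras:", suspects)
    print("win.ini non-blank run=/load=:", check_win_ini(SAMPLE_WIN_INI))
    for s in suspects:
        print(f"startup values referencing {s}:",
              find_references(SAMPLE_STARTUP_VALUES, s))
```

To use it on a real Windows 9x/NT box, read the two INI files with open() and feed the text to check_system_ini and check_win_ini, and pass the Shell value data from regedit to extra_shell_entries; the file name it returns is the one to hunt for in the other key's values and to hand to the anti-virus scanner.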