VIRUS WARNING!!!!

greenspun.com : LUSENET : Unofficial Newcastle United Football Club BBS : One Thread

PLEASE DO NOT TOUCH/OPEN/WHATEVER ANY E MAILS YOU RECEIVE FROM ME!!!

I HAVE A VIRUS PROBLEM AND IT SEEMS TO BE MAILING EVERYONE IN MY ADDRESS BOOK. SORRY!!!!!!!

-- Anonymous, July 12, 2001

Answers

ANSWERS PAGE!!!!

-- Anonymous, July 12, 2001

Well, if you persist in downloading all the porn stuff, you have to take the consequences.

If we get an E mail from you, just deleting it should do the trick. .... yes?

-- Anonymous, July 12, 2001


yeah deleting it will do the trick....

Don't stress about it Gal, it's no big deal!....

-- Anonymous, July 12, 2001


Galaxy, ignore my reply to the e-mail! I've only just read this. Hope you get it sorted out.

-- Anonymous, July 12, 2001

Just did a search for this virus. If you wanna know more, click here.

-- Anonymous, July 12, 2001


... thanks Gal but you warned me too late :-(

-- Anonymous, July 12, 2001

What sort of sad, twisted, propellor-head geeks think up these things ? Bring back capital punishment, I say. :-)

-- Anonymous, July 12, 2001

I checked my mail before coming on here and because of the nature of the message, who it was from and the type of messages between us lately I opened the mail.

My machine said "you are about to delete all your modem software do you wish to continue?" I said no and deleted the message.

Is it too late?

-- Anonymous, July 12, 2001


BAD, BAD news; I've received a similar email from you now gus ! :-(

-- Anonymous, July 12, 2001

screacher, I couldn't open your link mate, I've heard from another friend that this virus is called Magistr.dam and it locks into your address book and other files and sends random letters, spreadsheets, emails and faxes.

Was that the gist of your link?

Thanks, Bud.

-- Anonymous, July 12, 2001



Oh dear - I'm really sorry folks! Please bear in mind that I didn't invent the virus, and I am concerned that I am having such difficulty removing it via my completely up to date McAfee programmes.

The virus, according to McAfee is W32/Magistr@MM - and I think it originally started in Malmo. Not that that is much consolation. (:o(

-- Anonymous, July 12, 2001


Bud - I guess I may have privileges to the Symantec website?? Anyway, I dunno whether this will format or not:
W32.Magistr.24876@mm

Discovered on: March 13, 2001
Last Updated on: April 4, 2001 at 11:55:55 AM PDT

Due to the increased number of submissions, SARC has updated the threat level of this virus from 3 to 4.

W32.Magistr.24876@mm is a virus that has email worm capability. It is also network aware. It infects Windows Portable Executable (PE) files, with the exception of .dll system files, and sends email messages to addresses that it gathers from the Outlook/Outlook Express mail folders (.dbx, .mbx), the sent items file from Netscape, and Windows address books (.wab), which are used by mail clients such as Microsoft Outlook and Microsoft Outlook Express. The email message may have up to two attachments, and it has a randomly generated subject line and message body.

Also Known As: I-Worm.Magistr, PE_MAGISTR.A, W32.Magistr@mm
Category: Virus, Worm
Infection Length: varies
Virus Definitions: March 13, 2001

Threat Assessment:
Wild: High
Damage: High
Distribution: High

Wild:
Number of infections: 50 - 999
Number of sites: More than 10
Geographical distribution: Medium
Threat containment: Moderate
Removal: Moderate

Damage:
Payload:
Large scale e-mailing: Uses email addresses from the Windows Address Book files and Outlook Express Sent Items folder.
Causes system instability: Overwrites hard drives, erases CMOS, flashes the BIOS.
Releases confidential info: It could send confidential Microsoft Word documents to others.

Distribution:
Subject of email: Randomly generated text that can be up to 60 characters long.
Name of attachment: One randomly named infected executable and several randomly selected text or document files
Target of infection: All Windows PE files that are not .dll files.

Technical description:

When a file that is infected by W32.Magistr.24876@mm is executed, it searches in memory for a readable, writable, initialized section inside the memory space of Explorer.exe. If one is found, a 110-byte routine is inserted into that area, and the TranslateMessage function is hooked to point to that routine. This code first appeared in W32.Dengue.

When the inserted code gains control, a thread is created and the original TranslateMessage function is called. The thread waits for three minutes before activating. Then the virus obtains the name of the computer, converts it to a base64 string, and depending on the first character of the name, creates a file in either the \Windows folder, the \Program Files folder, or the root folder. This file contains certain information, such as the location of the email address books and the date of initial infection. Then it retrieves the current user's email name and address information from the registry (Outlook, Exchange, Internet Mail and News), or the Prefs.js file (Netscape). The virus keeps in its body a history of the 10 most recently infected users, and these names are visible in infected files when the virus is decrypted.

After this, the virus searches for the Sent file in the Netscape folder, and for .wab, .mbx, and .dbx files in the \Windows and \Program Files folders. If an active Internet connection exists, the virus searches for up to five .doc and .txt files and chooses a random number of words from one of these files. These words are used to construct the subject and message body of the email message. Then the virus searches for up to 20 .exe and .scr files smaller than 128 KB, infects one of these files, attaches the infected file to the new message, and sends this message to up to 100 people from the address books. In addition there is a 20-percent chance that it will attach the file from which the subject and message body was taken, and an 80-percent chance that it will add the number 1 to the second character of the sender address. This last change prevents replies from being returned to you and possibly alerting you to the infection.

After the mailing is done, the virus searches for up to 20 .exe and .scr files, and infect one of these files. Then there is a 25-percent chance, if the Windows directory is named one of the following:

Winnt
Win95
Win98
Windows

that the virus will move the infected file into the \Windows folder and alter the file name slightly. Once the file is moved, a run= line is added to the Win.ini file to run the virus whenever the computer is started. In the other 75 percent of cases, the virus will create a registry subkey in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The name of this subkey is the name of the file without a suffix, and the value is the complete file name of the infected file. The virus then searches all local hard drives and all shared folders on the network for up to 20 .exe and .scr files to infect, and add the run= line if the \Windows folder exists in that location.

If the computer has been infected for one month and at least 100 people have been sent an infected file, and if at least three files contain at least three examples from the following list:

sentences you sentences him to sentence you to ordered to prison convict , judge circuit judge trial judge found guilty find him guilty affirmed judgment of conviction verdict guilty plea trial court trial chamber sufficiency of proof sufficiency of the evidence proceedings against the accused habeas corpus jugement condamn trouvons coupable a rembourse sous astreinte aux entiers depens aux depens ayant delibere le present arret vu l'arret conformement a la loi execution provisoire rdonn audience publique a fait constater cadre de la procedure magistrad apelante recurso de apelaci pena de arresto y condeno mando y firmo calidad de denunciante costas procesales diligencias previas antecedentes de hecho hechos probados sentencia comparecer juzgando dictando la presente los autos en autos denuncia presentada

then the virus will activate the first of its payloads. This payload is similar to that of W32.Kriz, and it does the following:

Deletes the infected file
Erases CMOS (Windows 9x/Me only)
Erases the Flash BIOS (Windows 9x/Me only)
Overwrites every 25th file with the text YOUARESHIT as many times as it will fit in the file
Deletes every other file
Displays the following message:
Overwrites a sector of the first hard disk

This payload is repeated infinitely.

If the computer has been infected for two months, then on odd days the desktop icons are repositioned whenever the mouse pointer approaches, giving the impression that the icons are "running away" from the mouse:

If the computer has been infected for three months, then the infected file is deleted.

For files that are infected by W32.Magistr.24876@mm, the entry point address remains the same, but up to 512 bytes of garbage code is placed at that location. This garbage code transfers control to the last section. A polymorphic encrypted body is appended to the last section. The virus is hostile to debuggers and will crash the computer if a debugger is found.

Removal instructions:

To remove this worm:
1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
3. If any files are detected as infected by W32.Magistr.24876@mm, choose Repair.

NOTE: This virus contains bugs which will corrupt some files while attempting to infect them, as well as when the first payload activates. These files cannot be repaired; they must be restored from backup.

-- Anonymous, July 12, 2001
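
An added example, not part of the thread or of the Symantec write-up: a small audit of the two startup locations the advisory describes, the run= line in Win.ini and the HKLM Run key. It assumes the Run key contents are supplied as `reg query` text output; the sample file names are constructed, and a hit is only an entry worth reviewing, not proof of infection.

```python
import ntpath
import re

SUFFIXES = (".exe", ".scr")  # file types the advisory says get infected

# Constructed sample inputs (file names are made up for illustration).
SAMPLE_WININI = r"""[windows]
load=
run=C:\WINDOWS\SETUQ.EXE
[Desktop]
Wallpaper=(None)
"""
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    SysTray.Exe
    CALD    REG_SZ    C:\Program Files\Tools\CALD.SCR
"""

def winini_run_entries(text):
    """Return programs listed on run= lines in the [windows] section."""
    section, found = "", []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows":
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "run":
                found += [p for p in re.split(r"[ ,]+", value.strip()) if p]
    return found

def run_key_values(reg_query_text):
    """Parse `reg query` output lines into (value name, data) pairs."""
    pairs = []
    for line in reg_query_text.splitlines():
        m = re.match(r"\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.+)$", line)
        if m:
            pairs.append((m.group(1), m.group(2).strip()))
    return pairs

def review_list(winini_text, reg_query_text):
    """Shortlist autostart entries shaped like the two cases in the advisory."""
    hits = [("win.ini run=", p) for p in winini_run_entries(winini_text)
            if p.lower().endswith(SUFFIXES)]
    for name, data in run_key_values(reg_query_text):
        stem, ext = ntpath.splitext(ntpath.basename(data.strip('"')))
        # Advisory: the value name is the file name without its suffix.
        if ext.lower() in SUFFIXES and stem.lower() == name.lower():
            hits.append(("HKLM Run", data))
    return hits
```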

Sorry about the previous formatting. But I think you can get the gist of what it's saying. Despite Gav's feelings that it isn't too bad, the potential looks pretty bad in my eyes.

As ever, I always recommend you should virus check every attachment you receive. I know this can be a pain in the proverbial, but not so much as the pain caused by viruses. As a minimum, I always check .EXE files. If in doubt, bin them. Life goes on without opening these attachments.

-- Anonymous, July 12, 2001


Does it mean I can send emails to everyone in the company with an attachment saying YOUARESHIT and blame it on a virus? Brilliant.

-- Anonymous, July 12, 2001

By not too bad, I meant that from what I've heard it's very straightforward to get rid of....

-- Anonymous, July 12, 2001


Thank you for at least making me smile Scratchy!

-- Anonymous, July 12, 2001

Being a simple soul and knowing the provenance of the mail I attempted to open the attachment - for no other reason than that I was intrigued by the total gobbledegook in the message itself. My Norton Anti-virus stopped me opening it and I then deleted it. Hope everything is now OK.

-- Anonymous, July 12, 2001

Norton seems to do a better job than McAfee then! I am still at a loss as to why McAfee didn't do me the same favour - I keep my Virus Scan and ActiveShield up to date. In fact it notifies me at 8.30 every morning if there are up-dates available. Last updates were on Tuesday - so I still don't see why it didn't catch this one coming in.

Used the on-line scan this afternoon (twice, no three times!) First time there were 18 infected files, which I finally managed to clean. Scanned again just to make sure - no infected files - phew! Still not feeling 100% confident, I switched my computer off when I was out. Came in later and switched it on again. Several new e mails from people asking me what I am sending them. Oh dear, thought I'd better scan again online - guess what - 21 infected files. Back to square one.

Now after being very brave and chatting online with McAfee technical support, I have a three page e mail full of instructions to 'delete' the virus. Well, I will do my best.................:o(

If you don't ever hear from me again, you will know that I have deleted myself completely........but only in a 'cyber' sense! (:o|

-- Anonymous, July 12, 2001


I've got Norton system works 2001. It updates automatically when you're on line - you don't have to remember to do anything - which is useful for an empty heeded bugger like me.

-- Anonymous, July 12, 2001

...thanks Screach, I finally managed to access your link, I also have "Norton System Works" doing a good job for me, I hope! It's just that I opened Gal's attachment not gus's + I opened another one from a mate in South Africa, I suppose I'll only know if I've got the virus if people in my address book start getting mysterious attachments from me?

Thanks a bunch ;7)

-- Anonymous, July 12, 2001


Well, I'm obviously not one of your mates (or you aren't infected) cos I ain't caught nowt from you.

I have agreed not to disclose the contents of Gus' address book - for now ;-)

-- Anonymous, July 12, 2001


I opened the mail message but not the attachment - presumably that's what does the damage? The Uni has quite a good system where all .exe attachments are automatically changed to _exe so you have to make the effort to rename if you want to open them.

-- Anonymous, July 13, 2001
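
An added example, not part of the thread and not the university's actual system: one way a mail filter could do the .exe to _exe renaming described in the post above, using Python's standard email package. The .scr extension is included because the advisory quoted earlier in the thread names it; the sample message and addresses are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

RISKY = (".exe", ".scr")  # attachment types named in the quoted advisory

def defang_name(filename):
    """Swap the dot before a risky extension for '_' (a.exe -> a_exe)."""
    # Windows ignores trailing dots and spaces, so "a.exe. " still opens as a.exe.
    name = filename.rstrip(" .")
    stem, dot, ext = name.rpartition(".")
    if dot and ("." + ext).lower() in RISKY:
        return stem + "_" + ext
    return filename

def defang_message(raw):
    """Return (rewritten message bytes, [(old, new), ...]) for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    renamed = []
    for part in msg.walk():
        old = part.get_filename()
        new = defang_name(old) if old else old
        if new == old:
            continue
        # The name can sit in either header; rewrite whichever is present.
        if part.get_param("filename", header="content-disposition") is not None:
            part.set_param("filename", new, header="Content-Disposition")
        if part.get_param("name") is not None:
            part.set_param("name", new)
        renamed.append((old, new))
    return msg.as_bytes(), renamed

def attachment_names(raw):
    """List attachment file names in a raw message, in order."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def sample_message():
    """Constructed sample: two attachments holding harmless placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.org", "reader@example.org"
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    for fname in ("notes.doc.EXE", "notes.txt"):
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()
```

The rename only forces a deliberate step before the file can be run; the attachment content is unchanged and still needs scanning.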

Again, might be preaching to the converted, for which, apologies, Gal, but maybe your anti virus engine needs to be updated.

You don't say whether or not it's both the .DAT file and the engine that are automatically updated. It may be just the .DAT file, which contains the details of new viruses.

-- Anonymous, July 13, 2001


I have a dodgy copy of Norton system works on one of my computers. Does it cost anything to get an update? Same question for McAfee, which is on my other computers.

-- Anonymous, July 13, 2001

After great expense to myself I am now clean, I hope.

How can it send itself to everyone and not leave the outgoing messages in the sent folder?

Does it only affect the names in your address list or will it send itself to an address that you have in a folder but not committed to the address book?

For some reason I have my own address in the address book, why did it not send a message to me?

Why am I not as smart as everyone else?

Why have we not bought anyone good?

-- Anonymous, July 13, 2001


I thought McAfee had bought out Norton and the virus scanners are one and the same.

-- Anonymous, July 13, 2001

Preach away Pit Bill - I need the help! Actually, I think I have removed it, but I need to do some more checking. As far as McAfee is concerned, I download the updates as and when and immediately they come in....I assume they will be sending me everything I require. But then again....who knows.

BTW Sorry Gus! (:o(

-- Anonymous, July 13, 2001


So he is!!

-- Anonymous, July 13, 2001

And how sorry is he?

I will have you know that I will hold you personally responsible for anything that happens to me and my computer in the foreseeable future. Galaxy2001 has destroyed what little credibility I had.

I may come over and strangle your cats.

Well at least I might write naughty things on the bbs about you

-- Anonymous, July 13, 2001


We're allowed to bring copies of Norton Anti Virus from work - it's zapped a few mails as they arrived.

Somebody said to me that as long as you only accept mails in plain text you can only be blasted by attachments - the ones I mentioned above were Activex in the HTML format mail.

I'll find out if I'm allowed to copy the CD and if so will offer it to anybody.

-- Anonymous, July 13, 2001


If you buy a proper copy of System Works (you can get them at the computer shows down here for half price) you get 12 months free automatic updates. After the first 12 months you have to pay something daft like £2.50 a year to get the updates.

-- Anonymous, July 13, 2001

Screacher, you must be a mate; I spotted the "Preach away" and your subsequent comment but, I don't think you're in my address book - hence no dodgy emails from me to you!?

-- Anonymous, July 14, 2001

Thanks Galaxy - it arrived last Thursday but I've not been able to check my emails till this morning. I was able to use my VD expertise (Virus Disposal) and got rid of the thing straight away so no harm was done. (OK team - anyone else got any bright ideas how to keep him quiet? - Ed)

Thanks Gal^^^%$%$£$%$))(**&^&&&&%%++++T&^&^&^$%$£

(Well done Galaxy - Ed)

-- Anonymous, July 16, 2001
