-
April 16th, 2001, 06:02 PM
#1
Virus question soonest please
One of my staff received an email with no text and a garbled subject line with an attachment: faxnotif.exe
After all the warnings I've given she still opened the attachment which opened a large file with a lot of language that scared the hell out of me such as "destroymenu".
I contacted the sender's company since the email had that info in the header and since it came to her as a blind copy recipient suspecting the worst.
Their IS dept has shut down their entire mail system due to this and one of their techs referred to the W32maestro virus.
Here's the problem, I can't find any reference to that name in the Symantec library or McAFEE. Have any of you encountered that name? I seem to recall it somewhere.
Quick answer appreciated.
------------------
"Finest Kind"
Athlon64 3800+, Asus A8V, 4x512 PC3200, 2x160GB SATA Seagate Barracudas, BFG GeForce 6600 OC 256MB, Thermaltake PurePower 500W, Antec P180 case (silent), XP Pro; home built
-
April 16th, 2001, 07:08 PM
#2
Sorry, but not having any luck so far, hope someone else has better luck.
HP Pavilion XH485 notebook, 1.0GHz AMD Athlon™ 4, 256MB RAM, 30 GB hard drive
HP Pavilion 7955 PC, 1.5GHz Intel® Pentium® 4, 256MB RAM, 40GB hard drive
-
April 16th, 2001, 07:10 PM
#3
Doesn't sound like the characteristics mentioned. http://www.lincolnu.edu/~oit/[email protected]
http://msdn.microsoft.com/library/ps...menus_88ad.htm
Scan with updated online or offline AV dats just to make sure. Good luck.
To All Virus Writers!! Off With Your Heads!!
------------------
"Try To Keep Your Head When Everyone Else Is Losing Theirs!!"
-
April 16th, 2001, 07:16 PM
#4
I think their IS dept doesn't know a virus from a file system! 
This is what I found when I did a search at Sophos:
Technical details
File systems supported FAT, NTFS, HPFS, CDFS, InterDrive NFS (FTP Software), Chameleon NFS (NetManage), Maestro NFS (Hummingbird Communications), Solstice NFS (Sun Microsystems).
------------------
There are no dumb questions only dumb looks....
If it doesn't work hit it with a hammer. If hitting it fixes it great! If it breaks, oh well it didn't work anyway.
-
April 16th, 2001, 07:27 PM
#5
Didn't find much. Any chance the Tech meant this one?
Magistr.24876 (also known as Win32.Magistr.24876, W32/Magistr@MM, PE_MAGISTR.A, W32.Magistr.24876 and I-Worm.Magistr)
Magistr is a polymorphic binary virus/worm targeting Windows 9x/ME/2K systems. It has been observed in the field mainly in Europe.
When run, this virus will make a copy of an EXE or SCR file in the system directory, give it a slightly different name and infect the copy. The virus then adds a reference to this infected file to the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
For example, under test conditions the virus copied "CFGWIZ32.EXE" to "CFGWIZ31.EXE" and added the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\CFGWIZ31="C:\WINDOWS\SYSTEM\CFGWZ31.EXE"
It may also add the filename to the "run=" line in WIN.INI.
On the next reboot, the infected copy will infect other .EXE and .SCR files in the System directory and its subdirectories.
The virus searches for e-mail addresses in Outlook Express and Netscape mailboxes, as well as the Windows address book (.WAB) files. It stores information about the location of these mailboxes in a hidden file in the Windows directory with the extension ".dat". The rest of the filename is randomly generated based on the computer name.
Using its own SMTP code (by connecting to the mailserver directly), the virus then sends an e-mail message to all of the addresses it has found. The subject and body of the e-mail are taken from files on the infected machine's hard drive, and therefore may be any collection of ASCII characters. An infected file is attached to the e-mail.
Besides using SMTP to spread, Magistr also tries to connect to shares in the network neighborhood. If it can connect to a network drive, it will try to copy itself to the following directories and add a "run=" line to the WIN.INI file on the remote machine to infect it on the next startup:
WIN95
WIN98
WINDOWS
WINNT
The virus code contains a procedure to overwrite files on the hard drive as well as the CMOS data and Flash BIOS code. Whilst the CMOS data is recoverable, the loss of the Flash BIOS code could potentially render a computer unbootable.
Detection for this virus/worm has been added to the following virus engine/virus signature combination. Install this update or later to ensure protection:
CA Anti-Virus Product Engine/Signature
InoculateIT 4.x 22.00
InoculateIT 6.0 23.40.00
InoculateIT Personal Edition 5.2/1161
VET 10.2/1161
------------------
I crash...therefore I am.
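An added example (not code from any poster in this thread) of checking for the persistence pattern the CA write-up above describes: an autostart entry in the Run key or on the WIN.INI run= line that points at a System-directory program whose name is one character off an existing file there, as with CFGWIZ32.EXE copied to CFGWIZ31.EXE. The directory inventory, Run entries and WIN.INI contents are constructed sample data.

```python
import re

# Constructed sample data standing in for a Windows 9x/2K host (not a real machine).
SYSTEM_DIR_FILES = ["CFGWIZ32.EXE", "CFGWIZ31.EXE", "NOTEPAD.EXE",
                    "SCRNSAVE.SCR", "SCRNSAV3.SCR"]
RUN_KEY_ENTRIES = {          # HKLM\...\CurrentVersion\Run value name -> data
    "CFGWIZ31": r"C:\WINDOWS\SYSTEM\CFGWIZ31.EXE",
    "Update":   r"C:\WINDOWS\SYSTEM\NOTEPAD.EXE",
}
WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\SCRNSAV3.SCR
[Desktop]
"""

def parse_win_ini_run(text):
    """Return the program paths on the run= line of the [windows] section.
    Several programs on that line are separated by spaces or commas."""
    in_windows = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_windows = line.lower() == "[windows]"
        elif in_windows and line.lower().startswith("run="):
            return [p for p in re.split(r"[ ,]+", line[4:].strip()) if p]
    return []

def one_char_off(a, b):
    """True when a and b have equal length and differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def suspicious_autostarts(run_entries, win_ini_text, system_files):
    """Flag autostart programs in the System directory whose file name is one
    character off another file there. Returns [(name, [look-alike names])]."""
    known = {f.upper() for f in system_files}
    candidates = list(run_entries.values()) + parse_win_ini_run(win_ini_text)
    findings = []
    for path in candidates:
        if "\\SYSTEM\\" not in path.upper():
            continue                       # only System-directory programs
        name = path.rsplit("\\", 1)[-1].upper()
        twins = sorted(k for k in known if k != name and one_char_off(k, name))
        if twins:
            findings.append((name, twins))
    return findings

if __name__ == "__main__":
    for name, twins in suspicious_autostarts(RUN_KEY_ENTRIES, WIN_INI, SYSTEM_DIR_FILES):
        print(f"{name}: look-alike of {', '.join(twins)}; compare size and scan it")
```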
-
April 16th, 2001, 08:10 PM
#6
Thanks folks. Like you I'm coming up empty. I thought it might be a variant of Hybris but who knows at this point. I sent it to SARC.
Forest1, I checked that site and it's interesting, in fact strange, and I agree that the company IS dept may be out to lunch regarding W32Maestro as a name but it's clear that every person in their mail system got a blind copy of this executable so something must be at play here.
-
April 16th, 2001, 11:35 PM
#7
Go here: http://www.appliedmicroinc.com/
...and follow the ftp server links to here: http://www.appliedmicroinc.com/ftp/L...e/V70b/COMMON/
The file is available for download. Compare the file size. I don't think it's a virus but no clue why you would get it in your mail. Someone playing games?
------------------
"If you look at the sun without shielding your eyes, you'll go blind. If you look at the moon without covering your eyes, you'll become a poet." --Serge Bouchard
-
April 17th, 2001, 11:11 AM
#8
Nice find Dan. The file listed is 30k; the file we have with the same name is 48k. I'm going to check further but you probably have hit the original file source.
I wonder if some disgruntled employee at the company wanted to do exactly what he or she did and that's to cause a shutdown of their operations by making everyone think an attached virus had gone out. If so it worked.
The jerk.