Nasty Virus!!!!
Michael
01-15-2002, 01:24 AM
This evening I received a very strange e-mail from a friend with a zip attachment:
Subj: wishing to procure
Date: 1/14/02 7:20:07 PM Central Standard Time
From: (I've removed the party's e-mail to protect privacy)
File: SULFNBK.zip (43476 bytes)
DL Time (TCP/IP): < 1 minute
I.M.A., for the purpose of an overseas medical mission project, will complete and return the “Project Information” and “Order” Forms 30 days in advance of the scheduled shipping date.
USE OF I.M.A. PRODUCTS:
Applicant guarantees that all medicines and medical supplies received from I.M.A. will be altogether used outside the United States and be freely distributed to treat persons without regard to race, creed, sex, national origin, or political affiliation.
-------------------------------------------------------------------------------
As is my habit I scanned the zip file with Norton's and it was positive for the W32.Magistr.24876@mm virus. I deleted the zip file, ran a complete check and my system is clean. There's an exhaustive definition of this virus at the Symantec site http://securityresponse.symantec.com/avcenter/venc/data/w32.magistr.24876@mm.html
Here's what really made me glad that I have adopted a few SOPs in dealing with e-mail attachments:
This payload is similar to that of W32.Kriz, and it does the following:
Deletes the infected file
Erases CMOS (Windows 9x/Me only)
Erases the Flash BIOS (Windows 9x/Me only)
Overwrites every 25th file with the text YOUARE**** as many times as it will fit in the file
Deletes every other file
Overwrites a sector of the first hard disk
This payload is repeated infinitely.
If the computer has been infected for two months, then on odd days the desktop icons are repositioned whenever the mouse pointer approaches, giving the impression that the icons are "running away" from the mouse.
If the computer has been infected for three months, then the infected file is deleted.
For files that are infected by W32.Magistr.24876@mm, the entry point address remains the same, but up to 512 bytes of garbage code is placed at that location. This garbage code transfers control to the last section. A polymorphic encrypted body is appended to the last section. The virus is hostile to debuggers and will crash the computer if a debugger is found.
THIS IS ONE NASTY, NASTY VIRUS!!!!!!!!
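A small forensic triage script for the payload quoted above, added here as an example and not code from the thread or from Symantec: it walks a directory tree and flags files whose contents are the marker text repeated as many times as it fits, which is how the post describes the damage to every 25th file. The marker is taken exactly as the forum shows it (censored with asterisks), so MARKER, the function names and the constructed sample files are assumptions, not anything from the page.

```python
import os
import tempfile
from typing import Iterator, List, Tuple

# Marker as the forum quotes it (censored with asterisks); placeholder for the
# text your AV vendor documents for this payload.
MARKER = b"YOUARE****"


def looks_overwritten(data: bytes, marker: bytes = MARKER) -> bool:
    """True if data is the marker repeated as many times as it will fit.

    Only the trailing len(data) % len(marker) bytes may differ from the
    pattern; a file shorter than one marker is never flagged.
    """
    reps = len(data) // len(marker)
    return reps > 0 and data[: reps * len(marker)] == marker * reps


def scan_tree(root: str, marker: bytes = MARKER,
              max_bytes: int = 64 << 20) -> Iterator[Tuple[str, int]]:
    """Yield (path, size) for every regular file under root that matches.

    Files above max_bytes are judged on their first max_bytes only.
    """
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                head = fh.read(max_bytes)
            if looks_overwritten(head, marker):
                yield path, os.path.getsize(path)


def demo() -> List[str]:
    """Write a constructed sample tree to a temp dir and return flagged names."""
    root = tempfile.mkdtemp(prefix="magistr_triage_")
    samples = {
        "report.doc": MARKER * 103 + b"\x00\x01\x02",  # overwritten, 3 bytes left
        "notes.txt": b"quarterly numbers, nothing to see here " * 40,  # clean
        "short.bin": MARKER[:6],  # too short to carry the pattern
        "mixed.txt": MARKER * 2 + b"then real text follows " * 5,  # partial, clean
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return sorted(os.path.basename(p) for p, _size in scan_tree(root))
```

A flagged file is unrecoverable from its own contents; the list is for scoping the damage and choosing what to restore from backup.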
Penguin
01-15-2002, 01:13 PM
This virus is a hoax. I will find the web page and post it so you all can read.
Penguin
01-15-2002, 01:16 PM
I couldn't find the web page but here is what the web page said.
SULFNBK.EXE
Alias:
Category: Hoax
Type: Hoax
Wild:
Destructiveness:
Pervasiveness:
CHARACTERISTICS
As well as portraying all the standard hoax features, (warns of a dire 'danger' then suggests that the receiver should send it onto all of their friends to minimize the damage that the 'virus' may cause) this E-mail hoax advises the user to delete the file SULFNBK.EXE which it states is a virus. For greater impact and added realism, this hoax mentions that the information contained within has been garnered from a competitor's anti-virus site.
Two things should be noted about the file SULFNBK.EXE.
First, it is a standard utility program included with some versions of Windows and normally installed in the 'Command' subdirectory of the Windows installation directory. It has a somewhat odd icon that often leads users to be suspicious of it, and this is not helped by the fact that the EXE file does not have an extended 'properties sheet' if right-clicked in Explorer and its 'Properties' viewed.
Second, because of its location and size and being a PE-style EXE, SULFNBK.EXE is commonly included as an attachment in email messages sent by the Win32.Magistr virus. Thus, if you receive a copy of SULFNBK.EXE as an email attachment, that could well be an infected copy of the file and an indication that the sender is infected with Win32.Magistr.
The text on this page is part of a hoax and is not a legitimate warning or offer. We present it here to help you identify any hoax messages that you receive. Please note that hoaxes often have several variations in circulation, so you may receive a hoax message that is similar, but not identical to the message below. This particular hoax may also appear in Spanish.
"I found a virus in my computer that was sent to me by somebody. The virus will activate itself on the 1st of JUNE and according to the McAfee web site will destroy every single file in the hard drive.
If you have the virus it should be in your computer by now.
The file name is SULFNBK.EXE. You can find it in the Windows explorer and then eliminate the file.
(Do not forget to eliminate it from the Trash as well!)
Please pass this information to everyone you know."
Iman74
01-15-2002, 01:17 PM
OH COME ON
Think about it: erases the BIOS and CMOS? Who are you kidding?
galaxian
01-15-2002, 06:25 PM
What Michael posted is correct.
The Magistr virus can spread using a corrupted version of SULFNBK.EXE.
This is how the hoax originated. They believed that the file, SULFNBK.exe, if found on a PC, was a virus.
But, trust me, if you see the file arrive as an attachment, and you open it without an antivirus running, your PC will be very, very sick!!
MICHAEL:
You want to tell your friend that his PC is infected. As well, he should be telling EVERYONE in his name and address book, since they too will have received an email, with an infected attachment.
IMan74:
Some reading material.
http://www.avp.ch/avpve/worms/email/magistr.stm
http://vil.mcafee.com/dispVirus.asp?virus_k=99040&
Hey Iman74!
There are some viruses around that can and will destroy your motherboard.
I know, because I caught one of the things and it managed to destroy mine!
It was about two years ago. The virus attempts to wipe your hard drive and if it fails, it then attempts to wipe your FLASH BIOS. With mine, it managed it and I had to go out the next day and replace the mobo. :(
Would you like a copy of W32CIH.EXE? Then execute it on the 26th - your BIOS and hard drive are gone - you are in for a new computer... What do you say??
FRED, what was that board of yours which got killed - do you know? Any indications? Remember the BIOS? AWARD or AMI - for both of them it's possible to rewrite the BIOS even if it has been destroyed by SPACEFILLER W32CIH..
Let me know and I'll give you complete instructions - takes a minute to do..
As for MAGISTR there is a small executable on the Symantec website free for download - it can be run on any Windows and will take the beast right at its feet.. if you don't find it let me know.. got it here..
Hi Hpro
I think it was a variation of W32CIH (Can't remember)???
It was a Gigabyte board, but I replaced it immediately. I didn't have the time to mess about :(
I remember now!
It tries to wipe your BIOS and if it fails, it wipes your C drive. I was lucky. I lost the board......I could have lost the drive.
I also remember that I was actually watching the machine when the clock changed and the virus ran....it was amazing! Talk about a blue screen of death! This was the black screen of death!
If you still have the board -
download the BIOS from the GIGA website.. you can see the model on the board - GIGA uses big letters screened on the board between the ISA or PCI slots.. depends on model..
then do the following..
1. Give the board CPU and RAM..
2. Connect a floppy drive - bootable system on it plus the *.bin file and AWARD flash.exe
3. Stick an ISA VGA into the ISA slots..
4. Connect the monitor -
5. Fire up the comp - it will show AWARD BOOTBLOCK VERSION *.**
then it reads the floppy - and ends up at drive A:\
Type AWD*** and enter - this is the name of the AWARDFLASH program..
Let the program load and enter the *.bin file name - when asked for a backup skip it, now it will start programming; when finished remove the floppy and restart.. done..
Fred, if you are talking about W32CIH - you are mistaken on one point - you are lucky that it didn't do both - usually it destroys both of them, first the hard drive - it will write 4 partitions on it - no problem, I have a program and your hard drive will have the data back within 5 minutes - but you still need to kill the virus - there is also a program for this called SFSCAN, run from the DOS prompt, as the virus only infects 32-bit executables.. You will not even need a clean floppy to kill the beast, just run it from the prompt and it will take care of it.. the program was written by McAfee - the only smart thing of theirs..
This is if the VIRUS WAS EXECUTED on the 26th of April at 9.29 AM only; on any other 26th, or at another time on the 26th of April, it will choose either one of them..
Anyone - I'm online on IRC - read the GD for how to get there.. Channel #pc-mech
Michael
01-15-2002, 10:07 PM
I spoke to the person that sent me the virus (a co-worker no less), and she stated that last week every time she tried to click on an icon on her desktop it would move away from the pointer. So, she's had this on her system for quite some time (2 months?). She said someone fixed the icon problem a few days ago (????).
Yes, the Sulfnbk.exe WAS a hoax.......this I assure you is not! All the info I posted was directly from SYMANTEC'S WEB SITE.
It's back to the phone now to call my friend and explain how she might go about deleting the virus. Glug!
Jenni
01-15-2002, 10:20 PM
There are apparently several varieties of the magistr virus. My brother-in-law managed to get the "chase your icons all over the desktop" variety twice. There is another variety that supposedly wipes your HDD. I haven't seen it yet, and now that we made him install NAV, hopefully I never will, lol.