
Email-Worm.Win32.Magistr.a (9 years ago)



When you combine something as proliferating as ILOVEYOU with something as destructive as CIH, this is the result.

If you are in a hurry, here are some parts you can skip to:
14:45 Icons running away from the cursor payload
16:00, 27:50 What mail sent by the worm looks like
23:06 Very destructive payload
26:05 What some overwritten files look like and a restart
30:45 "Copyright message" inside the decrypted virus

Turn down your volume at 19:08, 21:45, and 27:14, as the PC beeps can be loud.

Bugs in Magistr

When Magistr imports the functions it needs, it will walk through an astonishing number of functions (3,000,000,000 functions compared to the 700 exported by KERNEL32.DLL). This is because it compares the address of the NumberOfNames entry in the export table (which is that very large number), rather than the value stored there, to the number of functions it has encountered so far. This does not seem to have caused a problem, because Magistr does find the functions it needs.

String comparison functions will return a match even if the last character is different.

The polymorphic generator may generate code that does not return to the host properly.

Changes from the original sample

Instead of comparing 100 contacts to activate payloads, this sample will compare 12.

When the virus encounters a sleep function, it will sleep for 1 second.

The virus will use the HELO SMTP command with HELO [network name], not HELO [SMTP server], because Mercury does not accept it.

Description of Magistr

For a more thorough analysis, please read Peter Ferrie's Magisterium Abraxas: http://vxheaven.org/lib/apf38.html

Magistr becomes resident by running a thread under explorer.exe's process. The worm gets the user's e-mail info as well as contacts stored in .DBX and .WAB files. If that succeeds, then the thread will always run (infinite loop) unless explorer.exe is terminated. After that, the worm will test for an internet connection and then send mail to 4 recipients at a time. It composes the subject and body from random .DOC/.TXT files stored on the user's drive. It will also attach an infected file and, with a 20% chance, will attach the .DOC/.TXT file from which the virus composed the subject/body.

When finished, Magistr will find up to 20 files to infect and adds itself to the RUN key 80% of the time. It will also infect shared network resources with full access.

Finally, the worm tests for payloads. If the worm sends mail to more than 100 recipients, a month has passed, and 3 matches from a list of 55 phrases are found in a file, for 3 files, the virus will delete files, overwrite others with "YOUARESHIT", and flash the BIOS (only under Win9x). If the worm sends mail to more than 100 recipients and two months have passed, then on odd days icons will run away from the cursor. After three months, regardless of the number of recipients the worm sent mail to, the worm will delete files found by its search routines.
