Calling all IT boys out there ...!

 

I just updated my McAffee virus definition files and wouldn't you know it, it found an infected file. The file in question, SYSOCMGQ.EXE was allegedly infected with the W32/MAGISTR.DAM3 virus and was "untreatable" and was therefore deleted off my system. Now, when I start the PC up a warning screen pops up saying it can't find this file and if I would be so kind as to change the reference to it in the WIN.INI file. In the file the .exe is referenced to in the [WINDOWS] section and reads: RUN=SYSOCMGQ.EXE. Before I delete this line and could someone tell me what this file is actually used for and if I need to replace it with a clean copy?

 

Your wisdom is, as always, greatly appreciated.

 

Cheers guys!

 

Danny

Stolen from the Sophos web site :-

 

W32/Magistr-B is a variant of W32/Magistr-A, a memory resident polymorphic Windows 32 executable file virus which spreads by infecting files, and via email.

 

The virus terminates ZoneAlarm before connecting to the Internet. Then it searches the user's address book, mailboxes and other files present on the computer for email addresses. The virus specifically targets addresses from Outlook Express, Netscape Messenger, Internet Mail and News and Eudora. It then sends itself to these email addresses using its own SMTP client.

 

The email message it sends has a randomly generated subject and body text. These fields are generated from the contents of document and text files found on the user's computer. As a result they may contain confidential information. The virus sends itself as an email attachment, the name of which is either the original name of the infected file or a randomly generated name. It uses one of the following extensions: COM, BAT, PIF and EXE. Sometimes it also attaches additional GIF, DOC or TXT files to the email.

 

W32/Magistr-B infects Windows EXE and SCR files on the local machine and in the local network. It deletes all NTZ files while it is searching for files. The virus makes sure that it is automatically run when the computer is restarted, randomly selecting one of the following three methods:

 

Adding the following entry to the win.ini file:

[WINDOWS]

run=infectedfilename

 

Adding the following entry to the system.ini file:

[boot]

shell=explorer.exe infectedfilename

 

Setting the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\

Run\infectedfile =

 

It also modifies the appropriate INI file on other network computers so that they will run the virus when they are restarted.

 

Depending on the amount of time elapsed since the computer was first infected, and some other internal counters, the following payloads can be activated:

 

Overwriting win.com and ntldr with code that will overwrite the master boot sector of the hard disk with garbage next time the computer is restarted.

Overwriting all files with the string "YOUARESHIT".

Displaying the message

"Another haughty bloodsucker.......

YOU THINK YOU ARE GOD,

BUT YOU ARE ONLY A CHUNK OF SHIT".

Overwriting (under Win9x) the master boot sector of the hard disk with garbage so the computer won't boot again.

Making Desktop icons appear to "run away" from the mouse cursor.

Note: Because the virus can spread itself using the .BAT extension, Sophos technical support recommends users with version 3.48 or earlier add BAT to the list of executable file extensions which Sophos Anti-Virus scans. Instructions on how to do this are contained in the How to add extensions to the executable files list FAQ.

 

 

I know that a virus can be a nightmare but the idea of making desktop icons run away from the mouse is brilliant !

 

I know of a virus that brings up a question box bit like the "Do you wish to reboot now YES NO"

But is says, "Do you have a small dick?" YES NO

 

But when you try to click on the YES the window keeps moving away. The only way to get rid of it is to click NO. Clicking NO causes MS Express send an email to every on in your address book sayinh XXXXX has a small dick. Hehehehe. Cruel

 

Stuart

 

 

------------------

Aztec Red

UK 91

Manual TT

Thanks Andy - very usefull.

 

Danny

Run x86 Solaris or get a Mac...job done!

 

I just read what I just typed. I got it the wrong way round. YOu knew what I meant.

Its this pot man.!!!!

 

Stuart

 

------------------

Aztec Red

UK 91

Manual TT

hehe, the small dick thing is funny, my m8 James Wilson created it, cant beat a good laugh