SWMAGISB
--------

Version 1.00, December 2001
www.sophos.com

 1. Introduction
 2. Disconnecting from the network
 3. Finding out the computer name
 4. Making the SWMAGISB floppy disk
 5. Preparing to run SWMAGISB
 6. Running SWMAGISB
 7. After running SWMAGISB
 8. Removing the registry and INI file changes
 9. Checking other computers on your network
10. Additional SWMAGISB options
11. For further assistance


1. Introduction
---------------

SWMAGISB is a utility for disinfecting the W32/Magistr-B virus. This virus infects most 32-bit Windows platforms (Windows 95, 98, Me, NT, 2000 and XP). It can spread by copying itself across networks and by sending out infected emails. It ensures that it is run when an infected computer is restarted by adding an entry to the win.ini or system.ini file, or by setting a registry key. It also modifies the appropriate INI file on other network computers so that they will run the virus when they are restarted. It deletes files and may overwrite the master boot sector.

For details see:
http://www.sophos.com/virusinfo/analyses/w32magistrb.html

The tool these notes refer to can be found at
http://www.sophos.com/downloads/magibsfx.exe

Read through these notes before starting to disinfect your computer(s).


2. Disconnecting from the network
---------------------------------

Sophos recommends that you disconnect infected computers from the network before proceeding. This simple measure will prevent the virus from spreading any further while you are getting ready to clean your computer.


3. Finding out the computer name
--------------------------------

W32/Magistr-B encrypts some infected files using the name of the infected computer as a key. You should find out the name of your computer before starting disinfection.

a) Windows 95, Windows 98, Windows Me and Windows NT

On the Windows desktop right-click the Network Neighbourhood icon (My Network Places in Windows Me) then click Properties in the drop-down menu.
In the Network dialog, select the Identification tab then make a note of the computer name, if it exists.

b) Windows 2000 and Windows XP

On the Windows desktop right-click the My Computer icon then click Properties in the drop-down menu. In the System Properties dialog, select the Network Identification tab then make a note of the computer name, if it exists.


4. Making the SWMAGISB floppy disk
----------------------------------

On an uninfected computer, get MAGIBSFX.EXE from the \tools\utils directory on the Sophos CD or download it from http://www.sophos.com/tools/magibsfx.exe and copy it to floppy disk. Write-protect the floppy disk.

The self-extracting archive magibsfx.exe contains SWMAGISB and these instructions.


5. Preparing to run SWMAGISB
----------------------------

Before running SWMAGISB, ensure that the virus is not active on your computer by following the instructions below. Choose the appropriate steps for your operating system. If you have not already done so, you should disconnect any infected computers from the network.

a) On Windows 95/98 and FAT-based systems

Restart the computer in MS-DOS mode. This virus is a 32-bit program and cannot survive in 16-bit DOS mode. Note that starting a Command Prompt (a DOS window) is not enough.

Go to the Start menu and select Shut Down. Choose the option "Restart the computer in DOS mode". This disables the virus and provides a safe environment for disinfection.

If you have a number of affected Windows 95/98 computers, restart them all in MS-DOS mode immediately.

b) On Windows Me

This version of Windows does not allow you to exit directly into MS-DOS mode. You must create a startup disk to boot from.

At the Windows taskbar, select Start|Settings|Control Panel. Click on 'Add/Remove Programs'. Select the 'Startup Disk' tab and click the 'Create Disk' button.

When you have created the startup disk, write-protect it. Place it in the A: drive and reboot to a command prompt.
This disables the virus and provides a safe environment for disinfection.

If you have a number of affected Windows Me computers, restart them all in MS-DOS mode immediately.

c) On Windows NT, Windows 2000 and Windows XP

Log off the current user and log on as local administrator.

W32/Magistr-B will not work if EXPLORER.EXE is not running, so the virus can be deactivated by shutting down the Explorer process. You must also disable InterCheck before running SWMAGISB as otherwise it will stop SWMAGISB from opening and cleaning infected files.

Switch off InterCheck first. At the Windows taskbar, select Start|Programs|Sophos Anti-Virus|Sophos Anti-Virus. Click on the 'InterCheck Client' tab and press the 'STOP' button.

Open a command prompt. At the Windows taskbar, select Start|Run. In the dialog box that appears, type "CMD.EXE" (without the quotes). Press Enter. A command prompt window appears.

Press the Ctrl, Alt and Del keys at the same time. Click the 'Task Manager' button and select the 'Processes' tab. Highlight the entry for 'Explorer.exe' and click 'End Process'. The entire Windows desktop (including the Taskbar) should disappear.

You can now run SWMAGISB from the command prompt you just opened.


6. Running SWMAGISB
-------------------

Insert the MAGIBSFX.EXE floppy disk. At the command prompt (see 5a, 5b or 5c), type

  C:
  CD \
  MD SOPHTEMP
  CD SOPHTEMP
  A:MAGIBSFX

This will unpack the SWMAGISB program files into the directory C:\SOPHTEMP.

a) Computers without a name

If your computer did not have a name (see section 3), to clean files on the C: drive type the following:

  SWMAGISB -LF=LOGC.TXT C:

LOGC.TXT is the name of the C: drive log. The log will be used when you reverse the registry or INI file changes.

b) Computers with a name

If your computer had a name (see section 3), to clean files on the C: drive type the following:

  SWMAGISB -M=<name> -LF=LOGC.TXT C:

where <name> is the name of your computer and LOGC.TXT is the name of the C: drive log, e.g.
  SWMAGISB -M=MYPC -LF=LOGC.TXT C:

The log will be used when you reverse the registry or INI file changes.

Note: supplying an incorrect name will cause the file to be incorrectly disinfected, leaving it in a safe but unusable state.

If you have more than one hard drive, clean it after you have cleaned the C: drive. See below.

You will see the following

  SWMAGISB -- PE file virus cleaner
  Copyright (c) 2001 Sophos Plc, www.sophos.com
  Version 1.11
  Press Esc to quit
  Counting directories ...

Cleanup will start. When infected files are found, you will be asked if you want to disinfect

  >>> Virus 'W32/Magistr-B' found in file C:\SOME\FILE.EXE
  Proceed with disinfection (Y/N) ?

Note down the name of the file (if you are not making a log). Press 'Y' to try to clean the file. You should see

  Disinfection successful

Note that a virus which infects a file is committing an unauthorised, illegal act and may damage the file. Such damage cannot be reversed automatically without a copy of the original file. SWMAGISB cannot guarantee to disinfect all files. In such cases, you will see

  Disinfection unsuccessful

IMPORTANT: ensure that you delete all files where disinfection was unsuccessful. These files can be restored from backup or original media.

Now clean any other hard drives, e.g.:

  SWMAGISB -M=<name> -LF=LOGD.TXT D:


7. After running SWMAGISB
-------------------------

a) Checking removal

At the end of the run, SWMAGISB will produce a summary like this

  X of Y files were infected.
  Z files have been successfully disinfected.
  Run SWMAGISB again to recheck the disk.
  Press any key to continue...

Note that if Z (the number of files cleaned) is less than X (the number of infected files found) then infected files remain on the disk. As mentioned above, these should be deleted. If infected files are found in System Restore they should be removed by purging System Restore (see below).

When SWMAGISB has finished, and you have deleted all files which could not be disinfected, you can restart Windows.
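As an added example (not part of the Sophos notes or the SWMAGISB tool), a small Python script that pulls out of a saved SWMAGISB log the files whose disinfection failed, i.e. the ones that must be deleted and restored from clean media, and applies the "Z less than X" rule from the summary. It assumes the -LF= log carries the same "found in file", "Disinfection ..." and summary lines shown above; the sample log text and its file names are constructed.

```python
import re

# Constructed sample of SWMAGISB output. The saved log (-LF=) is assumed to
# carry the same lines the notes show on screen; that layout is an assumption.
SAMPLE_LOG = """\
SWMAGISB -- PE file virus cleaner
>>> Virus 'W32/Magistr-B' found in file C:\\SOME\\FILE.EXE
Disinfection successful
>>> Virus 'W32/Magistr-B' found in file C:\\OTHER\\TOOL.EXE
Disinfection unsuccessful
>>> Virus 'W32/Magistr-B' found in file C:\\_RESTORE\\TEMP\\A0001.CPY
Disinfection unsuccessful
3 of 1200 files were infected.
1 files have been successfully disinfected.
"""

FOUND_RE = re.compile(r"^>>> Virus '([^']+)' found in file (.+?)\s*$")
SUMMARY_RE = re.compile(r"^(\d+) of (\d+) files were infected\.")
CLEANED_RE = re.compile(r"^(\d+) files have been successfully disinfected\.")


def parse_log(text):
    """Return (failed, x, z): paths reported 'Disinfection unsuccessful', plus the
    X infected and Z cleaned counts from the summary (None if no summary)."""
    pending, failed, x, z = None, [], None, None
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            pending = m.group(2)   # remember the file until its verdict line arrives
            continue
        if line.startswith("Disinfection unsuccessful") and pending:
            failed.append(pending)
            pending = None
        elif line.startswith("Disinfection successful"):
            pending = None
        m = SUMMARY_RE.match(line)
        if m:
            x = int(m.group(1))
        m = CLEANED_RE.match(line)
        if m:
            z = int(m.group(1))
    return failed, x, z


def infected_remain(x, z):
    """The notes' rule: if Z is less than X, infected files remain on the disk."""
    return x is not None and z is not None and z < x
```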
b) Restarting Windows

On Windows 95/98/Me simply reboot and Windows will restart.

On Windows NT, Windows 2000 and Windows XP you may not want to reboot (for example, if the computer is a server). Instead you can just type the command EXPLORER in the command window. This will restart the Windows desktop and taskbar.

Restart InterCheck in order to restore active protection. At the Windows taskbar, select Start|Programs|Sophos Anti-Virus|Sophos Anti-Virus. Click on the 'InterCheck Client' tab and press the 'GO' button.

c) Purging System Restore

Users of Windows Me or Windows XP should purge the contents of System Restore to remove any backed-up copies of infected files. To do this:

Right-click the 'My Computer' icon on the desktop, select 'Properties' and then choose 'Performance'. Click 'File System' and then click the 'Troubleshooting' tab. Click to select the 'Disable System Restore' check box and click 'Apply'. Then click to clear the 'Disable System Restore' check box and click 'OK'. Restart the computer.

The contents of your System Restore folder will be erased (you will not lose any of your ordinary data).

Scan your computer with Sophos Anti-Virus to ensure that the virus has gone.


8. Removing the registry and INI file changes
---------------------------------------------

W32/Magistr-B ensures that it is run when an infected computer is restarted by adding an entry to the win.ini or system.ini file, or by setting a registry key. The file it uses will be one of the infected files listed in LOGC.TXT in the SOPHTEMP folder (or in the list you made by hand).

Double-click on LOGC.TXT to open it in Notepad or Wordpad and search for the word 'virus' to find the names of the infected files. You can leave it open for searching while you edit the registry and INI files.

a) Removing the registry entry

The virus may create a registry key to make it automatically run when Windows is restarted.
Provided the file it refers to has been disinfected, it is safe to start Windows again with this entry still present. To remove this entry:

At the Windows taskbar, select Start|Run. Type in "Regedit" and press Return. The registry editor will open.

Before you edit the registry, it is recommended you make a backup. To do this, in the Registry menu, click on Export Registry File, in Export Range select All, then save your registry as Backup.

Locate the key:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\infectedfile

where infectedfile is one of the infected files. Delete this reference.

You should now close Registry Editor and restart your computer.

b) Editing win.ini and system.ini

The virus can also put entries into the 'win.ini' and 'system.ini' files to run itself when the computer restarts. These need to be removed manually.

Both win.ini and system.ini are in the Windows folder. Edit them with Notepad. In both cases, just remove the 'infectedfile.exe' part, where that is the name of an infected executable file on your system.

In win.ini:

  [windows]
  ...
  run=infectedfile.exe

In system.ini:

  [boot]
  ...
  shell=explorer.exe infectedfile.exe

Restart your computer.

N.B. If win.ini and system.ini are not visible go to Start|Settings|Control Panel|Folder Options and select the View tab. Deselect 'Hide file extensions for known file types' and select 'Show hidden files and folders'.


9. Checking other computers on your network
-------------------------------------------

You should check any other computers on your network for infections and for the above changes to their win.ini and system.ini files.


10. Additional SWMAGISB options
-------------------------------

SWMAGISB can be run without the -M= option; however, encrypted files will be left untreated. In these cases W32/Magistr-B uses the name of the computer on which the file was infected as part of its infection process.
If SWMAGISB is asked to disinfect such a file when the -M= option is not used it will display the message

  This file is machine name encrypted, and cannot be disinfected unless you start the disinfector again: use the -M= option to specify this PC's machine name.
  File could not be disinfected or is already clean.

To supply the computer name to SWMAGISB use the -M= command line option.

  SWMAGISB -M=NAMEHERE C:

Note: supplying an incorrect name will cause the file to be incorrectly disinfected, leaving it in a safe but unusable state.

If you do not want SWMAGISB to request confirmation before attempting to disinfect each file, add the -NOC (for 'no confirmation') option when you run the program

  SWMAGISB -NOC C:

If you want to produce a report recording the actions taken by SWMAGISB, add -LF=filename to write a log file

  SWMAGISB -LF=LOGC.TXT C:

If you want more detailed information in the disinfection log add the -V (verbose) qualifier when executing the program

  SWMAGISB -LF=LOGC.TXT -V C:

If you do not want more detailed information in the disinfection log add the -NV (not verbose) qualifier when executing the program. (This is the default option.)

If you want a temporary backup of the infected files while they are being disinfected add the -T (temporary) qualifier when executing the program

  SWMAGISB -T C:

If you do not want a temporary backup of the infected files while they are being disinfected add the -NT (no temporary) qualifier when executing the program. (This is the default option.)

Note: the log files may become very large, particularly on servers containing thousands of files.


11. For further assistance
--------------------------

If any infected computers will not reboot, contact Sophos technical support.

For further assistance, please contact Sophos technical support (support@sophos.com).

7 April 2003
----------------
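An added example, not from Sophos: a Python check for the win.ini and system.ini startup entries described in section 8b, usable against copies of the INI files collected from the other computers mentioned in section 9. The INI contents below and the file name MAGI.EXE are constructed stand-ins; any run= value it reports should be compared against the infected file names in LOGC.TXT, since legitimate software also uses that line.

```python
# Constructed win.ini and system.ini contents carrying the startup entries that
# section 8b describes; MAGI.EXE is a made-up name standing in for an infected file.
WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\MAGI.EXE
[Desktop]
Wallpaper=(None)
"""
SYSTEM_INI = """\
[boot]
shell=explorer.exe MAGI.EXE
drivers=mmsystem.dll
"""


def ini_value(text, section, key):
    """Return the value of key inside [section], or None; names are case-insensitive
    and the first match wins, as Windows does for these profile files."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            continue
        if current == section.lower() and "=" in line:
            k, v = line.split("=", 1)
            if k.strip().lower() == key.lower():
                return v.strip()
    return None


def suspicious_entries(win_ini, system_ini):
    """List (file, key, value) for the two entries W32/Magistr-B is described as
    adding: a non-empty run= under [windows] in win.ini, and any extra program
    named after explorer.exe on the shell= line under [boot] in system.ini."""
    findings = []
    run = ini_value(win_ini, "windows", "run")
    if run:
        findings.append(("win.ini", "run", run))
    shell = ini_value(system_ini, "boot", "shell")
    parts = shell.split() if shell else []
    if len(parts) > 1 and parts[0].lower() == "explorer.exe":
        findings.append(("system.ini", "shell", " ".join(parts[1:])))
    return findings
```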