昨天听说w32codecs有毒，看看这个毒会不会起作用啊

[snonow]

昨天听说w32codecs有毒，不过找不到这个贴发哪里了，
今天我查了一下，还真是的！

一个是我以前官方源里安装的，显示有W32／Magistr.a@MM
另一个是从Mplayer的官方下的，也是同一个毒，倒底是怎么回事啊？

不会有什么危害吧？删了会不会不能播什么文件呢？

[oneleaf]

且不说是误报，就算不是，在Linux下运行Windows程序，不借助wine，你试试有多困难，何况还是病毒？哈，基本一点危害的可能性都没有。

[gnix_oag]

那我的 xp 怎么有哪么多同样的毒

也是 W32／Magistr.a@MM

[oneleaf]

推荐windows下使用卡巴斯基杀毒试试。

[czczcz]

昨天听说w32codecs有毒，不过找不到这个贴发哪里了，
今天我查了一下，还真是的！

一个是我以前官方源里安装的，显示有W32／Magistr.a@MM
另一个是从Mplayer的官方下的，也是同一个毒，倒底是怎么回事啊？

不会有什么危害吧？删了会不会不能播什么文件呢？

请问：这个图形界面的杀毒软件是怎么安装的啊？

[eexpress]

看到标题。然后google，就可以找到了。

要是有毒，这边可以把他瓮死的。

[steaven]

LINUX下杀毒软件还没有达到WINDOWS下的发达地步，所以你用的那个东东它是碰到.DLL文件就说有毒,不用理它,

[gnix_oag]

不是病毒，删除后windows 用不了

[lxyscience]

不要大意了，病毒就是病毒.

[iblicf]

W32/Magistr.a@MM

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases

* I-Worm.Magistr (AVP)

* Magistr (F-Secure)

* PE_MAGISTR.A (Trend)

* W32.Magistr.24876@mm (Symantec)

* W32/Disemboweler (Panda)

* W32/Magistr-a (Sophos)

* W32/Magistr.a.dam1

* W32/Magistr.dam

* W32/Magistr.dam2

* W32/Magistr@MM

Characteristics
Characteristics -

W32/Magistr@MM is a combination of a files infector virus and e-mail worm.
- The viral code infects 32 bit PE type files (.exe) in the WINDOWS directory and subdirectories.
- It uses mass mailing techniques to send itself to email addresses stored in several places.
- It installs itself to run at each system startup.

Five minutes after the virus is run, it attempts a mailing routine. Email addresses are gathered from the Windows Address Book, Outlook Express mailboxes, and Netscape mailboxes (addresses found in email messages within existing mailboxes are gathered), and these file locations and addresses are saved to a hidden .DAT file somewhere on the hard disk (varies). The messages sent by the worm contain varying subject headings, body text, and attachments. The body of the message is derived from the contents of other files on the victim's computer. It may send more than one attachment and may include non .EXE or non-viral files along with an infectious .EXE file. The second letter of the e-mail address in the From: field is often changed by the virus. As a result, replying to the message will fail due to the invalid address.

The virus proceeds by infecting 32 bit PE (Portable Executable) type .EXE files found in the WINDOWS SYSTEM directory and subdirectories. The viral code is encrypted, polymorphic, and uses anti-debugging techniques to make it difficult to detect. Email addresses have been seen encrypted in infected files. These addresses are believed to represent other users that have also been infected from the same point of origin.

In the decrypted body of the virus code, the following comments exist:

ARF! ARF! I GOT YOU! v1rus: Judges Disemboweler.
by: The Judges Disemboweler.
written in Malmo (Sweden)
W32/Magistr@MM has a payload routine that, on some systems, may result in cmos/bios info being erased as well as destroying sectors on the hard disk.
Symptoms
Symptoms -

- Icons on the desktop move when the mouse cursor passes over them.
- Increase in size of .EXE files (adds 24Kb or more).
- Infected files use a modified access date of the time of the infection.
- Presence of a newly created .DAT file containing email addresses (representing those users which were sent the virus).
-Entry in WIN.INI RUN=(App).
-Entry in Registry, run key value:
HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\AppName (varies)=C:\WINDOWS\SYSTEM\(App).EXE (varies).

Method of Infection
Method of Infection -

This worm arrives as an .EXE file with varying filenames. Executing this attachment infects your machine which is used to propagate the virus.

When first run, the virus may copy one .EXE file in the WINDOWS or WINDOWS SYSTEM directory using the same name with an altered last character.

For example, CFGWIZ32.EXE becomes CFGWIZ31.EXE, PSTORES.EXE becomes PSTORER.EXE, etc (this naming convention seems to be consistent where the last character of the filename is decreased by a factor of 1) .

This copy is then infected and a WIN.INI entry, or a registry run key value may be created, to execute this infected file upon system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
CFGWIZ31=C:\WINDOWS\SYSTEM\CFGWZ31.EXE

This copied executable infects other PE .EXE files in the SYSTEM directory and subdirectories, when run. It also infects over open network shares.

This virus will create a .DAT file on the local file system which contains strings of the files used to grab email address from (.dbx, .mbx, .wab), and also strings of email addresses which will be used as a target list. The .DAT file will be named after the machine name, but in an offset method. For instance, here is a corresponding list of letter equivalents used:

original letter corresponds to a -> y b -> x c -> w d -> v e -> u f -> t g -> s h -> r i -> q j -> p k -> o l -> n m -> m n -> l o -> k p -> j q -> i r -> h s -> g t -> f u -> e v -> d w -> c x -> b y -> a z -> z

Numbers are not affected. So a machine name of ABC-123 would have a .DAT file on the local system named YXW-123.DAT.

An additional item of note is that this worm often alters the REPLY-TO email address when mailing itself to others. In a similar fashion to the other name changes made by this virus, one letter of the address is incremented or decremented. Thus when attempting to contact the infected user to alert them, the message is often returned do to this address modification.
Removal -
Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations
Variants
Variants -

* W32/Magistr.dam3

[LONGSV]

这个帖怎么发“娱乐游戏”版块来了？

[kid2008]

我才装了，不会真有毒吧？咋办呢？

[skyx]

考古帖

[BigSnake.NET]

掘坟...