W32.Magistr Removal Tool

SUMMARY

Symantec offers a tool, Fixmagi.com, to remove infections of all the known variants of W32.Magistr@mm.

What the tool does
The W32.Magistr Removal Tool does the following:

• Terminates all the processes associated with W32.Magistr.24876@mm or W32.Magistr.39921@mm. Or both, if they are running.
• Deletes the W32.Magistr.24876@mm or W32.Magistr.Magistr@mm services. Or both, if they are running.
• Removes the registry entries that W32.Magistr.24876@mm or W32.Magistr.39921@mm created, or both.
• Detects the W32.Magistr.24876@mm or W32.Magistr.39921@mm infections, or both, and repairs the files that can be repaired.
• Backs up any files that cannot be repaired.
• Displays the actions that took place and stores the description in a log file.

NOTE: The W32.Magistr repair removes the viral code from the file. It does not ensure that a file infected with W32.Magistr.24876@mm or W32.Magistr.39921@mm will run after the viral code is removed, because the viruses often corrupt the files.

Command-line switches that are available for this tool

Switch	Description
path	Used to specify the path to scan. This can include mapped drives. All the subfolders below the specified path are scanned.
/a	Scan all the drives except the floppy disk drives.
/log=[LOG PATH]	Used to specify the location and the name of the log file. The default log file is C:Magi.log.
/backup=[BACK DIR]	Used to specify where to move the unrepairable files. The default backup folder is C:Backup.

How to obtain and run the tool

NOTE: You must have administrative rights to run this tool on Windows NT 4.0, Windows 2000, or Windows XP.

1. Download Fixmagi.com from:
   
   http://securityresponse.symantec.com/avcenter/Fixmagi.com
   
   
2. Save the file to one of these locations, depending on your operating system:
   • Windows 95/98/Me: Save the file to the Windows desktop.
   • Windows 2000/XP: Save the file to the root of drive C.
     
     
3. To check the authenticity of the digital signature, refer to the next section, "The digital signature."
4. If you are running Windows Me or XP, then disable System Restore. Refer to the "System Restore option in Windows Me/XP" section later in this writeup for further details.
   
   Caution: If you are running Windows Me/XP, we strongly recommend that you do not skip this step.
   
   
5. Restart the computer in Safe mode. (All the 32-bit versions of Windows except Windows NT can be restarted in Safe mode.) For instructions, read the document, "How to start the computer in Safe Mode."
6. After you restart the computer in Safe mode, follow these steps to run the fix tool:
   1. Click Start, and then click Run. (The Run dialog box appears.)
   2. Type the following command, and then click OK:
      
      command
      
      If you see the warning message "If you run an MS-DOS program in safe mode, you risk corrupting the video display . . . ," click Yes.
      
      
   3. To run the tool, do one of the following, depending on the version of Windows that is running on the infected computer:
      • Windows 95/98/Me:
        Type the following, and then press Enter:
        
        fixmagi.com C:
        
        
      • Windows 2000/XP:
        Type the following commands (Press Enter after typing each line):
        
        cd
        fixmagi.com C:
        
        
   4. Read the warning message. Then press the letter Y when you see the prompt "Do you accept this condition?"
      
      The computer will be scanned for any trace of the Magistr infection. When the scan is complete, the fix tool creates a log file that states what was found. The log file is named C:Magi.log by default. Double-click it to view the contents.
      
      
7. The virus should now be disabled. Restart the computer in Normal mode.
8. After the computer is running in Normal mode, start Norton AntiVirus and run LiveUpdate until you have obtained the most recent virus definitions and any available program updates.
9. Run a full system scan.

The digital signature
Fixmagi.com is digitally signed. Symantec recommends that you use only copies of Fixmagi.com that you downloaded directly from the Symantec Security Response download site. To verify the authenticity of the digital signature, follow these steps:

1. Go to http://www.wmsoftware.com/free.htm.
2. Download and save the Chktrust.exe file into the same folder in which you saved Fixmagi.com (for example, C:WindowsDesktop).
3. Depending on your version of Windows, do one of the following:
   • Click Start, point to Programs, and then click MS-DOS Prompt.
   • Click Start, point to Programs, click Accessories, and then click Command Prompt.
   • Change to the folder that contains Fixmagi.com and Chktrust.exe, and then run the following command:
     
     chktrust -i fixmagi.com
     
     For example, if the file exists in the C:WindowsDesktop folder, run the following commands:
     
     cd windowsdesktop
     chktrust -i fixmagi.com
     
     Press Enter after you type each command. If the digital signature is valid, you will see the following message:
     
     Do you want to install and run "W32.Magistr Fix Tool" signed on 2/27/2002 5:29 PM and distributed by Symantec Corporation.
     
     NOTES:
     • The date and time that appear in this dialog box will be adjusted to your time zone if your computer is not set to the Pacific time zone.
     • If you observe Daylight Saving Time, the time that appears in the message will be exactly one hour earlier.
     • If this dialog box does not appear, there are two possible reasons:
       • The tool is not from Symantec. Unless you are sure that the tool is legitimate and that you downloaded it from the legitimate Symantec Web site, you should not run it.
       • The tool is from Symantec, and is legitimate. However, your operating system was previously instructed to always trust content from Symantec. For information on this and on how to view the confirmation dialog again, read the document, "How to restore the Publisher Authenticity confirmation dialog box."
         
         
4. Click Yes to close the dialog box.
5. Type exit,,and then press Enter to close the MS-DOS session.

System Restore option in Windows Me/XP
Users of Windows Me and Windows XP should temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file onto your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.


For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

• "How to disable or enable Windows Me System Restore"
• "How to turn off or turn on Windows XP System Restore"

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.