********************************************************************** FIX_MagistrB ver 2.02 10.29.2001 ********************************************************************** ************************************* I. Important Note II. Description III. Requirements IV. How to use ************************************* I Important Note: If during the scanning the Trojan was detected in WIN.COM or NTLDR, DO NOT RESTART WINDOWS. This Trojan portion of the virus will trash your hard drive after you restart. Please make backup copies of your WIN.INI and SYSTEM.INI before running this tool. This tool has been tested under the following platforms: Win 95 Win 98 (OSR2) Win ME Win 2000 (Svr/Pro) Win NT 4.0 (Svr/Cli) ************************************* II Description This tool is designed to clean a system that is infected with PE_MAGISTR.B. This tool has been designed to clean infections of the Trojan program in Windows NT/2000 and Windows 95/98 systems. The tool will clean the system in this order: o Check all files referred to in the following registry key: If the file contains a copy of PE_MAGISTR.B, the value in the registry is deleted. The file detected will not be erased yet. o Check the file referred to by "run" key in the [windows] section of WIN.INI. If the file contains a copy of PE_MAGISTR.B, the value of the key is deleted. Note that since sometimes there is no path specified in the key, the tool will automatically check for the file's existence in the current directory, Windows directory, and in the Systems directory. The file detected will not be erased yet. o Check the file referred to by "shell" key in the [Boot] section of SYSTEM.INI. If the file contains a copy of PE_MAGISTR.B, the value of the key is deleted. Note that since sometimes there is no path specified in the key, the tool will automatically check for the file's existence in the current directory, Windows directory, and in the Systems directory. The detected file will not be deleted yet. o For Win 9x/ME based computers, scan %windir%\WIN.COM. If it contains a copy of the Trojan program, then the user is notified of the presence of the Trojan. The Trojan file will not be deleted and the user will be asked to replace it with a copy from the installation package. o For Win NT/2K based computers, scan C:\NTLDR. If it contains a copy of the Trojan program, then the user is notified of the presence of the Trojan. The Trojan file will not be deleted and the user will be asked to replace it with a copy from the installation package. o Optionally, scan the file system, clean infected files and delete uncleanable infected files. The tool creates a log file named FIX_MagistrB.log located in the same directory where the fix tool is saved. It contains records for all the changes made by the tool to the system. ************************************* III Requirements This tool should be executed in a Windows-based operating system. ************************************* IV How to use Syntax: Fix_MagistrB.COM [options] Options: /Q - Silent or quiet mode. There will be no user intervention. Infected files will not be deleted unless /A is used. /S - Skip subdirectories. Scan current folder only. /A - AutoClean and Autodelete infected files. /* - Scan all files. Default is .EXE and .SCR only. /N - No Scan. Only cleans the registry and INI files. /? - Display this help message. - Path to be scanned. Default path is the current directory. If during the scanning the Trojan was detected in WIN.COM or NTLDR, DO NOT RESTART WINDOWS. This Trojan portion of the virus will trash your hard drive. For 9x/ME users, obtain a clean copy of WIN.COM and overwrite the one that was detected. For NT/2K, restore NTLDR from backup. ************************************* V. History Vwerion 2.02 - Bug fixes For more information regarding this virus, please visit our Web site at: http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName/PE_MAGISTR.B