Aliases: Trojan.MagicCall, Backdoor.MagicCall
Variants: W32/MagicCall.worm, W32/Favsin-A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 03 Sep 2002
Damage: Low

Characteristics: This virus has been observed by various computer security experts to attempt to make a connection to predetermined websites at an interval of approximately three minutes. The address of the remote servers contacted by the W32.MagicCall is hard coded into the virus. This malware will attempt to detect the presence of a floppy disk in the compromised machine and when found an executable file will be dropped into the media.

More details about W32.MagicCall

The transport mechanism used by the W32.MagicCall is the email messaging service or Peer to Peer file sharing networks to infect other vulnerable systems. On initial execution this malware will automatically load to the system memory and simultaneously create an executable file in the same directory folder of the files used by the operating system. After a minute the W32.MagicCall will create a new key value in the Windows Registry to make sure that it is automatically loaded at every boot up or restart process of the host machine. When the virus is active in system memory, its automatic repair feature remains in place. This means that if the Windows Registry key value of the W32.MagicCall is deleted it will be reinstalled by the virus.

After a minute of its initial execution the W32.MagicCall will scan for the presence of a floppy drive and if a writable floppy disk is present. When found it will begin to deliver its payload of creating an executable file in the floppy disk. The W32.MagicCall will begin to attempt contacting remote websites during the first five minutes of its execution. The same process of writing to the floppy disk and contacting remote websites is repeated in a seemingly endless loop during the first hour of execution. Several bytes of the floppy disk boot sector is overwritten by the W32.MagicCall.