Name: W32/Mabezat
Discovered on: 29/01/2008
Type: File Infector
ITW: Yes
Number of reported infections: Medium
Spreading potential: Medium to high
Damage potential: High
Static file: No
Scan engine version: 7.06.00.59

 General  Spreading methods:
   • AutoRun function
   • Email
   • Infects files
   • Local network

Aliases:
   •  Symantec: W32.Mabezat.B!inf
   •  McAfee: W32/Mabezat.a
   •  Kaspersky: Worm.Win32.Mabezat.b
   •  Sophos: W32/Mabezat-B
   •  VirusBuster: Worm.Mabezat.C
   •  Eset: Win32/Mabezat.A
   •  Bitdefender: Win32.Worm.Mabezat.Gen

The file works together with the following components:
   •  WORM/Mabezat.b


Operating system:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Creates files
   • Drops malware files
   • Infects files
   • Registry modifications

 Special detection  W32/Mabezat

Description:
A generic detection routine that recognises the characteristics shared by the variants of one family.

This special routine was created to detect unknown versions and is improved continuously.


Version history:
The following scan engine versions were created to refine the detection:

   •  7.06.00.59   ( 30/01/2008 )
   •  7.09.00.129   ( 26/03/2009 )
   •  7.09.01.00   ( 11/08/2009 )

 Files  Copies itself to the following location:
   • %drive%\zPharaoh.exe


Encryption:
Creates new files that contain encrypted copies of the files it finds.

Targets the following file types:
   • .hlp; .pdf; .html; .txt; .aspx.cs; .aspx; .psd; .mdf; .rtf; .htm;
      .ppt; .php; .asp; .pas; .h; .cpp; .xls; .doc; .rar; .zip; .mdb

The original file is then deleted.



Deletes the following files:
   • %home%\Local Settings\Application Data\Microsoft\CD Burning\*.*



The following files are created:

– %drive%\autorun.inf This is a plain text file, not executable code in itself, but its directives make Windows start the dropped worm copy whenever the drive is opened or explored with AutoRun enabled. It has the following content:
   • [AutoRun]
     ShellExecute=zPharaoh.exe
     shell\open\command=zPharaoh.exe
     shell\explore\command=zPharaoh.exe
     open=zPharaoh.exe


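The autorun.inf above is what turns an inserted or mapped drive into an infection vector. The following script is an added example, not code from the original description: it parses an autorun.inf and lists every program the file would launch, covering both the direct `open`/`ShellExecute` directives and the `shell\<verb>\command` forms used here. Both samples in it are constructed; the first reproduces the content listed above, the second is a benign icon-and-label-only file for contrast.

```python
"""Extract every program an autorun.inf would launch.

Added example, not code from the original description. The first sample is
constructed to match the autorun.inf described above; the second is a
constructed benign file that only sets an icon and a label.
"""
import re

MABEZAT_AUTORUN_INF = """[AutoRun]
ShellExecute=zPharaoh.exe
shell\\open\\command=zPharaoh.exe
shell\\explore\\command=zPharaoh.exe
open=zPharaoh.exe
"""

BENIGN_AUTORUN_INF = """[AutoRun]
icon=setup.exe,0
label=Vendor Disc
"""

# Directives that run a program: 'open' and 'shellexecute' directly,
# 'shell\<verb>\command' through the right-click menu (Open, Explore, ...).
LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text):
    """Return {directive: command line} for every launching directive in [autorun].

    Parsed by hand rather than with configparser so that junk before the
    section header, odd casing and duplicate keys do not abort the parse.
    """
    launches = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS or VERB_COMMAND_RE.match(key):
            launches[key] = value.strip()
    return launches


def _program(cmdline):
    """First token of a command line, honouring a quoted path."""
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline.split() else ""


def launch_targets(text):
    """Set of programs the file would start; empty for icon/label-only files."""
    return {_program(v) for v in parse_autorun(text).values() if v.strip()}


if __name__ == "__main__":
    for label, sample in (("mabezat", MABEZAT_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        print(label, sorted(launch_targets(sample)))
```

Any non-empty result from `launch_targets` on a removable or network drive deserves a look: legitimate optical media use `open=` for installers, but a USB stick or share whose root carries an autorun.inf pointing at an executable in the same root is the pattern described on this page.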
– %home%\Application Data\tazebama\zPharaoh.dat This is a harmless text file with the following content:
   • tazebama trojan log file

– %SystemDrive%\Documents and Settings\tazebama.dl_ The file is executed after it has been created. Further analysis revealed that this file is also malware. Detected as: WORM/Mabezat.b

– %SystemDrive%\Documents and Settings\hook.dl_ Further analysis revealed that this file is also malware. Detected as: WORM/Mabezat.b

– %SystemDrive%\Start Menu\Programs\Startup\zPharoh.exe Further analysis revealed that this file is also malware. Detected as: WORM/Mabezat.b

– %SystemDrive%\Documents and Settings\tazebama.dll Further analysis revealed that this file is also malware. Detected as: TR/Spy.Agent.alv

 System registry  The following registry entry is deleted, including all values and subkeys beneath it:
   • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun

This is the per-user policy that restricts AutoRun by drive type. Removing it means that, unless a machine-wide policy still restricts AutoRun, the autorun.inf dropped in the drive root is honoured and zPharaoh.exe is launched.



The following registry key is modified:

Various Explorer settings:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
   New values:
   • "Hidden"=dword:00000002
   • "HideFileExt"=dword:00000001
   • "ShowSuperHidden"=dword:00000000

These values turn off the display of hidden files, of extensions for known file types and of protected operating system files. With HideFileExt set, a dropped copy named "Readme.doc.exe" (see the P2P file names below) is shown in Explorer as "Readme.doc".

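An analyst confirming these registry changes would normally compare a registry export taken before infection with one taken after, rather than look values up one by one. The following script is an added example, not code from the original description: it parses two regedit 5.00 exports and reports every removed, added or changed key and value, so it recovers the deletion of NoDriveTypeAutoRun and the three Explorer changes above and would also show anything this page does not list. Both exports are constructed; the baseline's NoDriveTypeAutoRun=0xFF and "show everything" Explorer settings are assumptions, the AFTER export mirrors the values given above.

```python
"""Diff two .reg exports to surface the AutoRun and Explorer changes above.

Added example, not code from the original description. BEFORE is a
constructed analyst baseline (AutoRun disabled for all drive types via 0xFF,
Explorer showing hidden files, extensions and system files); AFTER is the
constructed state this page describes.
"""

POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

BEFORE = f"""Windows Registry Editor Version 5.00

[{POLICIES}]
"NoDriveTypeAutoRun"=dword:000000ff

[{ADVANCED}]
"Hidden"=dword:00000001
"HideFileExt"=dword:00000000
"ShowSuperHidden"=dword:00000001
"""

AFTER = f"""Windows Registry Editor Version 5.00

[{POLICIES}]

[{ADVANCED}]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000
"""


def _decode_value(raw):
    """Decode the common .reg value encodings; anything else is kept verbatim."""
    if raw == "-":
        return None                       # .reg marker for "delete this value"
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw                            # hex:, hex(2): ... left as text


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a regedit 5.00 export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip()
        name = name[1:-1] if name.startswith('"') else name   # '@' is the default value
        keys[current][name] = _decode_value(value.strip())
    return keys


def diff_exports(before, after):
    """List (change, key, name, old, new) tuples for everything that differs."""
    findings = []
    for key, old_values in before.items():
        new_values = after.get(key)
        if new_values is None:
            findings.append(("key removed", key, None, None, None))
            continue
        for name, old in old_values.items():
            if name not in new_values:
                findings.append(("value removed", key, name, old, None))
            elif new_values[name] != old:
                findings.append(("value changed", key, name, old, new_values[name]))
        for name, new in new_values.items():
            if name not in old_values:
                findings.append(("value added", key, name, None, new))
    for key in after:
        if key not in before:
            findings.append(("key added", key, None, None, None))
    return findings


def mabezat_changes():
    """Diff of the two constructed exports."""
    return diff_exports(parse_reg_export(BEFORE), parse_reg_export(AFTER))


if __name__ == "__main__":
    for change, key, name, old, new in mabezat_changes():
        print(f"{change:14} {key}\\{name or ''}  {old!r} -> {new!r}")
```

With real exports (`reg export HKCU\Software\Microsoft\Windows\CurrentVersion before.reg`, repeated after the incident) the same diff separates the worm's changes from the rest of the hive; note that Hidden=2 and HideFileExt=1 are also the defaults of a fresh Windows installation, so on their own they only mean something against a baseline known to differ.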
 File infection  Infector type:

Embedded - The virus inserts its malicious code in one or more places inside the infected file.


Method:

The virus actively searches for files to infect and then terminates its execution.


The following files are infected:

By file type:
   • *.exe

Files in any of the following directories:
   • %PROGRAM FILES%\
   • %WINDIR%\

 Email  Uses Microsoft Outlook to send e-mails. These are its characteristics:


To:
– E-mail addresses found on the system.


E-mail format:
 


Subject: ABOUT PEOPLE WITH WHOM MATRIMONY IS PROHIBITED
Message body:
   • 1 : If a man commits adultery with a woman, then it is not permissible for him to marry her mother or her daughters.
     
     2 : If a woman out of sexual passion and with evil intent commits sexual intercourse with a man, then it is not permissible for the mother or daughters of that woman to merry that man. In the same way, the man who committed sexual intercourse with a woman, because prohibited for her mother and daughters.
     
     Download the attached article to read.
Attachment:
   • PROHIBITED_MATRIMONY.rar
 


Subject: Windows secrets
Message body:
   • The attached article is on "how to make a folder password". If your are interested in this article download it, if you are not delete it.
Attachment:
   • FolderPW_CH(1).rar
 


Subject: Canada immigration
Message body:
   • The debate is no longer about whether Canada should remain open to immigration. That debate became moot when Canadians realized that low birth rates and an aging population would eventually lead to a shrinking populace. Baby bonuses and other such incentives couldn't convince Canadians to have more kids, and demographic experts have forecasted that a Canada without immigration would pretty much disintegrate as a nation by 2050.
     Download the attached file to know about the required forms.
     The sender of this email got this article from our side and forwarded it to you.
Attachment:
   • IMM_Forms_E01.rar
 


Subject: Viruses history
Message body:
   • Nowadays, the viruses have become one of the most dangerous systems to attack the computers. There are a lot of kinds of viruses. The common and popular kind is called "Trojan.Backdoor" which runs as a backdoor of the victim machine. This enables the virus to have a full remote administration of the victim machine. To read the full story about the viruses history since 1970 download the attached and decompress It by WinRAR.
     
     The sender has red the story and forwarded it to you.
Attachment:
   • virushistory.rar
 


Subject: Web designer vacancy
Message body:
   • Fortunately, we have recently received your CV/Resume from moister web site
     and we found it matching the job requirements we offer.
     If your are interested in this job Please send us an updated CV showing the required items with the attached file that we sent.
     
     Thanks & Regards,
     Ajy Bokra
     Computer department.
     AjyBokra@webconsulting.com
Attachment:
   • JobDetails.rar
 


Subject: MBA new vision
Message body:
   • MBA (Master of business administration ) one of the most required degree around the world. We offer a lot of books helping you to gain this degree. We attached one of our .doc word formatted books on "Marketing basics" to download.
     
     
     Our web site http://www.tazeunv.edu.cr/mba/info.htm
     
     Contacts:
     Human resource
     Ajy klaf
     AjyKolav@tazeunv.com
     
     The sender has added your name to be informed with our services.
Attachment:
   • Marketing.rar
 


Subject: problem
Message body:
   • When I had opened your last email I received some errors have been saved in the attached file.
      Please inform me with those errors as soon as possible.
Attachment:
   • outlooklog.rar
 


Subject: I forwarded the attached file again to evaluate your self.
Message body:
   • Unfortunately, I received unformatted email with an attached file from you. I couldn't understand what is behind the words.
     I wish you next time send me a readable file!.
Attachment:
   • notes.rar


Attachment:

The attachment is an archive that contains a copy of the malware itself.

 P2P  To infect other systems on Peer-to-Peer networks, it performs the following operations:


Searches for the following directory:
   • %all directories%

   If successful, the following files are created:
   • Adjust Time.exe; AmericanOnLine.exe; Antenna2Net.exe;
      BrowseAllUsers.exe; CD Burner.exe; Crack_GoogleEarthPro.exe; Disk
      Defragmenter.exe; FaxSend.exe; FloppyDiskPartion.exe;
      GoogleToolbarNotifier.exe; HP_LaserJetAllInOneConfig.exe; IDE Conector
      P2P.exe; InstallMSN11Ar.exe; InstallMSN11En.exe; JetAudio dump.exe;
      KasperSky6.0 Key.doc.exe; Lock Folder.exe; LockWindowsPartition.exe;
      Make Windows Original.exe; MakeUrOwnFamilyTree.exe; Microsoft MSN.exe;
      Microsoft Windows Network.exe; msjavx86.exe; My documents .exe;
      NokiaN73Tools.exe; Office2003 CD-Key.doc.exe; Office2007
      Serial.txt.exe; PanasonicDVD_DigitalCam.exe; RadioTV.exe; Readme.doc
      .exe; readthis.doc.exe; Recycle Bin.exe; RecycleBinProtect.exe;
      ShowDesktop.exe; Sony Erikson DigitalCam.exe; Win98compatibleXP.exe;
      Windows Keys Secrets.exe; WindowsXp StartMenu Settings.exe;
      WinrRarSerialInstall.exe; %current directory name% .exe

   These files are copies of the malware.
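The names in the list above rely on three disguises: a document extension in front of the real one ("Readme.doc .exe", "Office2007 Serial.txt.exe"), a space before the executable extension ("My documents .exe") and an executable named after the folder it is dropped into ("%current directory name% .exe"). The following scanner is an added example, not code from the original description; it walks a directory tree and flags file names that use any of these tricks. The folder it scans is constructed for the run, and the extra entries in EXEC_EXT and DOC_EXT beyond .exe, .doc and .txt are assumptions.

```python
"""Flag file names that use the Mabezat-style disguises listed above.

Added example, not code from the original description. It checks three
tricks visible in the list: a document extension in front of the real
executable extension ("Readme.doc.exe"), whitespace padding before the
extension ("My documents .exe") and an executable named after the folder
it sits in or next to ("%current directory name% .exe"). The directory
tree built in demo() is constructed for the run.
"""
import os
import tempfile

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Extensions a user reads as "document"; .doc and .txt appear on this page,
# the rest are assumed additions.
DOC_EXT = {".doc", ".txt", ".pdf", ".xls", ".ppt", ".rtf", ".htm", ".html", ".jpg"}


def classify(name, folder_names):
    """Return the reasons why `name` looks like a lure (empty list if it does not).

    folder_names: names of the directory containing the file and of its sibling
    directories, used to catch executables that impersonate a folder.
    """
    reasons = []
    root, ext = os.path.splitext(name)
    if ext.lower() not in EXEC_EXT:
        return reasons
    stem = root.rstrip()                  # "Readme.doc " -> "Readme.doc"
    if stem != root:
        reasons.append("whitespace before executable extension")
    _, inner_ext = os.path.splitext(stem)
    if inner_ext.lower() in DOC_EXT:
        reasons.append(f"double extension {inner_ext}{ext}")
    if stem in folder_names:
        reasons.append(f"mimics folder '{stem}'")
    return reasons


def scan_tree(root):
    """Walk `root` and return (directory, file name, reasons) for each flagged file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        folder_names = set(dirnames) | {os.path.basename(dirpath)}
        for fn in sorted(filenames):
            reasons = classify(fn, folder_names)
            if reasons:
                findings.append((os.path.relpath(dirpath, root), fn, reasons))
    return findings


def demo():
    """Build a constructed share folder with a few of the names above and scan it."""
    with tempfile.TemporaryDirectory() as root:
        share = os.path.join(root, "Music")
        os.makedirs(share)
        for name in ("Music .exe", "Readme.doc .exe", "Office2007 Serial.txt.exe",
                     "Lock Folder.exe", "song.mp3"):
            with open(os.path.join(share, name), "w"):
                pass
        return scan_tree(root)


if __name__ == "__main__":
    for directory, fn, reasons in demo():
        print(f"{directory}/{fn}: {', '.join(reasons)}")
```

Names that are plausible on their own, such as "Lock Folder.exe" or "Crack_GoogleEarthPro.exe", are not caught by these heuristics; for those, exact matching against the list above is the straightforward complement.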


Searches for the following directory:
   • %all directories%

   If successful, the following files are created:
   • windows.rar
   • office_crack.rar
   • serials.rar
   • passwords.rar
   • windows_secrets.rar
   • source.rar
   • imp_data.rar
   • documents_backup.rar
   • backup.rar
   • MyDocuments.rar

   The archive contains a copy of the malware.

 Network  To ensure its spread, the malware tries to contact other systems, as described below:


Uses the following login data to control the remote system:

– User name:
   • Administrator

– Password list:
   • 123
   • abc


 Other information  Checks for an Internet connection by contacting the following websites:
   • http://www.microsoft.com
   • http://www.hotmail.com
   • http://www.yahoo.com
   • http://www.britishcouncil.com

The description was created by Razvan Olteanu on Tuesday, 16 February 2010
The description was modified by Andrei Ivanes on Wednesday, 17 February 2010