Virus:WORM/Mabezat.b
Date discovered:09/11/2007
Type:Worm
In the wild:Yes
Reported Infections:High
Distribution Potential:Medium to high
Damage Potential:High
Static file:No
VDF version:7.00.00.185
IVDF version:7.00.00.193 - Friday, November 9, 2007

General Methods of propagation:
   • Autorun feature
   • Email
   • Infects files
   • Local network


Aliases:
   •  Symantec: W32.Mabezat.B
   •  Mcafee: W32/Mabezat
   •  Kaspersky: Worm.Win32.Mabezat.b
   •  Sophos: W32/Mabezat-B
   •  VirusBuster: Worm.Mabezat.A
   •  Eset: Win32/Mabezat.A

This is a component of: W32/Mabezat


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Drops malicious files
   • Infects files
   • Registry modification

Files
It copies itself to the following location:
   • %drive%\zPharaoh.exe


Encryption:
It creates new files which are encrypted copies of the files it finds.

The following file types are targeted:
   • .hlp; .pdf; .html; .txt; .aspx.cs; .aspx; .psd; .mdf; .rtf; .htm;
      .ppt; .php; .asp; .pas; .h; .cpp; .xls; .doc; .rar; .zip; .mdb

The original file is deleted afterwards.



It deletes the following file:
   • %home%\Local Settings\Application Data\Microsoft\CD Burning\*.*



The following files are created:

%drive%\autorun.inf This is a plain text file (not itself executable); it is what starts the dropped copy via the Autorun feature when the drive is inserted or opened in Explorer. It has the following content:
   • [AutoRun]
     ShellExecute=zPharaoh.exe
     shell\open\command=zPharaoh.exe
     shell\explore\command=zPharaoh.exe
     open=zPharaoh.exe
     

%home%\Application Data\tazebama\zPharaoh.dat This is a non malicious text file with the following content:
   • tazebama trojan log file

Registry
The following registry value, which restricts the Autorun feature by drive type, is removed (this re-enables Autorun on all drive types, including removable media):
   • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun



The following registry key is changed:

Various Explorer settings (each one hides the dropped files or disguises their real extension):
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
   New value:
   • "Hidden"=dword:00000002 (do not show hidden files and folders)
   • "HideFileExt"=dword:00000001 (hide extensions of known file types, so "Readme.doc.exe" is displayed as "Readme.doc")
   • "ShowSuperHidden"=dword:00000000 (hide protected operating system files)
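The autorun.inf and the registry changes above are the two host-side indicators an analyst can check mechanically. The following is an added example (not part of the original Avira description) that parses an autorun.inf of the kind reproduced above and explains which [AutoRun] keys launch a program, and that evaluates a set of Explorer\Advanced values plus the NoDriveTypeAutoRun policy value read from a machine. The sample autorun.inf content is constructed from the page; the bit meaning of NoDriveTypeAutoRun (0x04 = removable drives, 0xFF = all drive types) is standard Windows behaviour. Function names are the example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the autorun.inf this description reports at the root of
# every infected drive, reproduced from the page for the check below.
SAMPLE_AUTORUN_INF = """[AutoRun]
ShellExecute=zPharaoh.exe
shell\\open\\command=zPharaoh.exe
shell\\explore\\command=zPharaoh.exe
open=zPharaoh.exe
"""

# [AutoRun] keys that make Explorer start a program on insert / double-click /
# "Explore" (standard autorun.inf syntax, lower-cased for comparison).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")

# The worm's Explorer\Advanced settings as given on the page.
MABEZAT_EXPLORER_VALUES = {"Hidden": 2, "HideFileExt": 1, "ShowSuperHidden": 0}


def autorun_launch_targets(inf_text: str) -> Dict[str, str]:
    """Parse autorun.inf text and return {key: target} for every launch key.

    Hand-rolled rather than configparser: real autorun.inf files carry BOMs,
    odd casing and duplicate keys, and the last assignment should win.
    """
    targets: Dict[str, str] = {}
    section: Optional[str] = None
    for raw in inf_text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS:
            targets[key] = value.strip().strip('"')
    return targets


def autorun_findings(inf_text: str, drive_is_removable: bool = True) -> List[str]:
    """Explain why an autorun.inf is suspicious; an empty list means nothing flagged."""
    findings: List[str] = []
    for key, target in autorun_launch_targets(inf_text).items():
        name = target.split()[0].lower() if target else ""   # drop any arguments
        if name == "zpharaoh.exe":
            findings.append(f"{key}={target}: launch target matches the WORM/Mabezat.b drop name")
        elif drive_is_removable and re.search(r"\.(exe|com|scr|pif|bat|cmd)$", name):
            findings.append(f"{key}={target}: removable drive autoruns an executable")
    return findings


def explorer_findings(advanced: Dict[str, int], no_drive_type_autorun: Optional[int]) -> List[str]:
    """Flag the Explorer/Autorun weakening this worm performs.

    advanced: values read from HKCU\\...\\Explorer\\Advanced
    no_drive_type_autorun: the Policies\\Explorer\\NoDriveTypeAutoRun value,
                           or None when the value is absent (as after the worm deletes it)
    """
    findings: List[str] = []
    if advanced.get("Hidden") == 2:
        findings.append("Hidden=2: hidden files and folders are not shown")
    if advanced.get("HideFileExt") == 1:
        findings.append("HideFileExt=1: known extensions hidden, so 'Readme.doc.exe' displays as 'Readme.doc'")
    if advanced.get("ShowSuperHidden") == 0:
        findings.append("ShowSuperHidden=0: protected operating-system files are not shown")
    # Bit 0x04 of NoDriveTypeAutoRun disables Autorun for removable drives;
    # 0xFF disables it for every drive type.
    if no_drive_type_autorun is None:
        findings.append("NoDriveTypeAutoRun missing: Autorun is enabled on every drive type")
    elif not no_drive_type_autorun & 0x04:
        findings.append(f"NoDriveTypeAutoRun=0x{no_drive_type_autorun:02X}: removable drives still autorun")
    return findings


if __name__ == "__main__":
    for finding in autorun_findings(SAMPLE_AUTORUN_INF):
        print(finding)
    for finding in explorer_findings(MABEZAT_EXPLORER_VALUES, None):
        print(finding)
```

On a live Windows host the two dictionaries would be filled from the registry (for example with the standard `winreg` module) and the autorun.inf text read from each drive root; the checks themselves are platform-independent so they can also run over files and registry exports collected from a disk image.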

File infection
Infector type:

Embedded - The virus inserts its code throughout the file (in one or more places).


Method:

This direct-action infector actively searches for files.


The following files are infected:

By file type:
   • *.exe

Files in any of the following directories:
   • %PROGRAM FILES%\
   • %WINDIR%\

Email
It uses Microsoft Outlook in order to send emails. The characteristics are described below:


To:
– Email addresses found in specific files on the system.


Email design:



Subject: ABOUT PEOPLE WITH WHOM MATRIMONY IS PROHIBITED
Body:
   • 1 : If a man commits adultery with a woman, then it is not permissible for him to marry her mother or her daughters.
     
     2 : If a woman out of sexual passion and with evil intent commits sexual intercourse with a man, then it is not permissible for the mother or daughters of that woman to merry that man. In the same way, the man who committed sexual intercourse with a woman, because prohibited for her mother and daughters.
     
     Download the attached article to read.
Attachment:
   • PROHIBITED_MATRIMONY.rar



Subject: Windows secrets
Body:
   • The attached article is on "how to make a folder password". If your are interested in this article download it, if you are not delete it.
Attachment:
   • FolderPW_CH(1).rar



Subject: Canada immigration
Body:
   • The debate is no longer about whether Canada should remain open to immigration. That debate became moot when Canadians realized that low birth rates and an aging population would eventually lead to a shrinking populace. Baby bonuses and other such incentives couldn't convince Canadians to have more kids, and demographic experts have forecasted that a Canada without immigration would pretty much disintegrate as a nation by 2050.
     Download the attached file to know about the required forms.
     The sender of this email got this article from our side and forwarded it to you.
Attachment:
   • IMM_Forms_E01.rar



Subject: Viruses history
Body:
   • Nowadays, the viruses have become one of the most dangerous systems to attack the computers. There are a lot of kinds of viruses. The common and popular kind is called "Trojan.Backdoor" which runs as a backdoor of the victim machine. This enables the virus to have a full remote administration of the victim machine. To read the full story about the viruses history since 1970 download the attached and decompress It by WinRAR.
     
     The sender has red the story and forwarded it to you.
Attachment:
   • virushistory.rar



Subject: Web designer vacancy
Body:
   • Fortunately, we have recently received your CV/Resume from moister web site
     and we found it matching the job requirements we offer.
     If your are interested in this job Please send us an updated CV showing the required items with the attached file that we sent.
     
     Thanks & Regards,
     Ajy Bokra
     Computer department.
     AjyBokra@webconsulting.com
Attachment:
   • JobDetails.rar



Subject: MBA new vision
Body:
   • MBA (Master of business administration ) one of the most required degree around the world. We offer a lot of books helping you to gain this degree. We attached one of our .doc word formatted books on "Marketing basics" to download.
     
     
     Our web site http://www.tazeunv.edu.cr/mba/info.htm
     
     Contacts:
     Human resource
     Ajy klaf
     AjyKolav@tazeunv.com
     
     The sender has added your name to be informed with our services.
Attachment:
   • Marketing.rar



Subject: problem
Body:
   • When I had opened your last email I received some errors have been saved in the attached file.
      Please inform me with those errors as soon as possible.
Attachment:
   • outlooklog.rar



Subject: I forwarded the attached file again to evaluate your self.
Body:
   • Unfortunately, I received unformatted email with an attached file from you. I couldn't understand what is behind the words.
     I wish you next time send me a readable file!.
Attachment:
   • notes.rar


Attachment:

The attachment is an archive containing a copy of the malware itself.

P2P
In order to infect other systems on peer-to-peer networks, the following action is performed:


It searches for the following directory:
   • %all directories%

   If successful, the following files are created:
   • Adjust Time.exe; AmericanOnLine.exe; Antenna2Net.exe;
      BrowseAllUsers.exe; CD Burner.exe; Crack_GoogleEarthPro.exe; Disk
      Defragmenter.exe; FaxSend.exe; FloppyDiskPartion.exe;
      GoogleToolbarNotifier.exe; HP_LaserJetAllInOneConfig.exe; IDE Conector
      P2P.exe; InstallMSN11Ar.exe; InstallMSN11En.exe; JetAudio dump.exe;
      KasperSky6.0 Key.doc.exe; Lock Folder.exe; LockWindowsPartition.exe;
      Make Windows Original.exe; MakeUrOwnFamilyTree.exe; Microsoft MSN.exe;
      Microsoft Windows Network.exe; msjavx86.exe; My documents .exe;
      NokiaN73Tools.exe; Office2003 CD-Key.doc.exe; Office2007
      Serial.txt.exe; PanasonicDVD_DigitalCam.exe; RadioTV.exe; Readme.doc
      .exe; readthis.doc.exe; Recycle Bin.exe; RecycleBinProtect.exe;
      ShowDesktop.exe; Sony Erikson DigitalCam.exe; Win98compatibleXP.exe;
      Windows Keys Secrets.exe; WindowsXp StartMenu Settings.exe;
      WinrRarSerialInstall.exe; %current directory name% .exe

   These files are copies of the malware itself.


It searches for the following directory:
   • %all directories%

   If successful, the following files are created:
   • windows.rar
   • office_crack.rar
   • serials.rar
   • passwords.rar
   • windows_secrets.rar
   • source.rar
   • imp_data.rar
   • documents_backup.rar
   • backup.rar
   • MyDocuments.rar

   The archive contains a copy of the malware inside.
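The drop names listed above share two patterns worth detecting by rule rather than by list: a document-looking double extension ("Office2003 CD-Key.doc.exe", "Readme.doc .exe") and an executable named after the folder it sits in ("%current directory name% .exe"). The following is an added example (not part of the original Avira description) that walks a directory tree and flags files matching those patterns or the names on the page. The sample share it builds in a temporary directory is constructed; the set of decoy document extensions is an assumption and the function names are the example's own.

```python
import os
import tempfile
from typing import List, Tuple

# A subset of the drop names from the page (lower-cased); the pattern checks
# below catch the remaining ones without enumerating them.
KNOWN_DROP_NAMES = {
    "kaspersky6.0 key.doc.exe", "office2003 cd-key.doc.exe", "office2007 serial.txt.exe",
    "readme.doc .exe", "readthis.doc.exe", "my documents .exe", "recycle bin.exe",
    "crack_googleearthpro.exe", "winrrarserialinstall.exe",
}
KNOWN_ARCHIVE_NAMES = {
    "windows.rar", "office_crack.rar", "serials.rar", "passwords.rar", "windows_secrets.rar",
    "source.rar", "imp_data.rar", "documents_backup.rar", "backup.rar", "mydocuments.rar",
}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Assumption: document-like extensions commonly used as the decoy half of a double extension.
DECOY_EXTS = {".doc", ".txt", ".pdf", ".xls", ".jpg", ".rtf", ".htm", ".html"}


def classify(dirpath: str, name: str) -> List[str]:
    """Return the reasons a file name in a shared folder looks like a Mabezat drop."""
    reasons: List[str] = []
    low = name.lower()
    if low in KNOWN_DROP_NAMES:
        reasons.append("name on the WORM/Mabezat.b drop list")
    if low in KNOWN_ARCHIVE_NAMES:
        reasons.append("archive name on the WORM/Mabezat.b drop list")
    stem, ext = os.path.splitext(low)
    if ext in EXEC_EXTS:
        stem = stem.rstrip()                      # "readme.doc .exe" -> "readme.doc"
        inner = os.path.splitext(stem)[1]
        if inner in DECOY_EXTS:
            reasons.append(f"double extension {inner}{ext}")
        if stem == os.path.basename(dirpath).lower():
            reasons.append("executable named after its own folder (%current directory name% .exe)")
    return reasons


def scan_shares(roots: List[str]) -> List[Tuple[str, List[str]]]:
    """Walk each root and return (path, reasons) for every flagged file, sorted by path."""
    hits: List[Tuple[str, List[str]]] = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                reasons = classify(dirpath, name)
                if reasons:
                    hits.append((os.path.join(dirpath, name), reasons))
    return sorted(hits)


def build_demo_tree() -> str:
    """Constructed sample share: three worm-style names beside three benign files."""
    base = tempfile.mkdtemp(prefix="mabezat_demo_")
    share = os.path.join(base, "Shared Music")
    os.makedirs(share)
    for name in ("Shared Music .exe", "Office2003 CD-Key.doc.exe", "Readme.doc .exe",
                 "song.mp3", "notes.txt", "KasperSky6.0 Key.doc"):
        open(os.path.join(share, name), "wb").close()   # empty files; only names matter here
    return base


def demo_hit_names() -> List[str]:
    """Base names of the files flagged in the constructed sample share."""
    return [os.path.basename(path) for path, _ in scan_shares([build_demo_tree()])]


if __name__ == "__main__":
    for path, reasons in scan_shares([build_demo_tree()]):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Name-based checks are a triage aid, not a verdict: a hit should be confirmed by hashing the file against the sample or by scanning it, and a rename by the operator defeats the list check while the double-extension and folder-name rules still fire.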

Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.


It uses the following login information in order to gain access to the remote machine:

The following username:
   • Administrator

The following list of passwords:
   • 123
   • abc


Miscellaneous
Checks for an internet connection by contacting the following web sites:
   • http://www.microsoft.com
   • http://www.hotmail.com
   • http://www.yahoo.com
   • http://www.britishcouncil.com

Description inserted by Andrei Ivanes on Wednesday, February 17, 2010
Description updated by Andrei Ivanes on Wednesday, February 17, 2010
