Saturday, November 17, 2007

Virus Encyclopedia

Displaying results for threat Win32/Mabezat.A

Names, aliases:
Win32/Mabezat.B (eTrust-Vet), Worm.Win32.Mabezat.b (F-Secure), Worm.Win32.Mabezat.b (Ikarus), Worm.Win32.Mabezat.b (Kaspersky), W32/Mabezat.a (McAfee), Win32/Mabezat.A (NOD32v2), Win32.Malware.gen!92 (Webwasher-Gateway)
Behavior:
Polymorphic parasitic infector of executable files; it uses removable media and shared folders on the LAN to propagate.
Description:
Once executed, the worm drops the following files in the folder %DriveLetter%\Documents and Settings:
tazebama.dll (32,768 bytes)
tazebama.dl_ (154,751 bytes)
hook.dl_ (154,751 bytes)
Modifies the following registry entries:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"SuperHidden"=dword:00000000
"Hidden"=dword:00000001
Enables drive autorun by removing the following entry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"
It may also copy itself to the %UserProfile%\Local Settings\Application Data\Microsoft\CD Burning folder using the following filename:
zPharaoh.exe
Creates the following folder for its own use:
%DriveLetter%\Documents and Settings\%UserProfile%\Application Data\tazebama
If the current system date matches the condition (year greater than or equal to 2012, month greater than or equal to 10, and day greater than or equal to 16), files with the following extensions are encrypted:
*.TXT, *.BAS, *.C, *.MDB, *.ZIP, *.RAR, *.DOC, *.XLS, *.CPP, *.H, *.PAS, *.ASP, *.PHP, *.PPT, *.HTM, *.RTF, *.MDF, *.PSD, *.ASPX, *.ASPX.CS, *.HTML, *.PDF, *.HLP
The encryption consists simply of adding 0x10 to each byte of the file.
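Because the scheme is a fixed +0x10 on every byte, recovery needs no key: subtract 0x10 modulo 256. The helper below is an added example (not code from the encyclopedia entry) that recognises a file encrypted this way by checking whether a known format signature appears only after reversing the transform, and then restores it; the magic-byte table is an assumption covering a few of the listed extensions.

```python
# Added example: detect and reverse Mabezat-style "+0x10 per byte" encryption.
# Assumption: the MAGIC table below is our own selection of format signatures
# for some of the extensions the entry lists (ZIP, RAR, PDF, OLE2 DOC/XLS/PPT, PSD).
from __future__ import annotations

MAGIC = {
    b"PK\x03\x04": "ZIP",
    b"Rar!\x1a\x07": "RAR",
    b"%PDF": "PDF",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 (DOC/XLS/PPT)",
    b"8BPS": "PSD",
}

def mabezat_encrypt(data: bytes) -> bytes:
    """Forward transform as described: add 0x10 to each byte, modulo 256."""
    return bytes((b + 0x10) & 0xFF for b in data)

def mabezat_decrypt(data: bytes) -> bytes:
    """Inverse transform: subtract 0x10 from each byte, modulo 256."""
    return bytes((b - 0x10) & 0xFF for b in data)

def detect_format(data: bytes) -> str | None:
    """Return the format name whose signature starts the buffer, else None."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def looks_encrypted(data: bytes) -> str | None:
    """Return the recovered format name if the buffer carries no known
    signature as-is but does after reversing the +0x10 transform.
    Plain-text formats (TXT, C, HTML, ...) have no signature, so they need
    a content-based check that this helper does not attempt."""
    if detect_format(data) is not None:
        return None          # already a recognised, unencrypted file
    return detect_format(mabezat_decrypt(data[:16]))

def recover_file(src: str, dst: str) -> str | None:
    """Decrypt src into dst if it appears Mabezat-encrypted; return the
    detected format, or None if the file was left untouched."""
    with open(src, "rb") as f:
        data = f.read()
    fmt = looks_encrypted(data)
    if fmt is None:
        return None
    with open(dst, "wb") as f:
        f.write(mabezat_decrypt(data))
    return fmt
```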
Executable file infection:
The virus searches for executables on local drives and on the network. Executables are infected by overwriting the instructions at the entry point; the original code is then stored at the end of the file.
Propagation:
Copies itself into the root folders of drives using the following filename:
zPharaoh.exe
The virus also creates the following file:
autorun.inf
with the following content:
[AutoRun]
ShellExecute=zPharaoh.exe
shell\open\command=zPharaoh.exe
shell\explore\command=zPharaoh.exe
open=zPharaoh.exe
This causes the virus to be executed each time the user opens the corresponding removable drive using Windows Explorer.
Removing:
Remove infected files and restore them from backup.