Mabezat Worm
Original issue date: October 24, 2008
Virus:Win32/Mabezat is a polymorphic virus that infects PE files. The file infector may be dropped by other malware or downloaded unknowingly by a user visiting malicious Web sites. It carries a date-based payload that encrypts files with particular file extensions.
Apart from spreading via file infection, it also attempts to spread via network shares, removable drives and CD burning. It drops a copy of itself into every folder found on removable drives, using that folder's name as the file name. It also drops another copy of the file infector into folders on removable drives under file names that resemble legitimate applications (WinrRarSerialInstall.exe, FloppyDiskPartion.exe, LockWindowsPartition.exe, GoogleToolbarNotifier.exe).
It also creates an autorun.inf file on every drive so that it is executed whenever a user opens the drive through Windows Explorer.
Aliases
- Win32/Mabezat.worm.32768 (AhnLab)
- W32/AutoRun.APZ (Norman)
- W32/Mabezat-B (Sophos)
- W32.Mabezat-3 (ClamAV)
- Win32/Mabezat.A (ESET)
- Worm.Win32.Mabezat.b (Kaspersky and others)
- Win32.Worm.Mabezat.C (Sunbelt Software)
- W32/Mabezat.a (McAfee)
Upon execution, each Virus:Win32/Mabezat variant:
- drops the following malicious files:
- [Root Drive]\Documents and Settings\hook.dl_
- [Root Drive]\Documents and Settings\tazebama.dl_
- c:\autorun.inf
- c:\zPharaoh.exe (detected as Mabezat.B)
- creates the following folder and file:
- [Root Drive]\Documents and Settings\{USER NAME}\Application Data\tazebama
- [Root Drive]\Documents and Settings\{USER NAME}\Application Data\tazebama\zPharaoh.dat
- copies itself to removable devices and network shares using the following file names:
- My documents .exe
- Readme.doc .exe
- tazebama.exe
- Infects (modifies) the following legitimate Windows executables:
- %ProgramFiles%\NetMeeting\conf.exe
- %ProgramFiles%\Outlook Express\msimn.exe
- %ProgramFiles%\Outlook Express\wab.exe
- %ProgramFiles%\Outlook Express\wabmig.exe
- %ProgramFiles%\Windows Media Player\wmplayer.exe
- %ProgramFiles%\Windows NT\dialer.exe
- %ProgramFiles%\Windows NT\Pinball\PINBALL.EXE
- %Windir%\pchealth\helpctr\binaries\HelpCtr.exe
- %Windir%\pchealth\helpctr\binaries\msconfig.exe
- Sets the following registry values to hide file extensions and hidden/system files (ShowSuperHidden = 0 hides protected operating-system files, Hidden = 2 hides files carrying the hidden attribute, HideFileExt = 1 hides known extensions, so a dropped "Readme.doc .exe" is displayed as "Readme.doc "):
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "2"
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
- Drops a copy of itself on all physical and removable drives as ZPHARAOH.EXE. It also drops an AUTORUN.INF file so that the dropped copies execute automatically when those drives are accessed. The AUTORUN.INF file contains the following strings:

- Drops autorun.inf and zPharaoh.exe into the Windows XP CD Burning staging folder, so that they are written to any CD the user burns with the built-in CD writing wizard:
- %System Root%\Documents and Settings\{USER NAME}\Local Settings\Application Data\Microsoft\CD Burning
- Searches for target files in the following folders:
- %Program Files%\Microsoft Office\OFFICE
- %Program Files%\Microsoft Office\OFFICE10
- %Program Files%\Microsoft Office\OFFICE11
- %Program Files%\Real
- %Program Files%\Windows Media Player
- %Program Files%\winzip
- %Program Files%\winrar
- Searches for files with a .DOC extension. For each one found, it creates the file {.DOC file name}.EXE in the same directory (e.g. for DOCUMENTSample.DOC the malware file is DOCUMENTSample.DOC.EXE); with extensions hidden by the registry change above, the copy appears beside the document as a second "DOCUMENTSample.DOC". The created .EXE file is capable of infecting the application WINWORD.EXE.
- Encrypts files with the extensions .hlp, .pdf, .html, .txt, .aspx, .psd, .rtf, .htm, .ppt, .php, .asp, .cpp, .xls and .mdb if all of the following conditions hold:
- the year is greater than or equal to 2012;
- the month is greater than or equal to 10 (October);
- and the day of the month is greater than or equal to 16.
Taken together, these conditions mean the payload is armed only on the 16th or later of October, November or December in 2012 or any later year, not continuously from 16 October 2012 onwards.
- Requests HTTP connections to the following URLs:
- http://www.britishcouncil.com
- http://www.yahoo.com
- http://www.hotmail.com
- http://www.microsoft.com
- The worm may then send e-mails with a copy of itself attached, using the following characteristics. It avoids sending to e-mail addresses that contain the strings MICROSOFT, KASPER or PANDA.
- Subject: Windows secrets
Attachment: FolderPW_CH(1).rar
Body:
The attached article is on "how to make a folder password". If your are interested in this article download it, if you are not delete it.
- Subject: Canada immigration
Attachment: IMM_Forms_E01.rar
Body:
The debate is no longer about whether Canada should remain open to
immigration. That debate becam [REMOVED] the required forms. The sender of this email got this article from our side and forwarded it to you.
- Subject: Viruses history
Attachment: virushistory.rar
Body:
Nowadays, the viruses have become one of the most dangerous systems to attack the computers. There a [REMOVED] load the attached and decompress It by WinRAR. The sender has red the story and forwarded it to you.
- Subject: Web designer vacancy
Attachment: JobDetails.rar
Body:
Fortunately, we have recently received your CV/Resume from moister web site and we found it matching [REMOVED]
Thanks & Regards,
Ajy Bokra
Computer department.
AjyBokra@webconsulting.com
- Subject: MBA new vision
Attachment: Marketing.rar
Body:
MBA (Master of business administration ) one of the most required degree around the world. We offer [REMOVED] Ajy klaf
AjyKolav@tazeunv.com
The sender has added your name to be informed with our services.
- Subject: problem
Attachment: outlooklog.rar
Body:
When I had opened your last email I received some errors have been saved in the attached file. Please inform me with those errors as soon as possible.
- Subject: hi
Attachment: notes.rar
Body:
Unfortunately, I received unformatted email with an attached file from you. I couldn't understand what is behind the words. I wish you next time send me a readable file!. I forwarded the attached file again to evaluate your self.
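The seven subject/attachment pairs above can be matched mechanically at a mail gateway or during triage. The following is an added example written for this page, not part of the CERT-In advisory or of the vendor write-ups it references: it parses a raw message with Python's standard email library and reports a hit only when both the subject and the attachment file name match one of the listed lures. The test message it builds is constructed (the addresses are placeholders and the "archive" is a few placeholder bytes, not a RAR file and not the worm); build_sample, match_lure and attachment_names are this example's own names.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject -> attachment name pairs exactly as listed in the advisory.
# Subjects are compared case-insensitively after trimming whitespace.
LURES = {
    "windows secrets": "FolderPW_CH(1).rar",
    "canada immigration": "IMM_Forms_E01.rar",
    "viruses history": "virushistory.rar",
    "web designer vacancy": "JobDetails.rar",
    "mba new vision": "Marketing.rar",
    "problem": "outlooklog.rar",
    "hi": "notes.rar",
}


def attachment_names(msg):
    """Return the file names of all attachment parts in a parsed message."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def match_lure(raw):
    """Parse a raw RFC 5322 message (bytes). Return (subject, attachment)
    when subject and attachment name both match a Mabezat lure, else None."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    expected = LURES.get(subject.lower())
    if expected is None:
        return None
    for name in attachment_names(msg):
        if name.lower() == expected.lower():
            return (subject, name)
    return None


def build_sample(subject, attachment, body):
    """Constructed test message for the demo. The attachment bytes are a
    placeholder: not a real archive and not malware."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"      # constructed address
    m["To"] = "recipient@example.invalid"     # constructed address
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=attachment)
    return m.as_bytes()


if __name__ == "__main__":
    hit = build_sample("Windows secrets", "FolderPW_CH(1).rar",
                       "The attached article is on how to make a folder password.")
    miss = build_sample("Windows secrets", "quarterly_report.pdf",
                        "Please find the report attached.")
    print(match_lure(hit))   # ('Windows secrets', 'FolderPW_CH(1).rar')
    print(match_lure(miss))  # None
```

Matching on the subject alone would be noisy ("hi" and "problem" are ordinary subjects), which is why the check requires the attachment name as well; a reply prefix such as "Re:" deliberately does not match, since the worm's messages are originals, not replies.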
In view of the rapid propagation of the Mabezat virus, users are advised to implement the following countermeasures:
- Search for the malicious files and registry entries created by the Mabezat virus and delete them; restore the ShowSuperHidden, Hidden and HideFileExt values so that the dropped .EXE copies become visible again
- Install and maintain updated anti-virus software at gateway and desktop level
- Disable AutoRun/AutoPlay for removable drives and CDs, since the worm relies on autorun.inf to execute when a drive is opened
- Keep the operating system and applications up to date with patches and fixes
- Exercise caution while opening e-mail attachments, in particular unsolicited .rar archives with the subjects listed above
- Install and maintain a firewall at desktop level
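The first countermeasure above (find and remove the dropped files and registry values) can be scripted. The following is an added example written for this page, not part of the CERT-In advisory or of any vendor tool: it walks a drive or folder looking for the dropped file names listed in this advisory, {name}.DOC.EXE companions sitting next to a real .DOC, a tazebama folder and a root-level autorun.inf; it reports which of the three Explorer\Advanced values match what the worm sets (read from HKCU on Windows, or supplied as a dictionary elsewhere); and it evaluates the date trigger exactly as stated above. It builds a constructed sample tree in a temporary directory so that it runs offline; every file there holds placeholder text, nothing is the worm, and scan_tree, demo and the other helper names are this example's own.

```python
import os
import sys
import tempfile
from datetime import date
from pathlib import Path

# File names the advisory lists for dropped copies, matched case-insensitively.
# Note the space before ".exe" in two of them.
DROPPED_NAMES = {
    "zpharaoh.exe", "tazebama.exe", "hook.dl_", "tazebama.dl_",
    "my documents .exe", "readme.doc .exe",
}
# Decoy names the advisory lists for removable drives. They look legitimate,
# so they are only checked when scanning removable media.
REMOVABLE_DECOYS = {
    "winrrarserialinstall.exe", "floppydiskpartion.exe",
    "lockwindowspartition.exe", "googletoolbarnotifier.exe",
}
# Explorer\Advanced values the worm sets to hide its dropped copies.
WORM_EXPLORER_VALUES = {"ShowSuperHidden": 0, "Hidden": 2, "HideFileExt": 1}


def payload_window_open(year, month, day):
    """Date trigger as the advisory states it: all three conditions at once."""
    return year >= 2012 and month >= 10 and day >= 16


def explorer_hiding_settings(values):
    """Return which of the three Explorer values currently match the worm's."""
    return sorted(k for k, v in WORM_EXPLORER_VALUES.items() if values.get(k) == v)


def read_explorer_advanced():
    """Read the three values from HKCU on Windows; returns {} on other OSes."""
    if sys.platform != "win32":
        return {}
    import winreg
    key = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as k:
        for name in WORM_EXPLORER_VALUES:
            try:
                out[name] = winreg.QueryValueEx(k, name)[0]
            except FileNotFoundError:
                pass
    return out


def scan_tree(root, removable=False):
    """Walk a drive or folder and return a list of (kind, path) findings."""
    root = Path(root)
    names = DROPPED_NAMES | (REMOVABLE_DECOYS if removable else set())
    findings = []
    for dirpath, dirs, files in os.walk(root):
        here = Path(dirpath)
        for d in dirs:
            if d.lower() == "tazebama":            # ...\Application Data\tazebama
                findings.append(("tazebama_dir", str(here / d)))
        lower = {f.lower(): f for f in files}
        for low, name in lower.items():
            path = str(here / name)
            if low in names:
                findings.append(("dropped_copy", path))
            elif low.endswith(".doc.exe") and low[:-4] in lower:
                findings.append(("doc_companion", path))   # X.DOC.EXE beside X.DOC
            elif low == "autorun.inf" and here == root:
                findings.append(("autorun_inf", path))     # contents not checked
    return findings


def build_sample_tree(base):
    """Constructed infection-like layout for the demo (placeholder files only)."""
    base = Path(base)
    (base / "Work").mkdir()
    (base / "Application Data" / "tazebama").mkdir(parents=True)
    for rel in ["autorun.inf", "zPharaoh.exe", "Readme.doc .exe",
                "Work/DOCUMENTSample.DOC", "Work/DOCUMENTSample.DOC.EXE",
                "Work/Notes.doc", "Application Data/tazebama/zPharaoh.dat"]:
        (base / rel).write_text("placeholder")
    return base


def demo():
    """Build the sample tree in a temp dir; return (kind, file name) findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(k, os.path.basename(p)) for k, p in scan_tree(tmp, removable=True)]


if __name__ == "__main__":
    for kind, name in demo():
        print(kind, name)
    t = date.today()
    print("payload window open today:", payload_window_open(t.year, t.month, t.day))
    print("Explorer values matching the worm:",
          explorer_hiding_settings(read_explorer_advanced()))
```

On a real host, call scan_tree once per drive letter, passing removable=True for USB sticks and burned CDs, and treat Notes.doc-style clean documents as the control: only a .DOC with an identically named .DOC.EXE beside it is reported. The autorun.inf contents are not inspected because the advisory does not reproduce them; a name-based hit should be confirmed with an anti-virus scan or a file hash before deletion.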
References
http://www.microsoft.com/security/portal/Entry.aspx?name=Virus%3aWin32%2fMabezat.B
http://vil.nai.com/vil/content/v_143553.htm
http://www.symantec.com/norton/security_response/writeup.jsp?docid=2007-120113-2635-99&tabid=2
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_MABEZAT.B-2&VSect=T
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information
Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003