Worm.Win32.Mabezat.b
Platform: Win32
Type: Worm
Language: C++
Summary
Worm.Win32.Mabezat.b is a polymorphic worm (the worm's copies and the code it adds to infected files differ from one infection to the next, because the body is encrypted and padded with random junk data) that creates copies of itself on local drives and on shared network resources.
Technical Details
Installation
Once launched, the worm extracts the following library from its body:
C:\Documents and Settings\tazebama.dll
The file is 32768 bytes in size (md5: B6A03576E595AFACB37ADA2F1D5A0529, sha1: D598D4D0E70DEC2FFA2849EDAEB4DB94FEDCC0B8).
The worm loads the library to its address space and uses it to extract its copies with the following names:
%Documents and Settings%\tazebama.dl_
%Documents and Settings%\hook.dl_
It then launches the following file for execution:
%Documents and Settings%\tazebama.dl_
Payload
To harvest email addresses, the worm parses the contents of files with the following extensions:
.c
.txt
.bas
.mdb
.zip
.rar
.doc
.xls
.cpp
.h
.pas
.asp
.php
.ppt
.htm
.rtf
.mdf
.psd
.aspx
.aspx.cs
.html
.pdf
.hlp
The collected addresses are used for the emails described in the “Propagation” section.
The worm checks the current date. If all of the following conditions hold:
1. the current year is greater than 2011;
2. the current month is greater than 9;
3. the current day of the month is greater than 15;
the worm encrypts the contents of files with the extensions listed above.
To avoid encrypting a file twice, the worm adds the following marker string to the file:
TAZEBAMA
The worm creates its log file:
%UserProfile%\Application Data\tazebama\zPharaoh.dat
The worm makes Explorer hide files with the “hidden” and “system” attributes and hide file extensions by setting the following values under the registry key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
"HideFileExt" = "1"
"ShowSuperHidden" = "0"
The worm re-enables execution via "autorun.inf" files by removing the "NoDriveTypeAutoRun" value from the registry keys:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"
File Infection
The worm infects files with the following extensions:
.lnk
.exe
.scr
If the file is a shortcut (.lnk extension), the worm reads the name of the file the shortcut points to and infects that file. Files are infected in the directory:
%UserProfile%\Local Settings\Application Data\Microsoft\CD Burning
as well as files referenced by the registry keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
The worm's polymorphism is illustrated in the picture below: the worm code differs in each infected file, but the functionality is the same.

To infect a file, the worm expands the last section of the executable and writes into it the code that decrypts its body, together with the body itself. It then changes the program's entry point so that the worm's decryption code runs first, followed by the worm code and finally the original program code.
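The infection layout just described leaves a structural trace: the entry point no longer lies in the original code section but in the (enlarged) last section, which must be executable. The following Python is an added triage example, not code from the original description; it parses the PE section table and flags that pattern. `build_minimal_pe` constructs header-only images for demonstration and is not a real binary.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristics flag: section contains executable code


def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ image as stored on disk."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]     # SizeOfOptionalHeader
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]         # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * 40                             # 40-byte IMAGE_SECTION_HEADER entries
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize = struct.unpack_from("<III", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "va": va, "size": max(vsize, rawsize), "chars": chars})
    return entry, sections


def entry_point_check(data: bytes) -> dict:
    """Flag the appending-infector pattern: entry point inside the last section and that section executable.
    Packers (e.g. UPX) produce the same layout, so treat a hit as a triage lead, not a verdict."""
    entry, sections = parse_pe(data)
    for idx, s in enumerate(sections):
        if s["va"] <= entry < s["va"] + s["size"]:
            is_last = idx == len(sections) - 1
            executable = bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)
            return {"entry_section": s["name"], "is_last": is_last, "executable": executable,
                    "suspicious": is_last and executable and len(sections) > 1}
    # Entry point outside every section is malformed and worth a look on its own.
    return {"entry_section": None, "is_last": False, "executable": False, "suspicious": True}


def build_minimal_pe(section_specs, entry_rva: int) -> bytes:
    """Constructed header-only PE32 image for demonstration; specs are (name, va, size, characteristics)."""
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, len(opt), 0x102)
    table = b"".join(name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", size, va, size, 0, 0, 0, 0, 0, chars)
                     for name, va, size, chars in section_specs)
    return b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    clean = build_minimal_pe([(b".text", 0x1000, 0x2000, 0x60000020), (b".data", 0x3000, 0x1000, 0xC0000040)], 0x1100)
    infected = build_minimal_pe([(b".text", 0x1000, 0x2000, 0x60000020), (b".data", 0x3000, 0x1800, 0xE0000040)], 0x3800)
    print(entry_point_check(clean)["suspicious"], entry_point_check(infected)["suspicious"])  # False True
```

To triage a real file, pass `open(path, "rb").read()` to `entry_point_check` and confirm any hit with a full PE tool before acting on it.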
Autorun
The worm copies itself to the root of every shared logical drive under the following name:
<infected section name>:\zPharaoh.exe
Alongside that copy, the worm writes the following file to the root directory of the drive; it is used to launch the worm when the infected drive is opened in Windows Explorer:
<infected section name>:\autorun.inf
The file "autorun.inf" contents are as follows:
[AutoRun]
ShellExecute=zPharaoh.exe
shell\open\command=zPharaoh.exe
shell\explore\command=zPharaoh.exe
open=zPharaoh.exe
The hidden, system and read-only attributes are assigned to the created files.
Propagation
To spread via CD-RW drives, the worm copies itself to the staging folder used by Windows' built-in CD burning feature:
%UserProfile%\Local Settings\Application Data\Microsoft\CD Burning\zPharaoh.exe
Into the same directory it also places the accompanying file that makes the worm run automatically:
%UserProfile%\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf
The hidden, system and read-only attributes are assigned to the files.
It copies itself into subdirectories, using either the subdirectory's own name or names randomly selected from the following list:
WinrRarSerialInstall.exe
NokiaN73Tools.exe
Make Windows Original.exe
Office2003 CD-Key.doc.exe
Office2007 Serial.txt.exe
KasperSky6.0 Key.doc.exe
JetAudio dump.exe
InstallMSN11Ar.exe
InstallMSN11En.exe
Lock Folder.exe
Crack_GoogleEarthPro.exe
AmericanOnLine.exe
msjavx86.exe
FloppyDiskPartion.exe
HP_LaserJetAllInOneConfig.exe
Recycle Bin.exe
Microsoft Windows Network.exe
Adjust Time.exe
MakeUrOwnFamilyTree.exe
WindowsXp StartMenu Settings.exe
LockWindowsPartition.exe
Win98compatibleXP.exe
ShowDesktop.exe
BrowseAllUsers.exe
Disk Defragmenter.exe
CD Burner.exe
FaxSend.exe
RecycleBinProtect.exe
IDE Conector P2P.exe
Windows Keys Secrets.exe
Microsoft MSN.exe
Sony Erikson DigitalCam.exe
Antenna2Net.exe
RadioTV.exe
GoogleToolbarNotifier.exe
PanasonicDVD_DigitalCam.exe
My Documents .exe
Readme.doc .exe
My documents .exe
The worm can use these names when sending emails.
The worm creates a RAR archive containing a copy of itself with one of the following names:
windows.rar
office_crack.rar
serials.rar
passwords.rar
windows_secrets.rar
source.rar
imp_data.rar
documents_backup.rar
backup.rar
MyDocuments.rar
The worm reads the following registry key to find the path to the WinRAR application:
[HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\WinRAR.exe]
If no archiver is installed on the computer, the worm instead uses an encrypted RAR archive containing a copy of itself under the following name:
Readme.doc .exe
The worm does not send emails to addresses that contain any of the following strings:
MICROSOFT
KASPER
PANDA
Before sending emails, the worm checks for Internet connectivity by visiting the following URLs:
http://www.hotmail.com
http://www.britishcouncil.com
http://www.microsoft.com
http://www.yahoo.com
The worm uses several templates to format emails:
Subject:
ABOUT PEOPLE WITH WHOM MATRIMONY IS PROHIBITED
Message body:
1: If a man commits adultery with a woman, then it is not permissible for him to marry her mother or her daughters.
2: If a woman out of sexual passion and with evil intent commits sexual intercourse with a man, then it is not permissible for the mother or daughters of that woman to merry that man. In the same way, the man who committed sexual intercourse with a woman, because prohibited for her mother and daughters.
Download the attached article to read.
Attachment:
PROHIBITED_MATRIMONY.rar
Subject:
Windows secrets
Message body:
The attached article is on
how to make a folder password
. If your are interested in this article download it, if you are not delete it.
Attachment:
FolderPW_CH(1).rar
Subject:
Canada immigration
Message body:
The debate is no longer about whether Canada should remain open to immigration. That debate became moot when Canadians realized that low birth rates and an aging population would eventually lead to a shrinking populace. Baby bonuses and other such incentives couldn't convince Canadians to have more kids, and demographic experts have forecasted that a Canada without immigration would pretty much disintegrate as a nation by 2050.
Download the attached file to know about the required forms.
The sender of this email got this article from our side and forwarded it to you.
Attachment:
IMM_Forms_E01.rar
Subject:
Viruses history
Message body:
Nowadays, the viruses have become one of the most dangerous systems to attack the computers. There are a lot of kinds of viruses. The common and popular kind is called
Trojan.Backdoor
which runs as a backdoor of the victim machine. This enables the virus to have a full remote administration of the victim machine. To read the full story about the viruses history since 1970 download the attached and decompress It by WinRAR.
The sender has red the story and forwarded it to you.
Attachment:
virushistory.rar
Subject:
Web designer vacancy
Message body:
Fortunately, we have recently received your CV/Resume from moister web site
and we found it matching the job requirements we offer.
If your are interested in this job Please send us an updated CV showing the required items with the attached file that we sent.
Thanks
Regards,
Ajy Bokra
Computer department.
Attachment:
JobDetails.rar
Subject:
MBA new vision
Message body:
MBA (Master of business administration ) one of the most required degree around the world. We offer a lot of books helping you to gain this degree. We attached one of our .doc word formatted books on
Marketing basics
to download.
Our web site tazeunv.edu.cr/mba/info.htm
Contacts:
Human resource
Ajy klaf
The sender has added your name to be informed with our services.
Attachment:
Marketing.rar
Subject:
problemo
Message body:
When I had opened your last email I received some errors have been saved in the attached file.
Please inform me with those errors as soon as possible.
Attachment:
оutlooklog.rar
Subject:
hi
Message body:
notes.rar
Unfortunately, I received unformatted email with an attached file from you. I couldn't understand what is behind the words.
I wish you next time send me a readable file!.I forwarded the attached file again to evaluate your self.
Attachment:
doc2.rar
The worm obtains a list of IP addresses of the computers it most recently attempted to infect and copies itself to their shared resources.
It attempts to copy itself to the following folders on the networked computers:
\\<IP address>\c$\Documents and Settings
\\<IP address>\Start Menu\Programs\Startup
It uses the following usernames:
Administrator
Anonymous
The worm builds candidate passwords from combinations of the following characters (the space character included):
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789
Removal Recommendations
- Using Task Manager, terminate the process:
  tazebama.dl_
- Delete the files:
  C:\Documents and Settings\tazebama.dll
  %Documents and Settings%\tazebama.dl_
  %Documents and Settings%\hook.dl_
  <infected section name>:\zPharaoh.exe
  <infected section name>:\autorun.inf
  %UserProfile%\Local Settings\Application Data\Microsoft\CD Burning\zPharaoh.exe
  %UserProfile%\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf
- Delete the folder:
  %UserProfile%\Application Data\tazebama
- Restore the original values of the following registry keys, if required:
  [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
  "Hidden"
  "HideFileExt"
  "ShowSuperHidden"
  [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
  "NoDriveTypeAutoRun"
  [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
  "NoDriveTypeAutoRun"
- Run a full scan of your computer using an antivirus program with an updated definition database.