Virus Encyclopedia

Win32/Mabezat.A

Names, aliases:

Win32/Mabezat.B (eTrust-Vet), Worm.Win32.Mabezat.b (F-Secure), Worm.Win32.Mabezat.b (Ikarus), Worm.Win32.Mabezat.b (Kaspersky), W32/Mabezat.a (McAfee), Win32/Mabezat.A (NOD32v2), Win32.Malware.gen!92 (Webwasher-Gateway)

Behavior:

Polymorphic parasitic infector of executable files; it uses removable media and shared folders on the LAN to propagate.

Description:

Once executed, the worm drops the following files in the folder %DriveLetter%\Documents and Settings:

tazebama.dll (32,768 bytes)
tazebama.dl_ (154,751 bytes)
hook.dl_ (154,751 bytes)

Modifies the following registry entries:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"SuperHidden"=dword:00000000
"Hidden"=dword:00000001

Enables drive autorun by removing the following registry value:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"
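The two registry changes above are easy to check for offline on a `reg export` of the affected keys. The following is an added example, not part of the encyclopedia entry: it parses a minimal .reg export and reports the value states the entry describes (SuperHidden set to 0, Hidden set to 1, NoDriveTypeAutoRun absent). The two sample exports are constructed for illustration, not captured from an infected host; the values in the "clean" sample are likewise constructed and are not claimed to be Windows defaults. Each indicator on its own is weak, since Hidden and SuperHidden are ordinary user preferences; the missing autorun policy alongside them is the more telling signal.

```python
import re

# Registry keys named in the encyclopedia entry.
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Constructed sample export showing the state the entry describes:
# SuperHidden=0, Hidden=1 and the Policies key with NoDriveTypeAutoRun removed.
SAMPLE_SUSPECT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"SuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"""

# Constructed sample export for comparison (values chosen for contrast only).
SAMPLE_CLEAN = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"SuperHidden"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""


def parse_reg_export(text):
    """Parse a minimal .reg export into {key_path: {value_name: raw_value}}.

    Only the [key] header and "name"=value lines are handled, which is all
    this check needs; multi-line hex values are not reassembled.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def parse_dword(value):
    """Return the integer behind a 'dword:XXXXXXXX' value, or None otherwise."""
    if value.lower().startswith("dword:"):
        return int(value[len("dword:"):], 16)
    return None


def mabezat_registry_indicators(text):
    """Return the list of registry states from the entry that are present in the export."""
    keys = parse_reg_export(text)
    findings = []
    advanced = keys.get(ADVANCED_KEY, {})
    if parse_dword(advanced.get("SuperHidden", "")) == 0:
        findings.append("SuperHidden=0")
    if parse_dword(advanced.get("Hidden", "")) == 1:
        findings.append("Hidden=1")
    # A missing Policies key counts as a missing value too: either way the
    # autorun restriction is gone.
    if "NoDriveTypeAutoRun" not in keys.get(POLICIES_KEY, {}):
        findings.append("NoDriveTypeAutoRun missing")
    return findings


if __name__ == "__main__":
    print("suspect:", mabezat_registry_indicators(SAMPLE_SUSPECT))
    print("clean:  ", mabezat_registry_indicators(SAMPLE_CLEAN))
```

To run it against a real host, export the two keys with `reg export` and pass the file contents (decoded as text) to `mabezat_registry_indicators`.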

It may also copy itself to the %UserProfile%\Local Settings\Application Data\Microsoft\CD Burning folder using the following filename:

zPharaoh.exe

Creates the folder %DriveLetter%\Documents and Settings\%UserProfile%\Application Data\tazebama for its own use.

If the current system date satisfies all of the following conditions: year greater than or equal to 2012, month greater than or equal to 10 and day greater than or equal to 16, files with the following extensions are encrypted:

*.TXT
*.BAS
*.C
*.MDB
*.ZIP
*.RAR
*.DOC
*.XLS
*.CPP
*.H
*.PAS
*.ASP
*.PHP
*.PPT
*.HTM
*.RTF
*.MDF
*.PSD
*.ASPX
*.ASPX.CS
*.HTML
*.PDF
*.HLP

The encryption consists simply of adding 0x10 to each byte of the file.
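Because the transformation is a fixed per-byte shift, affected files can be recovered without any key. The following is an added example, not code from the encyclopedia entry or from the malware: it undoes the shift and, for a few of the listed formats, decides whether a file is shifted by checking if its header matches the format's well-known signature only after decoding (a printability heuristic is used for the plain-text types). The wrap-around of bytes above 0xEF back to 0x00 is an assumption, since the entry only says 0x10 is added; the signatures are public file-format constants; all sample inputs are constructed.

```python
import os

SHIFT = 0x10  # the entry states 0x10 is added to each byte


def mabezat_encode(data: bytes) -> bytes:
    """Reproduce the described transformation: add 0x10 to each byte.

    Wrap-around modulo 256 is assumed; the entry does not say what happens
    to bytes above 0xEF.
    """
    return bytes((b + SHIFT) & 0xFF for b in data)


def mabezat_decode(data: bytes) -> bytes:
    """Undo the shift: subtract 0x10 from each byte, modulo 256."""
    return bytes((b - SHIFT) & 0xFF for b in data)


# Well-known signatures for some of the listed extensions.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Office containers
MAGIC = {
    ".zip": b"PK\x03\x04",
    ".rar": b"Rar!\x1a\x07",
    ".pdf": b"%PDF-",
    ".psd": b"8BPS",
    ".doc": OLE2,
    ".xls": OLE2,
    ".ppt": OLE2,
}

# Listed extensions that are normally plain text (".aspx.cs" ends in ".cs").
TEXT_EXTS = {".txt", ".bas", ".c", ".cpp", ".h", ".pas", ".asp", ".php",
             ".htm", ".html", ".aspx", ".cs", ".rtf"}


def _printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/LF/CR."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def looks_shifted(name: str, data: bytes):
    """True if the content matches its type only after undoing the shift,
    False if it already matches, None if there is nothing to compare against."""
    ext = os.path.splitext(name)[1].lower()
    magic = MAGIC.get(ext)
    if magic is not None:
        if data.startswith(magic):
            return False
        return mabezat_decode(data[:len(magic)]) == magic
    if ext in TEXT_EXTS:
        raw = _printable_ratio(data)
        decoded = _printable_ratio(mabezat_decode(data))
        if raw >= 0.9:
            return False
        # Shifted text is recognisable: lowercase letters land above 0x7E
        # and line breaks become 0x1A/0x1D, so the raw ratio drops sharply.
        return decoded >= 0.9 and decoded > raw
    return None


def recover(name: str, data: bytes):
    """Return the decoded bytes when the file looks shifted, otherwise None."""
    return mabezat_decode(data) if looks_shifted(name, data) else None


if __name__ == "__main__":
    # Constructed inputs: a PDF header and a C source fragment, then shifted.
    for fname, original in (("report.pdf", b"%PDF-1.4\n"),
                            ("main.c", b"int main(void) {\n    return 0;\n}\n")):
        shifted = mabezat_encode(original)
        print(fname, "shifted?", looks_shifted(fname, shifted),
              "recovered:", recover(fname, shifted) == original)
```

Only the first bytes are compared for signature-bearing formats, so recovery of a whole directory tree is cheap; files whose extension is not in either table return None and should be inspected by hand rather than blindly decoded.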

Executable files infection

The virus searches for executables on local drives and on the network. Executables are infected by overwriting the instructions at the entry point; the original code is stored at the end of the file.

Propagation

Copies itself to the root folder of drives using the filename zPharaoh.exe. The virus also creates an autorun.inf file in the same location, which causes it to be executed each time the user opens the corresponding removable drive in Windows Explorer.

Removal:
Remove infected files and restore them from backup.