PROHIBITED_MATRIMONY.rar Spam = Worm.Win32.Mabezat


We have recently received an email that contains a ZIP archive named:

PROHIBITED_MATRIMONY.rar

The subject of the email is:

ABOUT PEOPLE WITH WHOM MATRIMONY IS PROHIBITED

The file extracted from PROHIBITED_MATRIMONY.rar is named Readme.doc.exe; note that it has a double extension to trick the user into thinking it is a normal .DOC file instead of a malicious .EXE file.
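A small check for this trick, added here as an example and not code from the original post: it classifies archive entries by name alone, flagging a file whose final extension is executable but whose previous extension looks like a document. The archive it scans is a constructed ZIP built in memory (the standard library reads ZIP natively; the real PROHIBITED_MATRIMONY.rar is not reproduced), and the extension lists are assumptions chosen for illustration.

```python
import io
import zipfile

# Extensions Windows runs as code when double-clicked (common subset, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
# Extensions a recipient expects to be harmless content.
DOCUMENT_EXTS = {"doc", "docx", "xls", "pdf", "txt", "rtf", "jpg", "png"}

def classify_entry(name):
    """Classify an archive entry by its name alone.
    Explorer hides the last extension of known types by default, so
    'Readme.doc.exe' is displayed as 'Readme.doc'; the dropped copy in the post
    even pads the name ('Readme.doc .exe') to push the real extension out of view."""
    base = name.rsplit("/", 1)[-1]              # zip entries use '/' as separator
    parts = [p.strip().lower() for p in base.split(".")]
    if len(parts) < 2 or not parts[-1]:
        return "ok"                              # no extension at all
    last = parts[-1]
    if last not in EXECUTABLE_EXTS:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return "deceptive-double-extension"
    return "executable"

def scan_archive(zip_bytes):
    """Return (name, verdict) for every entry that is executable."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    return [(n, classify_entry(n)) for n in names if classify_entry(n) != "ok"]

def build_sample_archive():
    """Constructed in-memory sample; the post's real archive is not reproduced here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Readme.doc.exe", b"placeholder bytes, not malware")
        zf.writestr("notes.txt", b"plain text")
        zf.writestr("Readme.doc .exe", b"placeholder bytes, not malware")
    return buf.getvalue()

if __name__ == "__main__":
    for name, verdict in scan_archive(build_sample_archive()):
        print("%-20s %s" % (name, verdict))
```

The same classifier can be applied to mail attachments before they reach a user; the point is that the decision is made on the full name, not on what Explorer chooses to display.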


Screenshot of the file

Report Generated 8.2.2009 at 15.21.26 (GMT 1)
Filename: Readme.doc.exe
File size: 107 KB
MD5 Hash: FFF3D04DEEA479E4B20326E2F064C5D9
SHA1 Hash: 6706D9D75527CCB81F987ED695CCE8E496A57531
CRC32: 908571496
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 23 on 23 (100 %)

Antivirus Sig Version Result
a-squared 06/02/2009 Worm.Win32.Mabezat.b!IK
Avira AntiVir 7.1.1.235 Worm/Mabezat.b
Avast 090205-1 Win32:Mabezat
AVG 270.10.7/1893 Worm/Generic.EDT
BitDefender 08/02/2009 Win32.Worm.Mabezat.J
ClamAV 06/02/2009 W32.Mabezat-2
Comodo 969 Worm.Win32.Mabezat.b
Dr.Web 08/02/2009 Win32.HLLW.Tazebama
Ewido 08/02/2009 Worm.Mabezat.b
F-PROT 6 20090207 W32/Worm!a69a
G DATA 19.2912 Worm.Win32.Mabezat.b A
IkarusT3 06/02/2009 Worm.Win32.Mabezat.b
Kaspersky 08/02/2009 Worm.Win32.Mabezat.b
McAfee 05/02/2009 W32/Mabezat virus
MHR (Malware Hash Registry) 08/02/2009 Virus Found – detect rate 86%
NOD32 v3 3836 Win32/Mabezat.A virus
Norman Virus Mabezat.B
Panda 21/01/2009 W32/Mabezat.C.worm
QuickHeal 07 February, 2009 W32.Mabezat.Dr
Sophos 08/02/2009 W32/Mabezat-B
TrendMicro 819(581900) PE_MABEZAT.B-O
VBA32 08/02/2009 Worm.Win32.Mabezat.b
VirusBuster 10.101.3 Worm.Mabezat.A
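The hashes in the report are the indicators a responder would reuse. The following script is an added example (not part of the original post): it computes the same three checksums the report lists, normalises them for comparison, and matches a file against the values copied from the report above. The size pre-filter and the decision to trust only MD5/SHA1 (not CRC32) are my choices; the sample bytes in the demonstration are constructed.

```python
import hashlib
import os
import zlib

# Indicators copied from the report above, exactly as the post prints them.
MABEZAT_IOC = {
    "filename": "Readme.doc.exe",
    "size_kb": 107,
    "md5": "FFF3D04DEEA479E4B20326E2F064C5D9",
    "sha1": "6706D9D75527CCB81F987ED695CCE8E496A57531",
    "crc32": 908571496,   # printed as an unsigned decimal, not hex
}

def fingerprint(data):
    """Compute the three checksums the report lists, normalised for comparison."""
    return {
        "md5": hashlib.md5(data).hexdigest().lower(),
        "sha1": hashlib.sha1(data).hexdigest().lower(),
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,   # keep it unsigned on every Python version
    }

def crc32_hex(value):
    """Render a decimal CRC32 as the 8-digit uppercase hex most tools print."""
    return "%08X" % (value & 0xFFFFFFFF)

def size_plausible(nbytes, size_kb):
    """Cheap pre-filter: the report rounds to whole KB and may use 1000- or
    1024-byte units, so accept a generous window around the printed size."""
    return (size_kb - 2) * 1000 <= nbytes < (size_kb + 1) * 1024

def matches_ioc(fp, ioc):
    """Decide on the cryptographic hashes only. CRC32 is a 32-bit checksum and
    collides easily, so a CRC32 hit with a hash mismatch only means 'look closer'."""
    return fp["md5"] == ioc["md5"].lower() or fp["sha1"] == ioc["sha1"].lower()

def scan_file(path, ioc=MABEZAT_IOC):
    """Return 'match', 'crc-only' or 'clean' for one file on disk."""
    nbytes = os.path.getsize(path)
    if not size_plausible(nbytes, ioc["size_kb"]):
        return "clean"          # no need to hash a file that cannot be this sample
    with open(path, "rb") as f:
        fp = fingerprint(f.read())
    if matches_ioc(fp, ioc):
        return "match"
    if fp["crc32"] == ioc["crc32"]:
        return "crc-only"
    return "clean"

if __name__ == "__main__":
    sample = b"constructed placeholder bytes, not the worm"
    fp = fingerprint(sample)
    print(fp, "match" if matches_ioc(fp, MABEZAT_IOC) else "clean")
    print("CRC32 from the report in hex:", crc32_hex(MABEZAT_IOC["crc32"]))  # 3627B368
```

Run scan_file over a directory listing to triage a machine; comparing in lower case avoids the false negatives that come from tools printing hashes in different cases.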

When the file is executed, it creates the following files:

C:\Documents and Settings\MyDocuments\RCX1.tmp
C:\Documents and Settings\user009\Application Data\tazebama
C:\Documents and Settings\MyDocuments\Readme.doc .exe
C:\Documents and Settings\tazebama.dll
C:\Documents and Settings\hook.dl_
C:\Documents and Settings\tazebama.dl_
C:\zPharaoh.exe
C:\1.taz

Most of the above files have the +H (Hidden) attribute, and the file 1.taz is renamed to C:\autorun.inf. The content of autorun.inf looks like a USB spreader:
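An autorun.inf on the root of a drive is what lets a worm like this one start when the drive is plugged in. The parser below is an added example, not from the original post: it reads the INI-like file and reports the directives that launch a program or reroute the double-click action in Explorer. The sample file is constructed for the demonstration (the post only shows the worm's autorun.inf as a screenshot, so its real content is not reproduced).

```python
# Directives in [autorun] that run a program or change what a double-click does.
LAUNCH_KEYS = {"open", "shellexecute"}

# Constructed sample; not the contents of the worm's autorun.inf.
SAMPLE_AUTORUN = r"""[autorun]
; constructed sample for the parser below
open=dropper.exe
shellexecute=dropper.exe
shell\open\command=dropper.exe
shell=open
icon=%SystemRoot%\system32\shell32.dll,4
label=Removable Disk
"""

def parse_autorun(text):
    """Parse autorun.inf into {section: {key: value}}; keys are case-insensitive."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue                                  # blank or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def suspicious_directives(text):
    """Return (key, value) pairs that would run code on insertion or on
    double-click: open/shellexecute, any shell\...\command verb, and a
    'shell=' line that changes the default verb."""
    auto = parse_autorun(text).get("autorun", {})
    findings = []
    for key, value in auto.items():
        is_verb_command = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb_command or key == "shell":
            findings.append((key, value))
    return findings

if __name__ == "__main__":
    for key, value in suspicious_directives(SAMPLE_AUTORUN):
        print("%-22s -> %s" % (key, value))
```

A benign autorun.inf that only sets icon= and label= produces no findings; anything that names an executable on a removable drive is worth quarantining before the drive is opened in Explorer, and disabling AutoRun for removable media removes the infection vector entirely.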


Screenshot of autorun.inf


This malware disables a lot of registry DWORD keys and deletes about 66 files, most of which are important system files:


Screenshot of Windows Alert Window


We can extract some interesting strings from the file named tazebama.dl_:

tazebama.DLL
jmping to the main_entrypoint.......
No reation.......
begin CreateProcess(tazebama.exe).......
Putting the entry point.....
Creating tazebama.exe.....
\tazebama.dl_
creating folder  Documents and Settings.....
Creating hook.dl_.....
\hook.dl_
%c:\Documents and Settings
Reading .rar.....
Reading word icon.....
Reading tazebama.exe.....
Reading jmp[8].....
Reading .text.....
Start.....
FDeleting file......
hook.dl_
\Prog.tmp
my_fnCreateProcessA
tazebama.dll
:\Documents and Settings\hook.dl_ /infectdirectory
HKCR
Tazebama.TazebamaHook.1 = s 'TazebamaHook Class'
CLSID = s '{79806449-AB35-42EC-9BE9-B390209CE514}'
Tazebama.TazebamaHook = s 'TazebamaHook Class'
CLSID = s '{79806449-AB35-42EC-9BE9-B390209CE514}'
CurVer = s 'Tazebama.TazebamaHook.1'
val '{79806449-AB35-42EC-9BE9-B390209CE514}' = s 'Tazebama Hook'
TAZEBAMALibW
TazebamaHookd
ITazebamaHookWWW
tazebama 1.0 Type LibraryW
TazebamaHook Class
ITazebamaHook InterfaceWWW
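The HKCR / CLSID / CurVer lines in the dump are the shape of an ATL registry script (.rgs) that registers a COM class, which is how the hook DLL is made loadable by ProgID. The script below is an added example, not from the original post: it parses those flattened lines (the braces did not survive the strings extraction) into the ProgIDs and CLSID the script would create, and, when run on Windows, checks read-only whether any of them exist under HKCR. The line format it accepts and the ProgID pattern are my assumptions; on non-Windows hosts the registry check simply returns None.

```python
import re

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Vendor.Class or Vendor.Class.N, the usual ProgID shape.
PROGID_RE = re.compile(r"^[A-Za-z]\w*\.[A-Za-z]\w*(?:\.\d+)?$")

# Registration lines exactly as they appear in the strings dump above.
MABEZAT_RGS = """\
HKCR
Tazebama.TazebamaHook.1 = s 'TazebamaHook Class'
CLSID = s '{79806449-AB35-42EC-9BE9-B390209CE514}'
Tazebama.TazebamaHook = s 'TazebamaHook Class'
CLSID = s '{79806449-AB35-42EC-9BE9-B390209CE514}'
CurVer = s 'Tazebama.TazebamaHook.1'
val '{79806449-AB35-42EC-9BE9-B390209CE514}' = s 'Tazebama Hook'
"""

def parse_rgs_lines(text):
    """Turn flattened .rgs lines into (kind, name, value) tuples:
    "key = s 'v'"       -> a subkey whose default value is v
    "val 'n' = s 'v'"   -> a named value n under the current key
    a bare token        -> a key with no default value (e.g. HKCR)"""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^val\s+'([^']*)'\s*=\s*s\s*'([^']*)'$", line)
        if m:
            entries.append(("value", m.group(1), m.group(2)))
            continue
        m = re.match(r"^(\S+)\s*=\s*s\s*'([^']*)'$", line)
        if m:
            entries.append(("key", m.group(1), m.group(2)))
            continue
        entries.append(("key", line, None))
    return entries

def registration_indicators(text):
    """Collect the ProgIDs and CLSIDs the script would create under HKCR."""
    progids = {name for kind, name, _ in parse_rgs_lines(text)
               if kind == "key" and PROGID_RE.match(name)}
    clsids = set(GUID_RE.findall(text))
    return progids, clsids

def registered_under_hkcr(progids, clsids):
    """On Windows, return the indicators that exist under HKCR (read-only lookups);
    elsewhere return None so callers can tell 'not checked' from 'not found'."""
    try:
        import winreg
    except ImportError:
        return None
    found = []
    for path in list(progids) + ["CLSID\\" + c for c in clsids]:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, path))
            found.append(path)
        except OSError:
            pass                      # key absent: nothing registered
    return found

if __name__ == "__main__":
    progids, clsids = registration_indicators(MABEZAT_RGS)
    print("ProgIDs:", sorted(progids))
    print("CLSIDs:", sorted(clsids))
    print("Present under HKCR:", registered_under_hkcr(progids, clsids))
```

The CLSID in particular is a stable indicator: a sample can be repacked so its hashes change, but the COM registration it writes tends to stay the same across variants.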

How to remove this malware?


Type these commands at a cmd.exe (DOS) prompt:

taskkill /F /IM zPharaoh.exe
taskkill /F /IM tazebama.dl_
taskkill /F /IM "Readme.doc .exe"
rem The tazebama folder is created under the current user's Application Data, i.e. %APPDATA%
rmdir /S /Q "%APPDATA%\tazebama"
rem The dropped files are hidden (+H): del /A deletes regardless of attributes, /F also removes read-only copies
del /A /F "C:\Documents and Settings\tazebama.dll"
del /A /F "C:\Documents and Settings\hook.dl_"
del /A /F "C:\Documents and Settings\tazebama.dl_"
del /A /F C:\1.taz
del /A /F C:\zPharaoh.exe
del /A /F C:\autorun.inf

Then restart your computer.


Alternatively, you can scan your system with NoVirusThanks Malware Remover to find and remove other possible threats from your computer.


One Approved Response

  1. Sub-zero Says:

    the software didn't work with me
