PROHIBITED_MATRIMONY.rar Spam = Worm.Win32.Mabezat
We recently received an email carrying an archive (RAR extension, despite often being described as a ZIP) named:
PROHIBITED_MATRIMONY.rar
The subject of the email is:
ABOUT PEOPLE WITH WHOM MATRIMONY IS PROHIBITED
The file extracted from PROHIBITED_MATRIMONY.rar is named Readme.doc.exe. Note the double extension: because Windows Explorer hides known extensions by default, the name is displayed as Readme.doc, so the user is tricked into thinking it is a normal .DOC file rather than a malicious .EXE.
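The same trick, turned into a check you can run over an archive listing before anyone extracts it. This is an added example (my code, not from the original post or from NoVirusThanks): it flags names whose real, final extension is executable while an earlier document-looking extension, whitespace padding (the dropped copy is literally named "Readme.doc .exe", with a space) or a bidi override character hides that from the user. The member names below are constructed test input.

```python
# Triage attachment / archive member names for the "Readme.doc.exe" trick.
# Added example, not code from the original post. Windows Explorer hides
# known extensions by default, so "Readme.doc.exe" is shown as "Readme.doc"
# and "Readme.doc .exe" as "Readme.doc " (trailing space easy to miss).

EXECUTABLE_EXTS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "msi", "dll", "lnk",
}
DOCUMENT_EXTS = {
    "doc", "docx", "rtf", "pdf", "txt", "xls", "xlsx", "ppt", "pptx",
    "jpg", "jpeg", "png", "gif", "htm", "html",
}
# Unicode bidi overrides let "x\u202egpj.exe" render as "xexe.jpg".
BIDI_OVERRIDES = {"\u202a", "\u202b", "\u202d", "\u202e", "\u2066", "\u2067", "\u2068"}


def _basename(name: str) -> str:
    # Archive listings may carry forward or backward slashes.
    return name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]


def effective_extension(name: str) -> str:
    """Extension Windows actually uses to pick a handler: the text after the
    last '.', lower-cased, with surrounding whitespace removed."""
    base = _basename(name)
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].strip().lower()


def triage_filename(name: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    if any(ch in BIDI_OVERRIDES for ch in name):
        findings.append("bidi override character in name (displayed extension is not the real one)")
    cleaned = "".join(ch for ch in name if ch not in BIDI_OVERRIDES)
    parts = _basename(cleaned).split(".")
    ext = effective_extension(cleaned)
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{ext}")
        inner = [p.strip().lower() for p in parts[1:-1]]
        if any(p in DOCUMENT_EXTS for p in inner):
            findings.append("document-looking extension before the executable one (double extension)")
        # "Readme.doc .exe": the segment before the real extension ends in whitespace.
        if len(parts) >= 2 and parts[-2] != parts[-2].rstrip():
            findings.append("whitespace padding before the final extension")
    return findings


def triage_listing(names) -> dict:
    """Map each suspicious member name of an archive listing to its findings."""
    result = {}
    for n in names:
        f = triage_filename(n)
        if f:
            result[n] = f
    return result


if __name__ == "__main__":
    # Constructed listing: one benign member plus the variants seen in the wild.
    sample = ["notes.txt", "Readme.doc.exe", "Readme.doc .exe", "holiday\u202egpj.exe"]
    for name, findings in triage_listing(sample).items():
        print(repr(name))
        for f in findings:
            print("   -", f)
```

The check deliberately keys off the extension Windows will honour, not the one a human sees; a mail gateway or sandbox that only looks at the characters before the first dot would pass all three malicious names above.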
Report Generated 8.2.2009 at 15.21.26 (GMT 1)
Filename: Readme.doc.exe
File size: 107 KB
MD5 Hash: FFF3D04DEEA479E4B20326E2F064C5D9
SHA1 Hash: 6706D9D75527CCB81F987ED695CCE8E496A57531
CRC32: 908571496
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 23 of 23 (100 %)
Antivirus  Sig Version  Result
a-squared 06/02/2009 Worm.Win32.Mabezat.b!IK
Avira AntiVir 7.1.1.235 Worm/Mabezat.b
Avast 090205-1 Win32:Mabezat
AVG 270.10.7/1893 Worm/Generic.EDT
BitDefender 08/02/2009 Win32.Worm.Mabezat.J
ClamAV 06/02/2009 W32.Mabezat-2
Comodo 969 Worm.Win32.Mabezat.b
Dr.Web 08/02/2009 Win32.HLLW.Tazebama
Ewido 08/02/2009 Worm.Mabezat.b
F-PROT 6 20090207 W32/Worm!a69a
G DATA 19.2912 Worm.Win32.Mabezat.b A
IkarusT3 06/02/2009 Worm.Win32.Mabezat.b
Kaspersky 08/02/2009 Worm.Win32.Mabezat.b
McAfee 05/02/2009 W32/Mabezat virus
MHR (Malware Hash Registry) 08/02/2009 Virus Found – detect rate 86%
NOD32 v3 3836 Win32/Mabezat.A virus
Norman Virus Mabezat.B
Panda 21/01/2009 W32/Mabezat.C.worm
QuickHeal 07 February, 2009 W32.Mabezat.Dr
Sophos 08/02/2009 W32/Mabezat-B
TrendMicro 819(581900) PE_MABEZAT.B-O
VBA32 08/02/2009 Worm.Win32.Mabezat.b
VirusBuster 10.101.3 Worm.Mabezat.A
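What "[Overlay]" in the report means, and how to check for one yourself. This is an added example (my code, not the report tool's or the post's): an overlay is data appended past the last PE section, which the loader never maps, so droppers use it to carry payloads (the strings later in the post mention reading a .rar and a Word icon out of the file). The block also computes the three hashes the report prints (CRC32 as an unsigned decimal, as in the report). The PE image it parses is a constructed, non-runnable toy built inline, not the real sample.

```python
import hashlib
import struct
import zlib

# Added example, not code from the original post. Parses enough of a PE32
# header to find where the last section's raw data ends; anything after
# that is the overlay.

COFF_FMT = "<HHIIIHH"        # Machine, NumberOfSections, TimeDateStamp, PtrSym, NumSym, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics

# Magic bytes worth recognising at the start of an overlay.
MAGIC = {
    b"MZ": "MZ/PE executable",
    b"Rar!\x1a\x07\x00": "RAR archive",
    b"PK\x03\x04": "ZIP archive",
}


def file_hashes(data: bytes) -> dict:
    """MD5 / SHA-1 hex digests and CRC32 as an unsigned integer."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,
    }


def pe_overlay(data: bytes) -> tuple:
    """Return (overlay_offset, overlay_size); size 0 means no overlay."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from(COFF_FMT, data, coff)
    sec_table = coff + 20 + size_opt
    # The section headers themselves are the minimum extent of the image.
    end = sec_table + 40 * num_sections
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_FMT, data, sec_table + 40 * i)
        raw_size, raw_ptr = fields[3], fields[4]
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    if end >= len(data):
        return (len(data), 0)
    return (end, len(data) - end)


def overlay_info(data: bytes) -> dict:
    """Overlay location plus a guess at what it holds, from its leading bytes."""
    off, size = pe_overlay(data)
    kind = "none"
    if size:
        head = data[off:off + 8]
        kind = next((k for m, k in MAGIC.items() if head.startswith(m)), "unknown")
    return {"offset": off, "size": size, "type": kind}


def build_toy_pe(section_data: bytes, overlay: bytes = b"") -> bytes:
    """Constructed test input: a minimal, non-runnable PE32 with one section,
    file alignment 0x200, and an optional trailing overlay."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0  # standard PE32 optional header size
    coff = struct.pack(COFF_FMT, 0x14C, 1, 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)
    headers_len = e_lfanew + 4 + 20 + size_opt + 40
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF
    raw_size = (len(section_data) + 0x1FF) & ~0x1FF
    sect = struct.pack(SECTION_FMT, b".text\0\0\0", len(section_data), 0x1000,
                       raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\0\0" + coff + opt + sect
    image += b"\0" * (raw_ptr - len(image))
    image += section_data + b"\0" * (raw_size - len(section_data))
    return image + overlay


if __name__ == "__main__":
    toy = build_toy_pe(b"\xcc" * 100, overlay=b"Rar!\x1a\x07\x00" + b"X" * 50)
    print(file_hashes(toy))
    print(overlay_info(toy))
```

On a real sample, read the file with `open(path, "rb").read()` and pass it to `overlay_info`; a large overlay starting with an archive or a second MZ header is exactly what the "[Overlay]" flag is warning about, and it is worth carving out and scanning on its own.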
When the file is executed, it creates the following files (user009 is the profile of the test user):
```
C:\Documents and Settings\MyDocuments\RCX1.tmp
C:\Documents and Settings\user009\Application Data\tazebama
C:\Documents and Settings\MyDocuments\Readme.doc .exe
C:\Documents and Settings\tazebama.dll
C:\Documents and Settings\hook.dl_
C:\Documents and Settings\tazebama.dl_
C:\zPharaoh.exe
C:\1.taz
```
Most of the above files carry the +H (Hidden) attribute, and the file 1.taz is renamed to C:\autorun.inf. The content of autorun.inf is that of a typical removable-drive (USB) spreader, so any drive that was plugged into the infected machine should be assumed to carry a copy.
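The post does not reproduce the autorun.inf itself, so here is an added example (my code, not the post's) of how such a spreader file is laid out and how to triage one found on a drive: a tolerant parser for the [autorun] section that separates the keys which launch a program from the ones that merely decorate the drive. The sample file is constructed; the launched file name `dropper.exe` is a placeholder, not the worm's real target.

```python
import re

# Added example, not code from the original post.
# Keys whose values cause code execution when AutoRun is honoured.
LAUNCH_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# Keys that only decorate the drive or steer the AutoPlay dialog.
UI_KEYS = {"icon", "label", "action", "useautoplay"}

# Constructed sample in the layout removable-drive spreaders use; the
# target name is a placeholder because the post does not show the real file.
SAMPLE_SPREADER = """\
[AutoRun]
open=dropper.exe
shellexecute=dropper.exe
shell\\open\\Command=dropper.exe
shell\\explore\\command=dropper.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""

# Constructed benign file: custom icon and label only.
SAMPLE_BENIGN = "[autorun]\nicon=stick.ico\nlabel=Backup\n"


def parse_autorun(text: str) -> list:
    """Return (key, value) pairs of the [autorun] section, keys lower-cased.
    Tolerant of mixed case, whitespace and junk lines, which spreader files
    often contain to confuse naive scanners."""
    entries = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            # [autorun] and platform variants such as [autorun.amd64]
            in_autorun = m.group(1).strip().lower().startswith("autorun")
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries.append((key.strip().lower(), value.strip()))
    return entries


def launch_entries(text: str) -> list:
    """Entries that would run a program on insert, open or explore."""
    return [(k, v) for k, v in parse_autorun(text) if LAUNCH_KEY_RE.match(k)]


def looks_like_spreader(text: str) -> bool:
    """A removable drive has no business launching anything: any launch key
    on a USB stick is suspicious, whatever it points at."""
    return bool(launch_entries(text))


if __name__ == "__main__":
    for label, text in (("spreader", SAMPLE_SPREADER), ("benign", SAMPLE_BENIGN)):
        print(label, "->", launch_entries(text), "suspicious:", looks_like_spreader(text))
```

To stop a host from honouring such a file at all, set the DWORD value NoDriveTypeAutoRun to 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (this disables AutoRun for every drive type). Since Microsoft's 2011 AutoPlay update (KB971029) for Windows XP and Vista, and on Windows 7 and later by default, autorun.inf is no longer honoured on USB flash drives, so this spreading method mainly threatens unpatched XP-era hosts like the one in this report.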
The malware also changes a number of registry DWORD values to disable system features, and it deletes about 66 files, most of them system files that Windows needs.
Some interesting strings can be extracted from the file named tazebama.dl_. Note the ATL registry-script fragment, which registers a COM class Tazebama.TazebamaHook with the CLSID below under HKCR, and the string my_fnCreateProcessA, consistent with the DLL hooking CreateProcessA:
```
tazebama.DLL
jmping to the main_entrypoint.......
No reation.......
begin CreateProcess(tazebama.exe).......
Putting the entry point.....
Creating tazebama.exe.....
\tazebama.dl_
creating folder Documents and Settings.....
Creating hook.dl_.....
\hook.dl_
%c:\Documents and Settings
Reading .rar.....
Reading word icon.....
Reading tazebama.exe.....
Reading jmp[8].....
Reading .text.....
Start.....
FDeleting file......
hook.dl_
\Prog.tmp
my_fnCreateProcessA
tazebama.dll
:\Documents and Settings\hook.dl_
/infectdirectory
HKCR
Tazebama.TazebamaHook.1 = s 'TazebamaHook Class'
CLSID = s '{79806449-AB35-42EC-9BE9-B390209CE514}'
Tazebama.TazebamaHook = s 'TazebamaHook Class'
CLSID = s '{79806449-AB35-42EC-9BE9-B390209CE514}'
CurVer = s 'Tazebama.TazebamaHook.1'
val '{79806449-AB35-42EC-9BE9-B390209CE514}' = s 'Tazebama Hook'
TAZEBAMALibW
TazebamaHookd
ITazebamaHookWWW
tazebama 1.0 Type LibraryW
TazebamaHook Class ITazebamaHook InterfaceWWW
```
How to remove this malware?
Type these commands in an elevated cmd.exe prompt. Paths containing spaces must be quoted, the /A switch lets del remove the hidden files, and USER must be replaced with the name of the affected user profile:
```
taskkill /F /IM zPharaoh.exe
taskkill /F /IM tazebama.dl_
taskkill /F /IM "Readme.doc .exe"
rmdir /S /Q "C:\Documents and Settings\USER\Application Data\tazebama"
del /A /F "C:\Documents and Settings\tazebama.dll"
del /A /F "C:\Documents and Settings\hook.dl_"
del /A /F "C:\Documents and Settings\tazebama.dl_"
del /A /F C:\1.taz
del /A /F C:\zPharaoh.exe
del /A /F C:\autorun.inf
```
If a delete fails because tazebama.dll is still loaded by a process, reboot into Safe Mode and repeat. Then restart the computer, remove the remaining dropped files listed above (RCX1.tmp and the Readme.doc .exe copy under MyDocuments), and delete the autorun.inf and zPharaoh.exe pair from every removable drive that was connected to the infected machine.
Alternatively you can scan your system with NoVirusThanks Malware Remover to find and remove other possible dangerous threats from your computer.