PROHIBITED_MATRIMONY.rar Spam = Worm.Win32.Mabezat

We have recently received an email that contains a ZIP archive named:

PROHIBITED_MATRIMONY.rar

The subject of the email is:

ABOUT PEOPLE WITH WHOM MATRIMONY IS PROHIBITED

The file extracted from PROHIBITED_MATRIMONY.rar is named Readme.doc.exe; note the double extension, used to trick the user into thinking it is a normal .DOC file rather than a malicious .EXE file.
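As an added example (not from the original post), the following Python script flags archive members whose names use this double-extension trick, including the space-padded form "Readme.doc .exe" that the worm uses for the copy it drops. It builds its own sample ZIP in memory (the standard library has no RAR reader), with placeholder bytes standing in for the real executable; the extension lists are constructed and not exhaustive.

```python
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Final extensions Windows executes directly (constructed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}
# Decoy extensions a user reads as "just a document" (constructed list).
DECOY_EXTS = {"doc", "docx", "pdf", "xls", "txt", "jpg", "rtf", "htm", "html"}

# Matches "Readme.doc.exe" or "Readme.doc .exe": a decoy extension, optional
# whitespace padding, then the real extension at the end of the name.
DOUBLE_EXT_RE = re.compile(r"\.(?P<decoy>[A-Za-z0-9]{1,5})\s*\.(?P<real>[A-Za-z0-9]{1,4})$")


def classify_name(name: str) -> Optional[str]:
    """Return why a file name looks like a disguised executable, else None."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]  # strip any folder part
    m = DOUBLE_EXT_RE.search(base)
    if not m:
        return None
    real, decoy = m.group("real").lower(), m.group("decoy").lower()
    if real not in EXECUTABLE_EXTS:
        return None  # e.g. archive.tar.gz is an ordinary double extension
    if decoy in DECOY_EXTS:
        return f"executable .{real} disguised as .{decoy}"
    return f"executable .{real} behind a double extension"


def scan_zip(data: bytes) -> List[Tuple[str, str]]:
    """List (member name, reason) for every suspicious member of a ZIP."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = classify_name(info.filename)
            if reason:
                hits.append((info.filename, reason))
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample mimicking the spam attachment; no real worm inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Readme.doc.exe", b"MZ placeholder")
        zf.writestr("Readme.doc .exe", b"MZ placeholder")
        zf.writestr("notes.txt", b"harmless text")
    return buf.getvalue()
```

Running scan_zip(build_sample_zip()) returns the two Readme members with the reason "executable .exe disguised as .doc" and leaves notes.txt alone; on Windows with "Hide extensions for known file types" enabled, both would have been displayed simply as "Readme.doc".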

Screenshot of the file

Report Generated 8.2.2009 at 15.21.26 (GMT 1)
Filename: Readme.doc.exe
File size: 107 KB
MD5 Hash: FFF3D04DEEA479E4B20326E2F064C5D9
SHA1 Hash: 6706D9D75527CCB81F987ED695CCE8E496A57531
CRC32: 908571496
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 23 on 23 (100 %)

Antivirus Sig Version Result
a-squared 06/02/2009 Worm.Win32.Mabezat.b!IK
Avira AntiVir 7.1.1.235 Worm/Mabezat.b
Avast 090205-1 Win32:Mabezat
AVG 270.10.7/1893 Worm/Generic.EDT
BitDefender 08/02/2009 Win32.Worm.Mabezat.J
ClamAV 06/02/2009 W32.Mabezat-2
Comodo 969 Worm.Win32.Mabezat.b
Dr.Web 08/02/2009 Win32.HLLW.Tazebama
Ewido 08/02/2009 Worm.Mabezat.b
F-PROT 6 20090207 W32/Worm!a69a
G DATA 19.2912 Worm.Win32.Mabezat.b A
IkarusT3 06/02/2009 Worm.Win32.Mabezat.b
Kaspersky 08/02/2009 Worm.Win32.Mabezat.b
McAfee 05/02/2009 W32/Mabezat virus
MHR (Malware Hash Registry) 08/02/2009 Virus Found – detect rate 86%
NOD32 v3 3836 Win32/Mabezat.A virus
Norman Virus Mabezat.B
Panda 21/01/2009 W32/Mabezat.C.worm
QuickHeal 07 February, 2009 W32.Mabezat.Dr
Sophos 08/02/2009 W32/Mabezat-B
TrendMicro 819(581900) PE_MABEZAT.B-O
VBA32 08/02/2009 Worm.Win32.Mabezat.b
VirusBuster 10.101.3 Worm.Mabezat.A

When the file is executed, it creates the following files:

C:\Documents and Settings\MyDocuments\RCX1.tmp
C:\Documents and Settings\user009\Application Data\tazebama
C:\Documents and Settings\MyDocuments\Readme.doc .exe
C:\Documents and Settings\tazebama.dll
C:\Documents and Settings\hook.dl_
C:\Documents and Settings\tazebama.dl_
C:\zPharaoh.exe
C:\1.taz

Most of the above files have the +H (Hidden) attribute set, and the file 1.taz is renamed to C:\autorun.inf. The content of autorun.inf looks like a USB spreader:

Screenshot of autorun.inf

This malware disables a number of registry DWORD values and deletes about 66 files, most of which are important and needed system files:

Screenshot of Windows Alert Window

We can extract some interesting strings from the file named tazebama.dl_:

tazebama.DLL
jmping to the main_entrypoint.......
No reation.......
begin CreateProcess(tazebama.exe).......
Putting the entry point.....
Creating tazebama.exe.....
\tazebama.dl_
creating folder  Documents and Settings.....
Creating hook.dl_.....
\hook.dl_
%c:\Documents and Settings
Reading .rar.....
Reading word icon.....
Reading tazebama.exe.....
Reading jmp[8].....
Reading .text.....
Start.....
FDeleting file......
hook.dl_
\Prog.tmp
my_fnCreateProcessA
tazebama.dll
:\Documents and Settings\hook.dl_ /infectdirectory
HKCR
Tazebama.TazebamaHook.1 = s 'TazebamaHook Class'
CLSID = s '{79806449-AB35-42EC-9BE9-B390209CE514}'
Tazebama.TazebamaHook = s 'TazebamaHook Class'
CLSID = s '{79806449-AB35-42EC-9BE9-B390209CE514}'
CurVer = s 'Tazebama.TazebamaHook.1'
val '{79806449-AB35-42EC-9BE9-B390209CE514}' = s 'Tazebama Hook'
TAZEBAMALibW
TazebamaHookd
ITazebamaHookWWW
tazebama 1.0 Type LibraryW
TazebamaHook Class
ITazebamaHook InterfaceWWW

How to remove this malware?

Type these commands at a cmd.exe (DOS) prompt:

rem Kill the running worm processes (the dropped copy has a space in its name, so it must be quoted)
taskkill /F /IM zPharaoh.exe
taskkill /F /IM tazebama.dl_
taskkill /F /IM "Readme.doc .exe"
rem Remove the dropped files: paths with spaces must be quoted, /A deletes
rem regardless of the Hidden attribute, /F overrides Read-only, and
rem rmdir /S /Q removes the folder together with its contents
rmdir /S /Q "C:\Documents and Settings\USER\Application Data\tazebama"
del /F /A "C:\Documents and Settings\tazebama.dll"
del /F /A "C:\Documents and Settings\hook.dl_"
del /F /A "C:\Documents and Settings\tazebama.dl_"
del /F /A C:\1.taz
del /F /A C:\zPharaoh.exe
del /F /A C:\autorun.inf

Then restart your computer.

Alternatively, you can scan your system with NoVirusThanks Malware Remover to find and remove other potentially dangerous threats from your computer.
