PROHIBITED_MATRIMONY.rar Spam = Worm.Win32.Mabezat
We have recently received an email that contains a ZIP archive named:
PROHIBITED_MATRIMONY.rar
The subject of the email is:
ABOUT PEOPLE WITH WHOM MATRIMONY IS PROHIBITED
The file extracted from PROHIBITED_MATRIMONY.rar is named Readme.doc.exe and note that it has the double extension to trick the user to think that it is a normal .DOC file instead of a malicious .EXE file.
Report Generated 8.2.2009 at 15.21.26 (GMT 1)
Filename: Readme.doc.exe
File size: 107 KB
MD5 Hash: FFF3D04DEEA479E4B20326E2F064C5D9
SHA1 Hash: 6706D9D75527CCB81F987ED695CCE8E496A57531
CRC32: 908571496
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 23 on 23 (100 %)Antivirus Sig Version Result
a-squared 06/02/2009 Worm.Win32.Mabezat.b!IK
Avira AntiVir 7.1.1.235 Worm/Mabezat.b
Avast 090205-1 Win32:Mabezat
AVG 270.10.7/1893 Worm/Generic.EDT
BitDefender 08/02/2009 Win32.Worm.Mabezat.J
ClamAV 06/02/2009 W32.Mabezat-2
Comodo 969 Worm.Win32.Mabezat.b
Dr.Web 08/02/2009 Win32.HLLW.Tazebama
Ewido 08/02/2009 Worm.Mabezat.b
F-PROT 6 20090207 W32/Worm!a69a
G DATA 19.2912 Worm.Win32.Mabezat.b A
IkarusT3 06/02/2009 Worm.Win32.Mabezat.b
Kaspersky 08/02/2009 Worm.Win32.Mabezat.b
McAfee 05/02/2009 W32/Mabezat virus
MHR (Malware Hash Registry) 08/02/2009 Virus Found – detect rate 86%
NOD32 v3 3836 Win32/Mabezat.A virus
Norman Virus Mabezat.B
Panda 21/01/2009 W32/Mabezat.C.worm
QuickHeal 07 February, 2009 W32.Mabezat.Dr
Sophos 08/02/2009 W32/Mabezat-B
TrendMicro 819(581900) PE_MABEZAT.B-O
VBA32 08/02/2009 Worm.Win32.Mabezat.b
VirusBuster 10.101.3 Worm.Mabezat.A
When the file is executed, it creates the following files:
1 2 3 4 5 6 7 8 | C:\Documents and Settings\MyDocuments\RCX1.tmp C:\Documents and Settings\user009\Application Data\tazebama C:\Documents and Settings\MyDocuments\Readme.doc .exe C:\Documents and Settings\tazebama.dll C:\Documents and Settings\hook.dl_ C:\Documents and Settings\tazebama.dl_ C:\zPharaoh.exe C:\1.taz |
Most of the above files have the +H (Hidden) attribute and the file 1.taz is renamed in C:\autorun.inf. The content of the file autorun.inf looks like an USB spreader:
This malware disables a lot of registry DWORD keys and it deletes about 66 files, of which most are important and needed system files:
We can extract some interesting strings from the file named tazebama.dl_:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 | tazebama.DLL
jmping to the main_entrypoint.......
No reation.......
begin CreateProcess(tazebama.exe).......
Putting the entry point.....
Creating tazebama.exe.....
\tazebama.dl_
creating folder Documents and Settings.....
Creating hook.dl_.....
\hook.dl_
%c:\Documents and Settings
Reading .rar.....
Reading word icon.....
Reading tazebama.exe.....
Reading jmp[8].....
Reading .text.....
Start.....
FDeleting file......
hook.dl_
\Prog.tmp
my_fnCreateProcessA
tazebama.dll
:\Documents and Settings\hook.dl_ /infectdirectory
HKCR
Tazebama.TazebamaHook.1 = s 'TazebamaHook Class'
CLSID = s '{79806449-AB35-42EC-9BE9-B390209CE514}'
Tazebama.TazebamaHook = s 'TazebamaHook Class'
CLSID = s '{79806449-AB35-42EC-9BE9-B390209CE514}'
CurVer = s 'Tazebama.TazebamaHook.1'
val '{79806449-AB35-42EC-9BE9-B390209CE514}' = s 'Tazebama Hook'
TAZEBAMALibW
TazebamaHookd
ITazebamaHookWWW
tazebama 1.0 Type LibraryW
TazebamaHook Class
ITazebamaHook InterfaceWWW |
How to remove this malware ?
Type these commands in cmd.exe (DOS) prompt:
1 2 3 4 5 6 7 8 9 10 | taskkill /F /IM zPharaoh.exe taskkill /F /IM tazebama.dl_ taskkill /F /IM Readme.doc .exe rmdir C:\Documents and Settings\USER\Application Data\tazebama del C:\Documents and Settings\tazebama.dll del C:\Documents and Settings\hook.dl_ del C:\Documents and Settings\tazebama.dl_ del C:\1.taz del C:\zPharaoh.exe del C:\autorun.inf |
Then restart your computer.
Alternatively you can scan your system with NoVirusThanks Malware Remover to find and remove other possible dangerous threats from your computer.
Leave a Reply