Mabezat worm and winmail.dat are back again

We have noticed in the past week a new wave of spam emails containing a file attached named, in all the cases, as winmail.dat. The attached file is, in real, a rar archive and it has extracted a file named Readme.doc .exe:


Some of the subjects of the emails are:

MBA new vision
Web designer vacancy
New work for you
You are assumed!
Welcome to your new work
We are hiring you

Headers of the emails: ( [])
[] (helo=akram8eb165562) by

All the messages of these spam emails try to do social engineering against the readers of the emails, by writing that the file contains no viruses and that it is needed winrar to decompress it:

The original file name is JobDetails.rar and compressed by WinRAR no virus found. Use WinRAR to decompress the file.

The extracted file is detected by all Antivirus Software:

Report date: 2010-02-25 00:41:43 (GMT 1)
File name: Readme.doc_.exe
File size: 110311 bytes
MD5 Hash: fff3d04deea479e4b20326e2f064c5d9
SHA1 Hash: 6706d9d75527ccb81f987ed695cce8e496a57531
Detection rate: 19 on 19 (100% )

a-squared – Worm.Win32.Mabezat!IK
Avira AntiVir – Worm/Mabezat.b
Avast – Win32:Mabezat-AM [Trj]
AVG – Worm/Generic.EDT
BitDefender – Worm.Generic.65976
ClamAV – W32.Mabezat-2
Comodo – Worm.Win32.Mabezat.b
Dr.Web – Win32.HLLW.Tazebama
Ewido – Worm.Mabezat.b
F-PROT6 – W32/Worm!a69a
Ikarus T3 – Worm.Win32.Mabezat
Kaspersky – Worm.Win32.Mabezat.b
McAfee – W32/Mabezat virus
NOD32 – Win32/Mabezat.A virus
Panda – W32/Mabezat.C.worm
Solo – Worm/Win32.Mabezat.B
TrendMicro – PE_MABEZAT.B-O
VBA32 – Worm.Win32.Mabezat.b
VirusBuster – Worm.Mabezat.A

In this article you can find an analysis of the malware activity:
PROHIBITED_MATRIMONY.rar Spam = Worm.Win32.Mabezat

Random Posts

Previous Posts