Last Update : 2007-12-10 11:56
Aliases:
* W32/Mabezat
* W32/Mabezat.b
* Win32/Mabezat
* Win32/Mabezat.A
* Win32/Mabezat.B
* Worm.Win32.Mabezat.b
Overview
This description is for a worm that is capable of spreading through removable devices and network shares.
The characteristics of this worm with regard to file names, folders created, etc. differ from one version to another. Hence, this is a general description.
Aliases
* W32/Mabezat.b [Sophos]
* Win32/Mabezat [AVG Grisoft]
* Win32/Mabezat.A [Nod32]
* Win32/Mabezat.B [Microsoft]
* Worm.Win32.Mabezat.b [Kaspersky]
Characteristics
When executed, this worm drops the following files:
* C:\Documents and Settings\tazebama.dl_
* C:\Documents and Settings\hook.dl_
* C:\Start Menu\Programs\Startup\zPharoh.exe
* C:\Documents and Settings\[User Name]\Application\Data\tazebama\zPharaoh.dat
* C:\Documents and Settings\My Documents\readme.doc .exe
* [Drive Letter]:\zPharaoh.exe
* [Drive Letter]:\zPharaoh.inf
Note:
* The above files may have their attributes changed to hidden and system, in order to make them harder to find.
The worm then modifies the following registry entry to reset the drive autorun settings:
* Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDriveTypeAutoRun"
The worm then copies itself to all removable devices and open network shares along with an autorun.inf file.
It also searches for executable files on the machine and infects them. While doing this, it ensures that the icons of the original executables are maintained.
Symptoms
* Presence of the files and registry entries mentioned earlier
* Presence of the following autorun.inf file on the root of removable, fixed and network drives:

Method of Infection
This worm spreads by copying itself to network shares and to removable devices, along with an “Autorun.inf”.
Infection starts either with manual execution of the infected file or by simply navigating to the folders containing the infected files, whereby the “Autorun.inf” file could cause automatic execution of the worm.
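As an added example (not part of the AVERT description), the Python below decodes the NoDriveTypeAutoRun bitmask mentioned above and inspects a drive root for the zPharaoh.exe / zPharaoh.inf / autorun.inf triple, reporting what the autorun.inf would launch. The autorun.inf content used in the demo is constructed, since the page does not reproduce the real one.

```python
import os
import tempfile

# Drive-root files named in the description above (compared case-insensitively).
DRIVE_ROOT_INDICATORS = {"zpharaoh.exe", "zpharaoh.inf", "autorun.inf"}

# Bits of HKCU\...\Policies\Explorer\NoDriveTypeAutoRun; a SET bit disables
# autorun for that drive class (DRIVE_* constants from the Windows API).
DRIVE_CLASSES = {0x04: "removable", 0x08: "fixed", 0x10: "network", 0x20: "cdrom"}

def autorun_exposure(no_drive_type_autorun):
    """Return the drive classes on which autorun is still enabled; 0xFF -> none."""
    return {name for bit, name in DRIVE_CLASSES.items()
            if not no_drive_type_autorun & bit}

def autorun_command(inf_text):
    """Return what an [autorun] section would launch (shellexecute= wins over open=)."""
    directives, in_autorun = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
        elif in_autorun and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives.get("shellexecute") or directives.get("open")

def scan_drive_root(root):
    """Map each indicator file found at the drive root to the command its
    autorun.inf would run (None for the dropped executables themselves)."""
    findings = {n.lower(): None for n in os.listdir(root)
                if n.lower() in DRIVE_ROOT_INDICATORS}
    if "autorun.inf" in findings:
        with open(os.path.join(root, "autorun.inf"), encoding="latin-1") as fh:
            findings["autorun.inf"] = autorun_command(fh.read())
    return findings

def demo():
    """Build a constructed (not captured) infected drive root and scan it."""
    root = tempfile.mkdtemp()
    open(os.path.join(root, "zPharaoh.exe"), "wb").close()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[AutoRun]\nopen=zPharaoh.exe\nicon=zPharaoh.exe\n")
    return scan_drive_root(root)

if __name__ == "__main__":
    print("autorun still on for:", sorted(autorun_exposure(0x91)))
    print("drive root findings:", demo())
```

On a live host, read the registry value with `reg query` or `winreg` and pass each drive root to `scan_drive_root`; a value of 0xFF leaves no drive class exposed.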
Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Additional Windows ME/XP removal considerations


5 comments:
Thanks, sir, for the Avira.
Thumbs up to the lecturer for Avira, he he ehe
OK gang.. keep posting detectors, long live Avira. :-)
ask rapidshare account? pls.. ^o^
Bro, is Sekapuk in the Ujung Pangkah area of Gresik? Do you know Fahrudin?