Worm.Win32.Mabezat.b

by alexander.adamov on May 16th, 2012 in Malware Descriptions.

Platform: Win32
Type: Worm
Language: C++

Summary

Worm.Win32.Mabezat.b is a polymorphic worm (its copies and the code it adds to infected files vary, because the body is encrypted and padded with random junk data) which creates copies of itself on local drives and shared network resources.

Technical Details

Installation

Once launched, the worm extracts the following library from its body:

C:\Documents and Settings\tazebama.dll

The file is 32768 bytes in size (md5: B6A03576E595AFACB37ADA2F1D5A0529, sha1: D598D4D0E70DEC2FFA2849EDAEB4DB94FEDCC0B8).

The worm loads the library into its address space and uses it to drop its copies under the following names:

%Documents and Settings%\tazebama.dl_
%Documents and Settings%\hook.dl_

It then launches the following file:

%Documents and Settings%\tazebama.dl_

Payload

To harvest email addresses, the worm parses the contents of files with the following extensions:

.c
.txt
.bas
.mdb
.zip
.rar
.doc
.xls
.cpp
.h
.pas
.asp
.php
.ppt
.htm
.rtf
.mdf
.psd
.aspx
.aspx.cs
.txt
.html
.pdf
.hlp

The collected addresses are used to send the emails described in the “Propagation” section.

The worm checks the current date and encrypts the contents of files with the extensions listed above only when all three of the following conditions hold:

1. the current year is greater than 2011;
2. the current month is greater than 9;
3. the current day of the month is greater than 15.

To avoid encrypting a file more than once, the worm adds the following marker string to each encrypted file:

TAZEBAMA

The worm creates its log file:

%UserProfile%\Application Data\tazebama\zPharaoh.dat

The worm hides files with the “hidden” and “system” attributes and hides file extensions by setting the following values under the registry key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
"HideFileExt" = "1"
"ShowSuperHidden" = "0"

The worm re-enables execution of "autorun.inf" files by deleting the "NoDriveTypeAutoRun" value from the registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"

File Infection

The worm infects files with the following extensions:

.lnk
.exe
.scr

If the file is a shortcut (.lnk extension), the worm reads the file name the shortcut points to and infects that file. It infects files in the directory:

%UserProfile%\Local Settings\Application Data\Microsoft\CD Burning

as well as files referenced by the registry keys:

[HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths]

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

The worm's polymorphism is illustrated in the picture below: the worm code differs in every infected file, but the functionality is the same.

To infect a file, the worm expands the last section of the executable and writes into it the code that decrypts the worm body, together with the body itself. It then changes the program's entry point so that the worm's decryption code runs first, followed by the worm code and finally the original program code.
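As an added example (not part of the original description), the following Python parses PE headers and applies the heuristic that follows from the infection method described above: an entry point that has been moved into the last section, which has also been marked executable. The two header-only images it builds are constructed here only to exercise the check; real files can be passed as bytes to entry_point_in_last_section().

```python
import struct

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000  # PE/COFF section flags

def parse_sections(pe):
    """Return (AddressOfEntryPoint, [(name, virtual_address, virtual_size, flags), ...])."""
    rd = lambda fmt, off: struct.unpack_from(fmt, pe, off)[0]
    pe_off = rd("<I", 0x3C)                      # e_lfanew in the DOS header
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsec, opt_size = rd("<H", coff + 2), rd("<H", coff + 16)
    opt = coff + 20
    entry_rva = rd("<I", opt + 16)               # same offset in PE32 and PE32+ optional headers
    secs = []
    for i in range(nsec):
        s = opt + opt_size + 40 * i              # section table follows the optional header
        name = pe[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        secs.append((name, rd("<I", s + 12), rd("<I", s + 8), rd("<I", s + 36)))
    return entry_rva, secs

def entry_point_in_last_section(pe):
    """Appending-infector heuristic: entry point inside the last section and that section
    marked executable. Returns (suspicious, last_section_name)."""
    entry_rva, secs = parse_sections(pe)
    if not secs:
        return False, None
    name, va, vsize, flags = secs[-1]
    in_last = va <= entry_rva < va + vsize
    return in_last and bool(flags & IMAGE_SCN_MEM_EXECUTE), name

def build_pe(sections, entry_rva):
    """Constructed header-only PE32 image (no code at all), used only to exercise the check."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    tbl = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, 0, 0, 0, 0, 0, 0, fl)
                   for n, va, vs, fl in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + tbl

# Constructed samples: a clean layout (entry in .text) and a Mabezat-style layout in which
# the last section has been enlarged, marked executable and now holds the entry point.
CLEAN = build_pe([(b".text", 0x1000, 0x800, IMAGE_SCN_MEM_EXECUTE),
                  (b".data", 0x2000, 0x400, IMAGE_SCN_MEM_WRITE)], 0x1000)
INFECTED = build_pe([(b".text", 0x1000, 0x800, IMAGE_SCN_MEM_EXECUTE),
                     (b".data", 0x2000, 0x2400, IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)], 0x2400)
```

Packers and some legitimate build tools also place the entry point in a late section, so a hit is a triage signal for closer inspection, not a verdict.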

Autorun

The worm copies itself to the root of all shared logical drives under the following name:

<infected section name>:\zPharaoh.exe

Next to that copy in the root directory the worm saves the following file, which causes the copy to be launched when the infected drive is opened in Windows Explorer:

<infected section name>:\autorun.inf

The file "autorun.inf" contents are as follows:

[AutoRun]
ShellExecute=zPharaoh.exe
shell\open\command=zPharaoh.exe
shell\explore\command=zPharaoh.exe
open=zPharaoh.exe

The hidden, system and read-only attributes are assigned to the created files.

Propagation

To spread via CD-RW drives, the worm copies itself, using the built-in Windows CD burning feature, to the following folder:

%UserProfile%\Local Settings\Application Data\Microsoft\CD Burning\zPharaoh.exe

Together with its copy the worm places in that directory the accompanying file which makes the copy start automatically:

%UserProfile%\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf

The hidden, system and read-only attributes are assigned to the files.

It also copies itself into subdirectories, using the subdirectory's own name as well as names randomly selected from the following list:

WinrRarSerialInstall.exe
NokiaN73Tools.exe
Make Windows Original.exe
Office2003 CD-Key.doc.exe
Office2007 Serial.txt.exe
KasperSky6.0 Key.doc.exe
JetAudio dump.exe
InstallMSN11Ar.exe
InstallMSN11En.exe
Lock Folder.exe
Crack_GoogleEarthPro.exe
AmericanOnLine.exe
msjavx86.exe
FloppyDiskPartion.exe
HP_LaserJetAllInOneConfig.exe
Recycle Bin.exe
Microsoft Windows Network.exe
Adjust Time.exe
MakeUrOwnFamilyTree.exe
WindowsXp StartMenu Settings.exe
LockWindowsPartition.exe
Win98compatibleXP.exe
ShowDesktop.exe
BrowseAllUsers.exe
Disk Defragmenter.exe
CD Burner.exe
FaxSend.exe
RecycleBinProtect.exe
IDE Conector P2P.exe
Windows Keys Secrets.exe
Microsoft MSN.exe
Sony Erikson DigitalCam.exe
Antenna2Net.exe
RadioTV.exe
GoogleToolbarNotifier.exe
PanasonicDVD_DigitalCam.exe
My Documents                                      .exe
Readme.doc .exe
My documents .exe

The worm can use these names when sending emails.
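As an added example (not the description's own code), this Python check flags the three naming tricks visible in the list above: a fake document extension in front of the real one, whitespace padding that pushes the real extension out of view, and names imitating stock Explorer items. Such names become convincing once the worm has set HideFileExt=1 as described in the Payload section; the extension and look-alike sets below are this example's own choices.

```python
# Extensions Windows launches as programs: the three the worm infects (.exe, .scr, .lnk)
# plus a few common ones added here for completeness.
EXECUTABLE_EXTS = {".exe", ".scr", ".lnk", ".com", ".bat", ".cmd", ".pif"}
# "Document" extensions the worm's names imitate; with HideFileExt=1 only this part is shown.
DOCUMENT_EXTS = {".doc", ".txt", ".pdf", ".xls", ".ppt", ".rar", ".zip", ".htm"}
# Stock Explorer items and tools the worm's copies imitate (compared without case or spaces).
SYSTEM_LOOKALIKES = {"mydocuments", "recyclebin", "microsoftwindowsnetwork",
                     "diskdefragmenter", "showdesktop", "cdburner"}

def deceptive_executable_reasons(name):
    """Return the reasons a file name looks like a disguised executable ([] = no finding)."""
    stem, dot, ext = name.rpartition(".")
    ext = ("." + ext).lower() if dot else ""
    if ext not in EXECUTABLE_EXTS:
        return []                                # a real document or folder name; nothing to flag
    reasons = []
    if stem != stem.rstrip():                    # "Readme.doc .exe", "My Documents      .exe"
        reasons.append("whitespace padding before the real extension")
    visible = stem.rstrip()
    inner = visible.rpartition(".")
    if inner[1] and ("." + inner[2]).lower() in DOCUMENT_EXTS:   # "Office2003 CD-Key.doc.exe"
        reasons.append("double extension: shown as .%s but runs as %s" % (inner[2], ext))
    if visible.lower().replace(" ", "") in SYSTEM_LOOKALIKES:    # "Recycle Bin.exe"
        reasons.append("imitates a Windows folder or system item")
    return reasons

def scan_names(names):
    """Map each flagged name to its reasons; clean names are omitted."""
    findings = {}
    for n in names:
        reasons = deceptive_executable_reasons(n)
        if reasons:
            findings[n] = reasons
    return findings

# Constructed sample: five names from the worm's list above (padding shortened) plus two
# legitimate files that must not be flagged.
SAMPLE_NAMES = ["Office2003 CD-Key.doc.exe", "Readme.doc .exe", "Recycle Bin.exe",
                "My Documents          .exe", "NokiaN73Tools.exe", "budget.xls", "Readme.txt"]
```

Run scan_names() over a directory listing of removable media or the CD Burning folder to triage copies of the worm that rely on these tricks; a plain name like NokiaN73Tools.exe still needs a signature or hash check.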

The worm creates a RAR archive containing a copy of itself with one of the following names:

windows.rar
office_crack.rar
serials.rar
passwords.rar
windows_secrets.rar
source.rar
imp_data.rar
documents_backup.rar
backup.rar
MyDocuments.rar

The worm reads the following registry key to find the path to the WinRAR application:

[HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\WinRAR.exe]

If no archiver is installed on the computer, the worm uses an encrypted RAR archive containing the worm copy under the following name:

Readme.doc .exe

The worm does not send emails to addresses containing the following strings:

MICROSOFT
KASPER
PANDA

Before sending emails, the worm checks for an Internet connection by visiting the following URLs:

http://www.hotmail.com

http://www.britishcouncil.com

http://www.microsoft.com

http://www.yahoo.com

The worm uses several templates to format emails:

Subject:

ABOUT PEOPLE WITH WHOM MATRIMONY IS PROHIBITED

Message body:

1: If a man commits adultery with a woman, then it is not permissible for him to marry her mother or her daughters.

2: If a woman out of sexual passion and with evil intent commits sexual intercourse with a man, then it is not permissible for the mother or daughters of that woman to merry that man. In the same way, the man who committed sexual intercourse with a woman, because prohibited for her mother and daughters.

Download the attached article to read.

Attachment:

PROHIBITED_MATRIMONY.rar

Subject:

Windows secrets

Message body:

The attached article is on

how to make a folder password

. If your are interested in this article download it, if you are not delete it.

Attachment:

FolderPW_CH(1).rar

Subject:

Canada immigration

Message body:

The debate is no longer about whether Canada should remain open to immigration. That debate became moot when Canadians realized that low birth rates and an aging population would eventually lead to a shrinking populace. Baby bonuses and other such incentives couldn't convince Canadians to have more kids, and demographic experts have forecasted that a Canada without immigration would pretty much disintegrate as a nation by 2050.

Download the attached file to know about the required forms.

The sender of this email got this article from our side and forwarded it to you.

Attachment:

IMM_Forms_E01.rar

Subject:

Viruses history

Message body:

Nowadays, the viruses have become one of the most dangerous systems to attack the computers. There are a lot of kinds of viruses. The common and popular kind is called

Trojan.Backdoor

 which runs as a backdoor of the victim machine. This enables the virus to have a full remote administration of the victim machine. To read the full story about the viruses history since 1970 download the attached  and decompress It by WinRAR.

The sender has red the story and forwarded it to you.

Attachment:

virushistory.rar

Subject:

Web designer vacancy

Message body:

Fortunately, we have recently received your CV/Resume from moister web site

and we found it matching the job requirements we offer.

If your are interested in this job Please send us an updated CV showing the required items with the attached file that we sent.

Thanks

 Regards,

Ajy Bokra

Computer department.

AjyBokra@webconsulting.com

Attachment:

JobDetails.rar

Subject:

MBA new vision

Message body:

MBA (Master of business administration ) one of the most required degree around the world. We offer a lot of books helping you to gain this degree. We attached one of our .doc word formatted books on

Marketing basics

 to download.

Our web site tazeunv.edu.cr/mba/info.htm

Contacts:

Human resource

Ajy klaf

AjyKolav@tazeunv.com

The sender has added your name to be informed with our services.

Attachment:

Marketing.rar

Subject:

problemo

Message body:

When I had opened your last email I received some errors have been saved in the attached file.

Please inform me with those errors as soon as possible.

Attachment:

оutlooklog.rar

Subject:

hi

Message body:

notes.rar

Unfortunately, I received unformatted email with an attached file from you. I couldn't understand what is behind the words.

I wish you next time send me a readable file!.I forwarded the attached file again to evaluate your self.

Attachment:

doc2.rar

The worm obtains a list of IP addresses of the computers it most recently attempted to infect and copies itself to their shared resources.

The worm attempts to copy itself to the following folders of the networked computers:

<IP address>\c$\Documents and Settings
<IP address>\Start Menu\Programs\Startup

It uses the following usernames:

Administrator
Anonymous

The worm constructs passwords by combining the following characters, including spaces:

abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789

Removal Recommendations

  1. Using Task Manager (How to End a Process with the Task Manager), terminate the process:

     tazebama.dl_

  2. Delete the files:

     C:\Documents and Settings\tazebama.dll
     %Documents and Settings%\tazebama.dl_
     %Documents and Settings%\hook.dl_
     <infected section name>:\zPharaoh.exe
     <infected section name>:\autorun.inf
     %UserProfile%\Local Settings\Application Data\Microsoft\CD Burning\zPharaoh.exe
     %UserProfile%\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf

  3. Delete the folder:

     %UserProfile%\Application Data\tazebama

  4. Restore the original values of the registry keys, if required:

     [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
     "Hidden"
     "HideFileExt"
     "ShowSuperHidden"

     [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
     "NoDriveTypeAutoRun"

     [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
     "NoDriveTypeAutoRun"

  5. Run a full scan of your computer using an antivirus program with an updated definition database.