Win32/Mabezat [Threat Name]
Win32/Mabezat.A [Threat Variant Name]
Category | virus
Size | 155 KB
Aliases | Worm.Win32.Mabezat.b (Kaspersky), W32/Mabezat (McAfee), Win32/Mabezat.A (Grisoft)
Short description
Win32/Mabezat.A is a polymorphic file infector.
Installation
When executed, the virus copies itself into the folder:
- %drive%\Documents and Settings\
with the following file names:
- tazebama.dl_
- hook.dl_
The following file is dropped in the same folder:
- tazebama.dll (32768 B)
The virus creates the following folders:
- %appdata%\tazebama\
The following Registry entries are removed:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
- "NoDriveTypeAutoRun"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
- "NoDriveTypeAutoRun"
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "Hidden" = 2
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "HideFileExt" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "ShowSuperHidden" = 0
Executable file infection
The virus infects executable files.
The virus searches for executables with one of the following extensions:
- .exe
Executables are infected by appending the code of the virus to the end of the original file.
The host file is modified in a way that causes the virus to be executed prior to running the original code.
Spreading
The virus copies itself into the root folders of all drives using the following name:
- zPharaoh.exe
The following file is dropped in the same folder:
- autorun.inf
The virus copies itself into existing folders of removable drives. The following names are used:
- Adjust Time.exe
- AmericanOnLine.exe
- Antenna2Net.exe
- BrowseAllUsers.exe
- CD Burner.exe
- Crack_GoogleEarthPro.exe
- Disk Defragmenter.exe
- FaxSend.exe
- FloppyDiskPartion.exe
- GoogleToolbarNotifier.exe
- HP_LaserJetAllInOneConfig.exe
- IDE Conector P2P.exe
- InstallMSN11Ar.exe
- InstallMSN11En.exe
- JetAudio dump.exe
- KasperSky6.0 Key.doc.exe
- Lock Folder.exe
- LockWindowsPartition.exe
- Make Windows Original.exe
- MakeUrOwnFamilyTree.exe
- Microsoft MSN.exe
- Microsoft Windows Network.exe
- msjavx86.exe
- NokiaN73Tools.exe
- Office2003 CD-Key.doc.exe
- Office2007 Serial.txt.exe
- PanasonicDVD_DigitalCam.exe
- RadioTV.exe
- Recycle Bin.exe
- RecycleBinProtect.exe
- ShowDesktop.exe
- Sony Erikson DigitalCam.exe
- Win98compatibleXP.exe
- Windows Keys Secrets.exe
- WindowsXp StartMenu Settings.exe
- WinrRarSerialInstall.exe
The name of the file may be based on the name of an existing file or folder.
The extension of the file is ".exe".
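As an added defender-side illustration (not code from the original page or from the vendor), the following Python triage covers the Installation and Spreading sections above: it parses a minimal .reg export of the two Explorer keys, flags the hiding values together with a Policies\Explorer key that lacks NoDriveTypeAutoRun, and flags a drive-root listing that carries the zPharaoh.exe/autorun.inf pair or double-extension copies. The .reg text and the file listing are constructed sample inputs.

```python
import re

# Indicators taken from the description: Explorer\Advanced values, root drops, lure double extensions.
MABEZAT_ADVANCED = {"Hidden": 2, "HideFileExt": 1, "ShowSuperHidden": 0}
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICY_SUBKEY = r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
ROOT_DROPS = {"zpharaoh.exe", "autorun.inf"}
DOUBLE_EXT = re.compile(r"\.(doc|txt)\.exe$", re.IGNORECASE)

def parse_reg_export(text):
    """Parse a minimal .reg export into {key: {name: value}}; dword values become int."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, val = line.partition("=")
            name = name.strip('"')
            keys[current][name] = int(val[6:], 16) if val.startswith("dword:") else val.strip('"')
    return keys

def registry_indicators(keys):
    """Flag the hiding values and a Policies key lacking NoDriveTypeAutoRun (autorun re-enabled)."""
    findings = []
    adv = keys.get(ADVANCED_KEY, {})
    if all(adv.get(name) == value for name, value in MABEZAT_ADVANCED.items()):
        findings.append("explorer_hides_system_files_and_extensions")
    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
        policy = keys.get(hive + POLICY_SUBKEY)
        if policy is not None and "NoDriveTypeAutoRun" not in policy:
            findings.append(hive + ":NoDriveTypeAutoRun_missing")
    return findings

def drive_indicators(filenames):
    """Flag the zPharaoh.exe + autorun.inf pair and double-extension copies in a root listing."""
    lower = {name.lower() for name in filenames}
    findings = ["zPharaoh.exe+autorun.inf"] if ROOT_DROPS <= lower else []
    return findings + [name for name in filenames if DOUBLE_EXT.search(name)]

# Constructed sample input: a .reg export of the two keys and a removable-drive root listing.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"""
SAMPLE_DRIVE = ["autorun.inf", "zPharaoh.exe", "holiday.jpg", "KasperSky6.0 Key.doc.exe", "Office2007 Serial.txt.exe"]
```

The HKEY_LOCAL_MACHINE policy key is absent from the sample export, so only the HKEY_CURRENT_USER finding is reported; a real export of both keys would be checked the same way.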
Other information
If the current system date matches a condition checked by the virus, files with the following extensions are encrypted:
- .ASP
- .ASPX
- .ASPX.CS
- .BAS
- .C
- .CPP
- .DOC
- .H
- .HLP
- .HTM
- .HTML
- .MDB
- .MDF
- .PAS
- .PHP
- .PPT
- .PSD
- .RAR
- .RTF
- .TXT
- .XLS
- .ZIP
The virus may create copies of itself in the folder:
- %userprofile%\Local Settings\Application Data\Microsoft\CD Burning\
The following filename is used:
- zPharaoh.exe
The following file may be dropped in the same folder:
- autorun.inf
The virus may delete files stored in the following folders:
- %userprofile%\Local Settings\Application Data\Microsoft\CD Burning\
The virus may create the text file:
- %appdata%\tazebama\zPharaoh.dat
The virus may create the following files in the %drive%\Documents and Settings\ folder:
- MyDocuments.rar
- backup.rar
- documents_backup.rar
- imp_data.rar
- source.rar
- windows_secrets.rar
- passwords.rar
- serials.rar
- office_crack.rar
- windows.rar
Each archive contains an executable file that is part of the infiltration.