On May 29th, 2003 there was a new attempt to distribute this
trojan. This variant carries the script code in a file called
error.hta. Once executed, it drops a binary trojan. With the
current updates, F-Secure Anti-Virus detects both components: the
script component as VBS/Inor.B and the dropped binary as
TrojanDownloader.Win32.Inor.
UPDATE ON 7th OF MAY 2003
A new distribution of Maz was found on May 7th, 2003. This
time it uses a file called error.hta. F-Secure Anti-Virus detects
this file as VBS/Inor.B.
UPDATE ON 23rd OF JANUARY 2003
A new attempt to distribute the Maz/Jeem backdoor was made on January
23rd, 2003. This time the malware author mass-mailed thousands of e-mails
with the subject field "Mail delivery failed: returning message to sender".
These messages contained an attachment called "messages.hta". This was
a VBScript script which unpacked the Maz binary as C:\MWARE.EXE and executed it.
F-Secure Anti-Virus detects and blocks this binary as TrojanDownloader.Win32.Inor.
This binary attempted to download an additional file, UNWISE.EXE,
from a page at ADDR.COM. This page is currently in the process of being
taken down. UNWISE.EXE is still under analysis, but it seems to do additional
mailing from "qqqq@chat.ru".
F-Secure Anti-Virus detects "messages.hta" as VBS/Inor.B and the
dropped binary "C:\MWARE.EXE" as TrojanDownloader.Win32.Inor.
We will continue to monitor the situation.
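The mail-borne indicators named in these updates (the bounce-style subject and the .hta attachments) can be checked at a mail gateway. The following is an added example, not F-Secure's detection logic; the function names and the sample messages are constructed for illustration, and it goes slightly beyond the page by also flagging any other .hta attachment.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description on this page.
LURE_SUBJECT = "mail delivery failed: returning message to sender"
KNOWN_NAMES = {"messages.hta", "error.hta", "masteraz.exe", "jimkre.exe"}

def scan_message(raw: bytes) -> list:
    """Return a list of findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # Collapse whitespace and case so header folding does not hide a match.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject == LURE_SUBJECT:
        findings.append("subject matches Maz bounce lure")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so strip them first.
        name = name.strip().lower().rstrip(". ")
        if name in KNOWN_NAMES:
            findings.append("known attachment name: " + name)
        elif name.endswith(".hta"):
            findings.append("HTA attachment: " + name)
    return findings

def build_sample(subject: str, filename: str) -> bytes:
    """Construct a test message (sample data, not a captured mail)."""
    m = EmailMessage()
    m["From"] = "mailer-daemon@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("Constructed sample body.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    lure = build_sample("Mail delivery failed: returning message to sender",
                        "MESSAGES.HTA")
    for finding in scan_message(lure):
        print(finding)
```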
DESCRIPTION
The case known as Maz or Masteraz is an attempt by hackers to
infect a large number of computers with a backdoor. For this
purpose a large number of emails were sent out. These emails
contain an attachment (Masteraz.exe in the case of Maz.A or
Jimkre.exe in the case of Maz.B) that downloads a backdoor from a web
location. People who ran those downloaders became infected with
the Jeem backdoor.
The downloaded backdoor has data-stealing capabilities. It
consists of two parts: a downloader called Inor and a backdoor
called Jeem.
For more information on Jeem and Inor see the following
description: