Threat Description

Maz

Details

Aliases: Maz, Masteraz, Maz.A, Maz.B, Inor, VBS/Inor.B
Category: Malware
Type: Backdoor
Platform: W32

Summary



The case known as Maz or Masteraz was an attempt by its authors to infect a large number of computers with a backdoor. To this end, a large volume of e-mail was sent out. These messages carried an attachment (Masteraz.exe in the case of Maz.A, Jimkre.exe in the case of Maz.B) that downloads a backdoor from a web location. Users who ran these downloaders were infected with the Jeem backdoor.

UPDATE ON 29th OF MAY 2003

On May 29th 2003 there was a new attempt to distribute this trojan. This variant carries the script code in a file called error.hta. Once executed, it drops a binary trojan. With current updates, F-Secure Anti-Virus detects both components: the script as VBS/Inor.B and the dropped binary as TrojanDownloader.Win32.Inor.

UPDATE ON 7th OF MAY 2003

A new distribution of Maz was found on May 7th, 2003. This time it uses a file called error.hta. F-Secure Anti-Virus detects this file as VBS/Inor.B.

UPDATE ON 23rd OF JANUARY 2003

A new attempt to distribute the Maz/Jeem backdoor was made on January 23rd, 2003. This time the malware author mass-mailed thousands of e-mails with the subject "Mail delivery failed: returning message to sender".

These messages contained an attachment called "messages.hta". This was a VBScript which unpacked the Maz binary to C:\MWARE.EXE and executed it. F-Secure Anti-Virus detects and blocks this binary as TrojanDownloader.Win32.Inor. The binary attempted to download an additional file, UNWISE.EXE, from a page at ADDR.COM; that page is currently in the process of being taken down. UNWISE.EXE is still under analysis, but it appears to do additional mailing from "qqqq@chat.ru".

F-Secure Anti-Virus detects "messages.hta" as VBS/Inor.B

and the dropped binary "C:\MWARE.EXE" as TrojanDownloader.Win32.Inor

We will continue to monitor the situation.
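As an added example (not F-Secure's code and not derived from the actual samples), the following Python script triages raw e-mail for the distribution pattern described in this update: the bounce-style subject line, an HTA attachment named messages.hta or error.hta, and a script body that writes and runs C:\MWARE.EXE or references UNWISE.EXE. The subject, file names and dropped path come from this description; the VBScript object names it looks for inside the HTA are assumptions about how such a dropper is usually written, since the page does not quote the script, and the sample messages it builds are constructed placeholders with no real payload.

```python
"""Triage e-mail for the Maz/Inor lure (added example, not F-Secure's code).

Indicators taken from the description: the subject line, HTA attachment
names messages.hta / error.hta, the dropped binary C:\\MWARE.EXE and the
second-stage UNWISE.EXE. HTA_MARKERS are assumed VBScript idioms for
writing a file and executing it; the page does not quote the real script.
"""
import email
import re
from email import policy
from email.message import EmailMessage

MAZ_SUBJECT = "Mail delivery failed: returning message to sender"
HTA_NAMES = {"messages.hta", "error.hta"}
DROPPED_PATHS = ("c:\\mware.exe", "unwise.exe")
# Assumption: typical COM objects a VBScript dropper uses to write and run a file.
HTA_MARKERS = (
    re.compile(r"wscript\.shell", re.I),
    re.compile(r"scripting\.filesystemobject", re.I),
    re.compile(r"\.run\b", re.I),
)


def triage(raw: bytes) -> list[str]:
    """Return a list of findings for one RFC 822 message; empty means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = (msg.get("Subject") or "").strip()
    if subject.lower() == MAZ_SUBJECT.lower():
        findings.append("subject matches Maz bounce lure")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".hta"):
            continue
        findings.append(f"HTA attachment: {name}")
        if name in HTA_NAMES:
            findings.append(f"known Maz dropper name: {name}")
        body = part.get_content()
        if isinstance(body, bytes):
            body = body.decode("latin-1", "replace")
        if any(p.search(body) for p in HTA_MARKERS):
            findings.append(f"{name}: script writes/executes a file (assumed markers)")
        for path in DROPPED_PATHS:
            if path in body.lower():
                findings.append(f"{name}: references {path}")
    return findings


def build_sample() -> bytes:
    """Constructed lure resembling the January 2003 mailing; not a real sample."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = MAZ_SUBJECT
    msg.set_content("Your message could not be delivered. See the attached report.")
    # Placeholder script: writes a (missing) blob to C:\MWARE.EXE and runs it.
    hta = (
        "<html><script language='VBScript'>\n"
        'Set fso = CreateObject("Scripting.FileSystemObject")\n'
        'Set f = fso.CreateTextFile("C:\\MWARE.EXE", True)\n'
        "f.Write decoded_blob\n"
        "f.Close\n"
        'Set sh = CreateObject("WScript.Shell")\n'
        'sh.Run "C:\\MWARE.EXE"\n'
        "</script></html>\n"
    )
    msg.add_attachment(hta.encode("ascii"), maintype="application",
                       subtype="hta", filename="messages.hta")
    return msg.as_bytes()


def build_benign() -> bytes:
    """Constructed ordinary message used to show the checks do not fire."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "Lunch on Friday?"
    msg.set_content("Same place at noon?")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", build_sample()), ("benign", build_benign())):
        print(label, triage(raw))
```

The subject match alone is weak evidence, since real bounce notices use similar wording; the HTA attachment combined with the file-write and execute markers is what should drive a quarantine decision.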



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide to alternative disinfection actions.



Technical Details



The downloaded backdoor has data-stealing capabilities. It consists of two parts: a downloader called Inor and a backdoor called Jeem.

For more information on Jeem and Inor see the following description: http://www.f-secure.com/v-descs/jeem.shtml

F-Secure Anti-Virus detects both components as: TrojanDownloader.Win32.Inor and Trojan.PSW.Jeem





Technical Details: F-Secure AV Research Team; November 13th, 2002 - May 29th, 2003

