Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Maz


Aliases:


Maz
Masteraz. Maz.A, Maz.B, Inor, VBS/Inor.B

Malware
Backdoor
W32

Summary

The case known as Maz or Masteraz is an attempt of hackers to infect a large amount of computer with a backdoor. For this purpose a large amount of emails was sent out. These emails contain an attachment (Masteraz.exe in case of Maz.A or Jimkre.exe in case of Maz.B) that downloads a backdoor from a web location. People who ran those downloaders became infected with Jeem backdoor.


UPDATE ON 29th OF MAY 2003

On May 29th 2003 there was a new attempt to distribute this trojan. This variant carries the script code in a file called error.hta. Once executed it drops a binary trojan. F-Secure Anti-Virus detects with the current updates both: the script component as VBS/Inor.B and the dropped binary as TrojanDownloader.Win32.Inor


UPDATE ON 7th OF MAY 2003

A new distribution of Maz has been found on May 7th, 2003. This time it uses file called error.hta. F-Secure Anti-Virus detects this file as VBS/Inor.B


UPDATE ON 23rd OF JANUARY 2003

A new attempt to distribute the Maz/Jeem backdoor was done on January 23rd, 2003. This time the malware author massmailed thousands of e-mails with the subject field "Mail delivery failed: returning message to sender".

These messages contained an attachment called "messages.hta". This was a VBScript script which unpacked the Maz binary as C:\MWARE.EXE and executed it. F-Secure Anti-Virus detects and blocks this binary as TrojanDownloader.Win32.Inor. This binary attempted to download an additional file UNWISE.EXE from a page at ADDR.COM. This page is currently in process of being taken down. UNWISE.EXE is still under analysis but it seems to do additional mailing from "qqqq@chat.ru".

F-Secure Anti-Virus detects "messages.hta" as VBS/Inor.B

and the dropped binary "C:\MWARE.EXE" as TrojanDownloader.Win32.Inor

We will continue to monitor the situation.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

The downloaded backdoor has a data stealing capabilities. It consists of two parts - a downloader called Inor and a backdoor called Jeem.

For more information on Jeem and Inor see the following description: http://www.f-secure.com/v-descs/jeem.shtml

F-Secure Anti-Virus detects both components as: TrojanDownloader.Win32.Inor and Trojan.PSW.Jeem





Technical Details: F-Secure AV Research Team; November 13th, 2002 - May 29th, 2003



Scan and clean your PC




F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Disinfect your PC




F-Secure Anti-Virus will disinfect your PC and remove all harmful files