F-Secure
Tools
Worm:W32/Mabezat
Summary
A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.
Disinfection
Automatic Disinfection
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Network Disinfection
For general instructions on disinfecting a local network infection, please see Eliminating A Local Network Outbreak.
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Network Disinfection
For general instructions on disinfecting a local network infection, please see Eliminating A Local Network Outbreak.
Additional Details
Worm:W32/Mabezat is a family of worms that spreads through infected e-mail attachments, removable drives and network shares. The worm is also capable of functioning as a polymorphic file infecting virus, as it is able to infect executable files.
The technical details below refer to the Worm:W32/Mabezat.B variant, which is the most prevalent variant in the wild.
Installation
On execution, the worm drops the following files into the system root drives:
The autorun.inf file contains the following code:
The above process is used to automatically execute zPharaoh.exe, which contains the worm's executable code. It also makes the malware capable of propagating via removable drives.
The virus also creates the following folder:
And may drop the file zPharaoh.dat into it.
Infection
Mazebat.B infects files in a polymorphic manner by appending data to a section of clean file code, then relocating the entire section together with the appended data. This action means that the altered code differs in every infected file.
The virus also adds garbage code to the file to 'pad' it and increase its polymorphism.
Registry
The worm modifies the Registry to disable certain functions.
It deletes this registry entry so that Autoplay is turned off:
It also creates this entry:
The technical details below refer to the Worm:W32/Mabezat.B variant, which is the most prevalent variant in the wild.
Installation
On execution, the worm drops the following files into the system root drives:
- %root%\autorun.inf
- %root%\zPharaoh.exe
The autorun.inf file contains the following code:
- [AutoRun]
ShellExecute=zPharaoh.exe
shell\open\command=zPharaoh.exe
shell\explore\command=zPharaoh.exe
open=zPharaoh.exe
The above process is used to automatically execute zPharaoh.exe, which contains the worm's executable code. It also makes the malware capable of propagating via removable drives.
The virus also creates the following folder:
- C:\Documents and Settings\%currently logged-in user%\Application Data\tazebama
And may drop the file zPharaoh.dat into it.
Infection
Mazebat.B infects files in a polymorphic manner by appending data to a section of clean file code, then relocating the entire section together with the appended data. This action means that the altered code differs in every infected file.
The virus also adds garbage code to the file to 'pad' it and increase its polymorphism.
Registry
The worm modifies the Registry to disable certain functions.
It deletes this registry entry so that Autoplay is turned off:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun = 00000091
It also creates this entry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = 00000000