Maz

Classification

Malware

Backdoor

W32

Maz, Masteraz. Maz.A, Maz.B, Inor, VBS/Inor.B

Summary

The case known as Maz or Masteraz is an attempt of hackers to infect a large amount of computer with a backdoor. For this purpose a large amount of emails was sent out. These emails contain an attachment (Masteraz.exe in case of Maz.A or Jimkre.exe in case of Maz.B) that downloads a backdoor from a web location. People who ran those downloaders became infected with Jeem backdoor.

UPDATE ON 29th OF MAY 2003

On May 29th 2003 there was a new attempt to distribute this trojan. This variant carries the script code in a file called error.hta. Once executed it drops a binary trojan. F-Secure Anti-Virus detects with the current updates both: the script component as VBS/Inor.B and the dropped binary as TrojanDownloader.Win32.Inor

UPDATE ON 7th OF MAY 2003

A new distribution of Maz has been found on May 7th, 2003. This time it uses file called error.hta. F-Secure Anti-Virus detects this file as VBS/Inor.B

UPDATE ON 23rd OF JANUARY 2003

A new attempt to distribute the Maz/Jeem backdoor was done on January 23rd, 2003. This time the malware author massmailed thousands of emails with the subject field "Mail delivery failed: returning message to sender".

These messages contained an attachment called "messages.hta". This was a VBScript script which unpacked the Maz binary as C:\MWARE.EXE and executed it. F-Secure Anti-Virus detects and blocks this binary as TrojanDownloader.Win32.Inor. This binary attempted to download an additional file UNWISE.EXE from a page at ADDR.COM. This page is currently in process of being taken down. UNWISE.EXE is still under analysis but it seems to do additional mailing from "qqqq@chat.ru".

F-Secure Anti-Virus detects "messages.hta" as VBS/Inor.B

and the dropped binary "C:\MWARE.EXE" as TrojanDownloader.Win32.Inor

We will continue to monitor the situation.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Find out more
Knowledge Base

Find the latest advice in our Community Knowledge Base.

Product Manual

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

The downloaded backdoor has a data stealing capabilities. It consists of two parts - a downloader called Inor and a backdoor called Jeem.

For more information on Jeem and Inor see the following description: https://www.f-secure.com/v-descs/jeem.shtml

F-Secure Anti-Virus detects both components as: TrojanDownloader.Win32.Inor and Trojan.PSW.Jeem

Date Created: -

Date Last Modified: -