Technology is always advancing, and the same can be said of malware such as viruses, spyware and worms. The fight against computer worms and viruses likely began with the birth of the virtual world. According to technical experts, worm and virus attacks have become part of an industry. In this context, a virus named Virus:Win32/Mabezat.B has caught our attention. It is a polymorphic virus that infects PE files. Be ready to resist this infection, or risk having your system and network damaged!
Considered a standalone malicious program, Virus:Win32/Mabezat.B uses computer or network resources to create full copies of itself. The virus also attempts to propagate via file infection, network shares, removable drives and CD-burning. It is worth noting that Virus:Win32/Mabezat.B includes a date-based payload that tries to encrypt files with specific extensions. Because the worm is also able to infect executable files, it appears to be a polymorphic file-infecting virus.
| Field | Value |
| --- | --- |
| Name | Worm:W32/Mabezat.B |
| Detection Names | Worm.Win32.Mabezat.b, Mabezat.B |
| Category | Malware |
| Type | Worm |
| Type | Virus |
| Platform | W32 |

Table 1. Details of the virus
When executed, the worm drops the following files into the drive roots:
- %root%\autorun.inf
- %root%\zPharaoh.exe
Note that the autorun.inf file contains the following entries:
- [AutoRun]
  ShellExecute=zPharaoh.exe
  shell\open\command=zPharaoh.exe
  shell\explore\command=zPharaoh.exe
  open=zPharaoh.exe
These entries cause zPharaoh.exe, which holds the worm’s executable code, to be executed automatically. This is what enables the malware to spread via removable drives.
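As an added example (not part of the original write-up or of any vendor tool), the following Python check looks for the drive-root indicators listed above: it parses an autorun.inf and reports launch entries that point at zPharaoh.exe. The function names and the sample text are constructed for illustration.

```python
import os
import sys

# Dropped file name reported on this page, lower-cased for comparison.
KNOWN_DROPPER = "zpharaoh.exe"

# Constructed sample: the autorun.inf content quoted on this page.
SAMPLE_AUTORUN = r"""[AutoRun]
ShellExecute=zPharaoh.exe
shell\open\command=zPharaoh.exe
shell\explore\command=zPharaoh.exe
open=zPharaoh.exe
"""

def autorun_launch_targets(text):
    """Return (key, target) pairs from [AutoRun] that start a program."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        k = key.lower()
        is_verb = k.startswith("shell\\") and k.endswith("\\command")
        if k in ("open", "shellexecute") or is_verb:
            targets.append((key, value))
    return targets

def scan_root(root):
    """Report this page's drive-root indicators found directly under root."""
    findings = []
    names = {n.lower(): n for n in os.listdir(root)}
    if KNOWN_DROPPER in names:
        findings.append("dropped file present: " + names[KNOWN_DROPPER])
    if "autorun.inf" in names:
        path = os.path.join(root, names["autorun.inf"])
        with open(path, errors="replace") as fh:
            for key, value in autorun_launch_targets(fh.read()):
                if KNOWN_DROPPER in value.lower():
                    findings.append("autorun.inf %s -> %s" % (key, value))
    return findings

if __name__ == "__main__":
    # Usage: python scan.py E:\   (the drive root to inspect)
    for finding in scan_root(sys.argv[1]):
        print(finding)
```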
Then, the virus creates the following folder:
- C:\Documents and Settings\%currently logged-in user%\Application Data\tazebama
Also, it may drop the file zPharaoh.dat into it.
Mabezat.B infects files in a polymorphic way: it appends data to a section of the clean file's code and then transforms the whole section together with the appended data. For this reason the changed code varies in every infected file. In addition, the virus adds garbage code to the file to ‘pad’ it, which intensifies its polymorphism.
Additionally, the worm modifies the Registry to disable particular functions. It removes this registry entry so that Autoplay is turned off:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun = 00000091
It creates this entry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = 00000000
Below are the alias names of Worm:W32/Mabezat.B.
| Alias names |
| Win32/Mabezat Worm/Mabezat.B W32/Worm!a69a Win32:Mabezat Worm/Generic.EDT Win32.Worm.Mabezat.J W32.Mabezat.Dr W32.Mabezat-2 Win32.HLLW.Tazebama Win32.Mabezat.b Win32/Mabezat.B Worm.Mabezat.b W32/Worm!a69a Worm.Win32.Mabezat.b W32/Mabezat.B Worm.Win32.Mabezat.b |
| Virus:Win32/Mabezat.B Win32/Mabezat.A Mabezat.B W32/Mabezat.C.worm Worm.Mabezat.A Worm Win32.Mabezat.b W32/Mabezat-B Worm.Win32.Agent.PYR W32.Mabezat.B PE_MABEZAT.B-O Worm.Win32.Mabezat.b Worm.Win32.Mabezat.154751 Worm.Mabezat.A Worm.Mabezat.B |
Unfortunately, malware is sophisticated nowadays and identifying it is not an easy task. Therefore, you should know the possible symptoms of a Worm:W32/Mabezat.B infection.
Aug 6, 2010 at 20:59:24
hi
thank u sister for this info but is not all because file virus is hard deleted
http://img836.imageshack.us/img836/227/004reg.jpg
http://img829.imageshack.us/img829/3789/005masar.jpg
from my pc