Technology is always advancing, and the same can be said of malware such as viruses, spyware and worms. The fight against computer worms and viruses has likely been going on since the birth of the virtual world, and according to technical experts, worm and virus attacks have become an industry in their own right. In this context, a virus named Virus:Win32/Mabezat.B has caught our attention. It is a polymorphic virus that infects PE files. Be ready to resist this infection or risk having your system and network damaged.
As a standalone malicious program, Virus:Win32/Mabezat.B uses computer or network resources to create complete copies of itself. It also attempts to propagate through file infection, network shares, removable drives and CD burning. Virus:Win32/Mabezat.B additionally carries a date-based payload that tries to encrypt files with specific extensions. Because the worm infects executable files, it is classified as a polymorphic file-infecting virus.
Detection Names: Worm.Win32.Mabezat.b
Table 1. Details of the virus
When executed, the worm drops the following files into the root directory of system drives:
Note that the autorun.inf file contains the following code:
This autorun.inf entry causes zPharaoh.exe, which contains the worm's executable code, to run automatically, and that is how the malware spreads via removable drives.
Then, the virus creates the following folder:
- C:\Documents and Settings\%currently logged-in user%\Application Data\tazebama
Also, it may drop the file zPharaoh.dat into it.
Mabezat.B infects files polymorphically: it appends its data to a section of the clean file's code and relocates that whole section together with the appended data, so the modified code differs in every infected file. It also adds garbage code to 'pad' the file, further increasing its polymorphism.
Additionally, the worm modifies the Registry to disable particular functions. It removes the following registry value, the one that keeps AutoPlay turned off:
- NoDriveTypeAutoRun = 00000091
It creates this entry:
- ShowSuperHidden = 00000000
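The following is an added example written for this page, not code from the original article or from any vendor's detection engine. It turns the indicators described above (an autorun.inf at a drive root that launches zPharaoh.exe, the removal of NoDriveTypeAutoRun, and ShowSuperHidden set to 0) into an offline triage check. Registry and drive-root state are passed in as plain Python dicts so the logic runs on any platform; the collector that would read the live registry and drive roots on a Windows host is assumed and not shown. The autorun.inf body used in the demonstration is constructed, since the article does not reproduce the worm's actual file, and the NoDriveTypeAutoRun bit layout follows Microsoft's documented mapping of bits to GetDriveType() values.

```python
"""
Offline triage check for the Mabezat.B indicators described in the article.
Added example: registry values and drive-root listings are supplied as plain
dicts; a real collector (assumed, not shown) would fill them from HKCU and
from the root of each drive on a Windows host.
"""

# Bit layout of NoDriveTypeAutoRun: bit n disables AutoRun for the drive type
# that GetDriveType() reports as n (0x02 = DRIVE_NO_ROOT_DIR is never set).
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "DRIVE_UNSPECIFIED",  # bit 7: drive types not otherwise listed
}

# Dropper filename as given in the article (compared case-insensitively).
WORM_DROPPER = "zpharaoh.exe"


def decode_no_drive_type_autorun(value):
    """Return the set of drive types for which AutoRun is disabled by `value`.

    0x91, the value the article says the worm deletes, decodes to
    {DRIVE_UNKNOWN, DRIVE_REMOTE, DRIVE_UNSPECIFIED}.
    """
    return {name for bit, name in DRIVE_TYPE_BITS.items() if value & bit}


def check_explorer_policy(values):
    """Evaluate Explorer policy values (name -> int) for the two changes described.

    A key missing from `values` means the value is absent from the registry.
    """
    findings = []
    if "NoDriveTypeAutoRun" not in values:
        findings.append("NoDriveTypeAutoRun absent: AutoRun is no longer restricted for any drive type")
    if values.get("ShowSuperHidden") == 0:
        findings.append("ShowSuperHidden=0: protected operating-system files are hidden in Explorer")
    return findings


def parse_autorun_inf(text):
    """Minimal autorun.inf reader: return {key: value} from the [autorun] section.

    Written by hand rather than with configparser so that lines without an
    '=' are skipped instead of raising a parse error.
    """
    directives = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, val = line.partition("=")
            directives[key.strip().lower()] = val.strip()
    return directives


def check_drive_root(listing):
    """Inspect a drive root given as {filename: content-or-None}.

    Flags an autorun.inf whose open= or shellexecute= target is the worm's
    dropper, or any other file that is also present at the root.
    """
    files = {name.lower(): content for name, content in listing.items()}
    findings = []
    if "autorun.inf" not in files:
        return findings
    directives = parse_autorun_inf(files["autorun.inf"] or "")
    for key in ("open", "shellexecute"):
        target = directives.get(key, "").strip('"').lower()
        if not target:
            continue
        if target == WORM_DROPPER:
            findings.append(f"autorun.inf {key}= launches {WORM_DROPPER} (Mabezat.B dropper)")
        elif target in files:
            findings.append(f"autorun.inf {key}= launches {target}, which is present at the root")
    return findings


if __name__ == "__main__":
    # Constructed sample state, not captured from a real infection.
    registry = {"ShowSuperHidden": 0}  # NoDriveTypeAutoRun has been deleted
    root = {
        "autorun.inf": "[autorun]\nopen=zPharaoh.exe\nshellexecute=zPharaoh.exe\n",
        "zPharaoh.exe": None,
    }
    for finding in check_explorer_policy(registry) + check_drive_root(root):
        print("FINDING:", finding)
```

Feeding the script real state is a matter of reading the Explorer policy keys and listing each drive root; the checks themselves stay the same, and a clean host with the default NoDriveTypeAutoRun value and no autorun.inf produces no findings.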
Below are the alias names of Worm:W32/Mabezat.B.
Unfortunately, modern malware is sophisticated and identifying it is not an easy task, so you should know the possible symptoms of a Worm:W32/Mabezat.B infection.