W32/Mabezat.a

Type: Virus
SubType: Win32
Discovery Date: 11/12/2007
Length:
Minimum DAT: 5161 (11/12/2007)
Updated DAT: 5760 (10/03/2009)
Minimum Engine: 5.2.00
Description Added: 11/12/2007
Description Modified: 10/07/2008 3:53 AM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

The worm drops the following files onto removable media or network shares:

  • [DRIVE]:\zPharaoh.exe
  • [DRIVE]:\autorun.inf

    It also attempts to copy itself through network shares protected by weak passwords, using the following user names:

    • anonymous
    • administrator

    Then the worm copies itself to the network shares using the following file names:

    • My documents .exe
    • Readme.doc .exe

    Then the worm searches for .exe files on the compromised computer and infects them by performing the following actions:

    • Encrypts the original file's contents
    • Updates the new file's resource data so that it displays the icon of the original file.

    The worm then searches for data files with the following extensions on the infected system and encrypts them:

  • .hlp
  • .pdf
  • .html
  • .txt
  • .aspx
  • .psd
  • .rtf
  • .htm
  • .ppt
  • .php
  • .asp
  • .cpp
  • .xls
  • .doc
  • .mdb
    Symptoms

  • Presence of the files and registry entries mentioned earlier
  • Presence of the following autorun.inf file on the root of removable, fixed and network drives:
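    The drop names and the root-level autorun.inf listed above are the host-side indicators a responder would look for first. The following triage helper is an added example, not McAfee's tooling: it classifies observed paths against the names in this description, generalises the "My documents .exe" lure to any executable whose name is padded with whitespace before .exe, and reports which program a captured autorun.inf would launch. The sample paths and the autorun.inf body are constructed for illustration; the description itself does not reproduce the file's contents.

```python
import re
from pathlib import PureWindowsPath

# Names the description reports dropped on drive roots and on network shares.
ROOT_DROPS = {"zpharaoh.exe", "autorun.inf"}
SHARE_DROPS = {"my documents .exe", "readme.doc .exe"}
# Generalised lure pattern: whitespace padding right before the .exe extension.
PADDED_EXE = re.compile(r"\S\s+\.exe$", re.IGNORECASE)
# autorun.inf keys that launch a program when the volume is mounted.
AUTORUN_KEYS = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE)

def classify_path(path):
    """Return the indicator class for one Windows path, or None if it matches nothing."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    at_root = p.parent == PureWindowsPath(p.anchor)  # true for E:\ and \\server\share\
    if at_root and name in ROOT_DROPS:
        return "root_drop"
    if name in SHARE_DROPS:
        return "share_drop"
    if PADDED_EXE.search(p.name):
        return "padded_exe"
    return None

def autorun_target(inf_text):
    """Return the program an autorun.inf body would launch, or None if it launches nothing."""
    m = AUTORUN_KEYS.search(inf_text)
    return m.group(2) if m else None

def triage(paths, autorun_text=None):
    """Group observed paths by indicator class; also report what a captured autorun.inf runs."""
    hits = {}
    for path in paths:
        kind = classify_path(path)
        if kind:
            hits.setdefault(kind, []).append(path)
    target = autorun_target(autorun_text) if autorun_text else None
    if target:
        hits["autorun_launches"] = [target]
    return hits

# Constructed sample input (not taken from a real infection).
SAMPLE_PATHS = [
    r"E:\zPharaoh.exe", r"E:\autorun.inf",
    r"\\fileserver\public\My documents .exe", r"\\fileserver\public\Readme.doc .exe",
    r"C:\Users\alice\Documents\report.doc", r"D:\tools\autorun.inf",
]
SAMPLE_AUTORUN = "[autorun]\nopen=zPharaoh.exe\nshell\\open\\command=zPharaoh.exe\n"
```

    Calling `triage(SAMPLE_PATHS, SAMPLE_AUTORUN)` groups the two root drops and the two share lures and reports that the autorun.inf launches zPharaoh.exe; an autorun.inf below the drive root is deliberately not flagged, since the description ties this indicator to drive roots.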

    Method of Infection

    W32/Mabezat.a is a blended threat combining polymorphic worm, polymorphic virus and Autorun.worm behaviour into a single threat.

    In addition, it displays common traits with other ransomware samples.

    Removal

    All Users:
    Use current engine and DAT files for detection and removal.

    Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Variants

      N/A

    Overview

    W32/Mabezat.a is a blended threat and an enhanced version of the original W32/Mabezat worm.

    For worm details see the W32/Mabezat VIL entry:

    http://vil.nai.com/vil/content/v_143555.htm
