PE_MABEZAT.B-O

Este malware infecta anexando su código a los archivos host de destino.

Se propaga a través de las redes compartidas e infiltra copias de sí mismo en las redes disponibles. Infiltra un archivo AUTORUN.INF para que ejecute automáticamente las copias que infiltra cuando un usuario accede a las unidades de un sistema afectado.

Instalación

Este malware infiltra el/los siguiente(s) archivo(s)/componente(s):

• %System Root%\Documents and Settings\tazebama.dll - detected as WORM_MABEZAT.AW
• %User Profile%\Application Data\tazebama\tazebama.log - contains logs
• %User Profile%\Application Data\tazebama\zPharaoh.dat - contains logs

(Nota: %System Root% es la carpeta raíz, normalmente C:\. También es la ubicación del sistema operativo).

Crea las siguientes copias de sí mismo en el sistema afectado:

• %System Root%\Documents and Settings\hook.dl_
• %System Root%\Documents and Settings\tazebama.dl_

(Nota: %System Root% es la carpeta raíz, normalmente C:\. También es la ubicación del sistema operativo).

Crea las carpetas siguientes:

• %User Profile%\Application Data\tazebama

(Nota: %User Profile% es la carpeta de perfil del usuario activo, que en el caso de Windows 98 y ME suele estar en C:\Windows\Profiles\{nombre de usuario}, en el caso de Windows NT en C:\WINNT\Profiles\{nombre de usuario} y en el caso de Windows 2000, XP y Server 2003 en C:\Documents and Settings\{nombre de usuario}).

Otras modificaciones del sistema

Modifica las siguientes entradas de registro:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "2"

(Note: The default value data of the said registry entry is "1".)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
HideFileExt = "1"

(Note: The default value data of the said registry entry is "0".)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is "1".)

Elimina las siguientes claves de registro:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoDriveTypeAutoRun =

Infección de archivo

Infecta los siguientes tipos de archivo:

• .lnk
• .scr
• .exe

Este malware infecta anexando su código a los archivos host de destino.

Propagación

Se propaga a través de las redes compartidas e infiltra copias de sí mismo en las redes disponibles.

Infiltra un archivo AUTORUN.INF para que ejecute automáticamente las copias que infiltra cuando un usuario accede a las unidades de un sistema afectado.

Evita enviar mensajes de correo electrónico a direcciones que contienen las cadenas siguientes:

• Microsoft
• Kasper
• Panda

Este malware envía el/los siguiente(s) mensaje(s):

Subject: ABOUT PEOPLE WITH WHOM MATRIMONY IS PROHIBITED
Message Body: 1 : If a man commits adultery with a woman, then it is not permissible for him to marry her mother or her daughters.
2 : If a woman out of sexual passion and with evil intent commits sexual intercourse with a man, then it is not permissible for the mother or daughters of that woman to merry that man. In the same way, the man who committed sexual intercourse with a woman, because prohibited for her mother and daughters.
Download the attached article to read.
Attachment: PROHIBITED_MATRIMONY.rar

Subject: Windows secrets
Message Body: The attached article is on
how to make a folder password
. If your are interested in this article download it, if you are not delete it.
Attachment: FolderPW_CH(1).rar

Subject:Canada immigration
Message Body: The debate is no longer about whether Canada should remain open to immigration. That debate became moot when Canadians realized that low birth rates and an aging population would eventually lead to a shrinking populace. Baby bonuses and other such incentives couldn't convince Canadians to have more kids, and demographic experts have forecasted that a Canada without immigration would pretty much disintegrate as a nation by 2050.
Download the attached file to know about the required forms.
The sender of this email got this article from our side and forwarded it to you.
Attachment: IMM_Forms_E01.rar

Subject: Viruses history
Message Body: Nowadays, the viruses have become one of the most dangerous systems to attack the computers. There are a lot of kinds of viruses. The common and popular kind is called
Trojan.Backdoor
which runs as a backdoor of the victim machine. This enables the virus to have a full remote administration of the victim machine. To read the full story about the viruses history since 1970 download the attached and decompress It by WinRAR.
The sender has red the story and forwarded it to you.
Attachment: virushistory.rar

Subject:Web designer vacancy
Message Body: Fortunately, we have recently received your CV/Resume from moister web site
and we found it matching the job requirements we offer.
If your are interested in this job Please send us an updated CV showing the required items with the attached file that we sent.
Thanks
Regards,
Ajy Bokra
Computer department.
AjyBokra@webconsulting.com
Attachment: JobDetails.rar

Subject: MBA new vision
Message Body: MBA (Master of business administration ) one of the most required degree around the world. We offer a lot of books helping you to gain this degree. We attached one of our .doc word formatted books on
Marketing basics
to download.
Our web site http://ww w.tazeunv.edu.cr/mba/info.htm
Contacts:
Human resource
Ajy klaf
AjyKolav@tazeunv.com
The sender has added your name to be informed with our services.
Attachment: Marketing.rar

Subject: problemo
Message Body: When I had opened your last email I received some errors have been saved in the attached file.
Please inform me with those errors as soon as possible.
Attachment: utlooklog.rar

Subject: hi
Message Body: notes.rar
Unfortunately, I received unformatted email with an attached file from you. I couldn't understand what is behind the words.
I wish you next time send me a readable file!.I forwarded the attached file again to evaluate your self.
Attachment: doc2.rar