ThreatExpert Report: W32.Mabezat.B, Worm.Win32.Mabezat.b, W32/Mabezat, PE

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 21 October 2012, 11:32:09
Processing time: 10 min 32 sec
Submitted sample:

File MD5: 0x6CB4B2C32DC5D0B2F8AE85D60E9927A1
File SHA-1: 0x7497CA36EC437965A7A857B3A31C7531D3DBD6B2
Filesize: 152,471 bytes
Alias:

W32.Mabezat.B [Symantec]
Worm.Win32.Mabezat.b [Kaspersky Lab]
W32/Mabezat [McAfee]
PE_MABEZAT.B-O [Trend Micro]
W32/Mabezat-B [Sophos]
Virus:Win32/Mabezat.B [Microsoft]
Win32.Worm.Mabezat [Ikarus]
Win32/Mabezat [AhnLab]

Summary of the findings:

What's been found	Severity Level
Sets the drive to autoplay by creating autorun.inf file in its root directory. If the drive is shared across the network then other remote computers can be infected any time they try to access this share.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\autorun.inf	126 bytes	MD5: 0x91492F3350F4A1C513741F6AA8A96B5A SHA-1: 0x339820E6C5F6BA11A584E7C37C936E3778147A0A	(not available)
2	%Profiles%\hook.dl_ %Profiles%\tazebama.dl_	152,191 bytes	MD5: 0x4579D05DCF7CB551C2ADB5001E767E01 SHA-1: 0x5ED688C9EAE26B46FE4C0CE495F6CBB078599A82	W32.Mabezat.B [Symantec] Worm.Win32.Mabezat.b [Kaspersky Lab] W32/Mabezat [McAfee] PE_MABEZAT.B-O [Trend Micro] W32/Mabezat-B [Sophos] Virus:Win32/Mabezat.B [Microsoft] Trojan.Win32.Genome [Ikarus] Win32/Mabezat [AhnLab]
3	%Profiles%\tazebama.dll	32,768 bytes	MD5: 0xB6A03576E595AFACB37ADA2F1D5A0529 SHA-1: 0xD598D4D0E70DEC2FFA2849EDAEB4DB94FEDCC0B8	W32.Mabezat.B [Symantec] Worm.Win32.Mabezat.n [Kaspersky Lab] W32/Mabezat.dll [McAfee] W32/Mabezat-B [Sophos] Virus:Win32/Mabezat.B [Microsoft] Worm.Win32.Mabezat [Ikarus] Win32/Mabezat.worm.32768 [AhnLab]
4	%AppData%\tazebama\zPharaoh.dat	220 bytes	MD5: 0x9001136BF8AE9E58A91060014EE4F219 SHA-1: 0x92176F00F0F9A49A0571C8E00DF835BF4A75EC76	(not available)
5	[file and pathname of the sample #1]	152,471 bytes	MD5: 0x6CB4B2C32DC5D0B2F8AE85D60E9927A1 SHA-1: 0x7497CA36EC437965A7A857B3A31C7531D3DBD6B2	W32.Mabezat.B [Symantec] Worm.Win32.Mabezat.b [Kaspersky Lab] W32/Mabezat [McAfee] PE_MABEZAT.B-O [Trend Micro] W32/Mabezat-B [Sophos] Virus:Win32/Mabezat.B [Microsoft] Win32.Worm.Mabezat [Ikarus] Win32/Mabezat [AhnLab]
6	c:\zPharaoh.exe	154,911 bytes	MD5: 0x86FFCDF688F072A58738EA0374A85D01 SHA-1: 0x0AF115BE05809BC9D35342B65428E9E108128FFD	W32.Mabezat.B [Symantec] Worm.Win32.Mabezat.b [Kaspersky Lab] W32/Mabezat [McAfee] PE_MABEZAT.B-O [Trend Micro] W32/Mabezat-B [Sophos] Virus:Win32/Mabezat.B [Microsoft] Trojan.Win32.Genome [Ikarus] Win32/Mabezat [AhnLab]

Notes:

%Profiles% is a variable that refers to the file system directory containing user profile folders. A typical path is C:\Documents and Settings.
%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

The following directory was created:

%AppData%\tazebama

Registry Modifications

The following Registry Key was created:

HKEY_CURRENT_USER\Software\Microsoft\Exchange

Other details

Analysis of the file resources indicate the following possible country of origin:

Saudi Arabia

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.