PE_MABEZAT.SM


 ALIASES:

Virus:Win32/Mabezat.B (Microsoft); W32/Mabezat (McAfee); W32.Mabezat.B (Symantec); Trojan.Win32.Agent.cwpv, Worm.Win32.Mabezat.b (Kaspersky); Worm.Win32.Mabezat.b (v) (Sunbelt); Win32.Worm.Mabezat.S (FSecure)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: File infector

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Infects files, Propagates via network shares, Via removable drives, Via email

This file infector arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It infects by appending its code to target host files.

It propagates via shared networks and drops copies of itself into available networks. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

File Size:

Varies

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

02 Apr 2008

Payload:

Modifies files, Modifies system registry

Arrival Details

This file infector arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This file infector drops the following copies of itself into the affected system:

  • %System Root%\Documents and Settings\hook.dl_
  • %System Root%\Documents and Settings\tazebama.dl_

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

  • %User Profile%\Application Data\tazebama

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Other System Modifications

This file infector modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = "2"

(Note: The default value data of the said registry entry is "1".)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt = "1"

(Note: The default value data of the said registry entry is "0".)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is "1".)

It deletes the following registry value:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun

File Infection

This file infector infects the following file types:

  • .lnk
  • .scr
  • .exe

It infects by appending its code to target host files.

Propagation

This file infector propagates via shared networks and drops copies of itself into available networks.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[AutoRun]
ShellExecute=zPharaoh.exe
shell\open\command=zPharaoh.exe
shell\explore\command=zPharaoh.exe
open=zPharaoh.exe

It avoids sending email messages to addresses containing the following strings:

  • Microsoft
  • Kasper
  • Panda

It sends the following message(s):

Subject: ABOUT PEOPLE WITH WHOM MATRIMONY IS PROHIBITED
Message Body: 1 : If a man commits adultery with a woman, then it is not permissible for him to marry her mother or her daughters.
2 : If a woman out of sexual passion and with evil intent commits sexual intercourse with a man, then it is not permissible for the mother or daughters of that woman to merry that man. In the same way, the man who committed sexual intercourse with a woman, because prohibited for her mother and daughters.
Download the attached article to read.
Attachment: PROHIBITED_MATRIMONY.rar

Subject: Windows secrets
Message Body: The attached article is on
how to make a folder password
. If your are interested in this article download it, if you are not delete it.
Attachment: FolderPW_CH(1).rar

Subject: Canada immigration
Message Body: The debate is no longer about whether Canada should remain open to immigration. That debate became moot when Canadians realized that low birth rates and an aging population would eventually lead to a shrinking populace. Baby bonuses and other such incentives couldn't convince Canadians to have more kids, and demographic experts have forecasted that a Canada without immigration would pretty much disintegrate as a nation by 2050.
Download the attached file to know about the required forms.
The sender of this email got this article from our side and forwarded it to you.
Attachment: IMM_Forms_E01.rar

Subject: Viruses history
Message Body: Nowadays, the viruses have become one of the most dangerous systems to attack the computers. There are a lot of kinds of viruses. The common and popular kind is called
Trojan.Backdoor
which runs as a backdoor of the victim machine. This enables the virus to have a full remote administration of the victim machine. To read the full story about the viruses history since 1970 download the attached and decompress It by WinRAR.
The sender has red the story and forwarded it to you.
Attachment: virushistory.rar

Subject: Web designer vacancy
Message Body: Fortunately, we have recently received your CV/Resume from moister web site
and we found it matching the job requirements we offer.
If your are interested in this job Please send us an updated CV showing the required items with the attached file that we sent.
Thanks
Regards,
Ajy Bokra
Computer department.
AjyBokra@webconsulting.com
Attachment: JobDetails.rar

Subject: MBA new vision
Message Body: MBA (Master of business administration ) one of the most required degree around the world. We offer a lot of books helping you to gain this degree. We attached one of our .doc word formatted books on
Marketing basics
to download.
Our web site http://ww w.tazeunv.edu.cr/mba/info.htm
Contacts:
Human resource
Ajy klaf
AjyKolav@tazeunv.com
The sender has added your name to be informed with our services.
Attachment: Marketing.rar

Subject: problemo
Message Body: When I had opened your last email I received some errors have been saved in the attached file.
Please inform me with those errors as soon as possible.
Attachment: utlooklog.rar

Subject: hi
Message Body: notes.rar
Unfortunately, I received unformatted email with an attached file from you. I couldn't understand what is behind the words.
I wish you next time send me a readable file!.I forwarded the attached file again to evaluate your self.
Attachment: doc2.rar

NOTES:

The infected files execute %System%\Documents and Settings\tazebama.dl_, and then executes the original code of the host file.

It searches for target files to infect by enumerating the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

It also searches for target files to infect in the following folders:

  • %Application Data%\Microsoft\CD Burning
  • %Start Menu%\Programs\Startup
  • %System Root%\Documents and Settings

It also tries to drop a copy of itself in network shares by using the following user names:

  • Administrator
  • Anonymous

To gain access to password-protected shares, it uses passwords generated randomly. The passwords are created by combining any of the following characters and including spaces:

  • abcdefghijklmnopqrstuvwxyz
  • ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • 0123456789

It attempts to use the archiving program WinRAR to archive a copy of itself when creating attachments. It locates WinRAR by querying the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\WinRAR.exe

This file infector may use the following archive names:

  • backup.rar
  • documents_backup.rar
  • imp_data.rar
  • MyDocuments.rar
  • office_crack.rar
  • passwords.rar
  • serials.rar
  • source.rar
  • windows.rar
  • windows_secrets.rar

For file names for its attachment and dropped copies in removable and physical drives, this file infector may use any of the following:

  • Adjust Time.exe
  • AmericanOnLine.exe
  • Antenna2Net.exe
  • BrowseAllUsers.exe
  • CD Burner.exe
  • Crack_GoogleEarthPro.exe
  • Disk Defragmenter.exe
  • FaxSend.exe
  • FloppyDiskPartion.exe
  • GoogleToolbarNotifier.exe
  • HP_LaserJetAllInOneConfig.exe
  • IDE Conector P2P.exe
  • InstallMSN11Ar.exe
  • InstallMSN11En.exe
  • JetAudio dump.exe
  • KasperSky6.0 Key.doc.exe
  • Lock Folder.exe
  • LockWindowsPartition.exe
  • Make Windows Original.exe
  • MakeUrOwnFamilyTree.exe
  • Microsoft MSN.exe
  • Microsoft Windows Network.exe
  • msjavx86.exe
  • My Documents .exe
  • My documents .exe
  • NokiaN73Tools.exe
  • Office2003 CD-Key.doc.exe
  • Office2007 Serial.txt.exe
  • PanasonicDVD_DigitalCam.exe
  • RadioTV.exe
  • Readme.doc .exe
  • Recycle Bin.exe
  • RecycleBinProtect.exe
  • ShowDesktop.exe
  • Sony Erikson DigitalCam.exe
  • Win98compatibleXP.exe
  • Windows Keys Secrets.exe
  • WindowsXp StartMenu Settings.exe
  • WinrRarSerialInstall.exe

It spreads to all removable drives from C:\ to Z:\ by dropping the following:

  • {drive letter}:\zPharaoh.exe - copy of itself
  • {drive letter}:\1.taz

It then renames 1.TAZ to {drive letter}:\autorun.inf.

It drops a copy of itself in all folders in all other physical and removable drives present other than the Windows root folder. It copies the name of the folder and uses it as the name of its dropped copy. The icon of the dropped copy resembles a folder.

It also drops the following files so that it can spread via CD when CD burning is done:

  • %Application Data%\Microsoft\CD Burning\zPharaoh.exe - copy of itself
  • %Application Data%\Microsoft\CD Burning\1.taz

It then renames 1.TAZ to %Application Data%\Microsoft\CD Burning\autorun.inf. This allows the burned CD to automatically execute the file infector's copy when inserted into a CD drive.

It deletes the registry value NoDriveTypeAutoRun in the following registry key to avoid easy modification of autorun settings:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

It logs its activities in the file %Application Data%\tazebama\zPharoah.dat. The said file contains the following string as its header:

tazebama trojan log file

This file infector encrypts files when the computer date is greater than or equal to October 16, 2012. It encrypts files with the following file extensions:

  • .asp
  • .aspx
  • .cpp
  • .cs
  • .doc
  • .h
  • .hlp
  • .htm
  • .html
  • .mdb
  • .mdf
  • .pas
  • .pdf
  • .php
  • .ppt
  • .psd
  • .rar
  • .rtf
  • .txt
  • .xls
  • .zip

It appends the string TAZEBAMA at the end of each encrypted file.
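As an added defender-side example (not Trend Micro's code), the following Python triage helper checks the contents of a drive against two indicators given above: an AUTORUN.INF whose launch keys point at zPharaoh.exe, and files of the listed types that end with the TAZEBAMA marker. The drive paths and file contents are constructed samples; the [AutoRun] parser is a minimal one written for this example.

```python
import ntpath, os

# Indicators quoted above: AUTORUN.INF launch keys, launcher name, encrypted-file marker, targeted types.
AUTORUN_KEYS = {"shellexecute", "shell\\open\\command", "shell\\explore\\command", "open"}
LAUNCHER = "zpharaoh.exe"
TRAILER = b"TAZEBAMA"
ENCRYPTED_EXT = {".asp", ".aspx", ".cpp", ".cs", ".doc", ".h", ".hlp", ".htm", ".html", ".mdb",
                 ".mdf", ".pas", ".pdf", ".php", ".ppt", ".psd", ".rar", ".rtf", ".txt", ".xls", ".zip"}

def parse_autorun(inf_text):
    """Flatten the [AutoRun] section into {lowercase key: raw value}; other sections are ignored."""
    entries, in_autorun = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def autorun_launches_mabezat(inf_text):
    """Sorted launch keys whose command resolves to zPharaoh.exe; an empty list means clean."""
    return sorted(k for k, v in parse_autorun(inf_text).items()
                  if k in AUTORUN_KEYS and ntpath.basename(v.strip('"').lower()) == LAUNCHER)

def classify_file(path, data):
    """'autorun' for a dropped launcher, 'encrypted' for a targeted type ending in TAZEBAMA, else None."""
    base = ntpath.basename(path).lower()
    if base == "autorun.inf":
        return "autorun" if autorun_launches_mabezat(data.decode("utf-8", "replace")) else None
    if os.path.splitext(base)[1] in ENCRYPTED_EXT and data.endswith(TRAILER):
        return "encrypted"
    return None

def triage(samples):
    """Map each path to its verdict, dropping files that look clean."""
    verdicts = ((p, classify_file(p, d)) for p, d in samples.items())
    return {p: v for p, v in verdicts if v}

# Constructed sample drive contents for the demonstration, not real captures.
CONSTRUCTED_SAMPLES = {
    "E:\\autorun.inf": b"[AutoRun]\r\nShellExecute=zPharaoh.exe\r\nopen=zPharaoh.exe\r\n",
    "E:\\Reports\\q1.doc": b"\x00" * 64 + TRAILER,
    "E:\\notes.txt": b"plain text, untouched",
    "F:\\autorun.inf": b"[AutoRun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\n",  # vendor CD, clean
}
```

To run it over a real drive, feed `classify_file` the path and bytes of each file from an `os.walk`; a legitimate autorun.inf that launches something other than zPharaoh.exe is reported as clean.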

  SOLUTION

Minimum Scan Engine:

9.300

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Restart in Safe Mode


Step 3

Search and delete these folders

Make sure the Search Hidden Files and Folders checkbox under More advanced options is selected so that hidden folders are included in the search results.
  • %User Profile%\Application Data\tazebama

Step 4

Search and delete AUTORUN.INF files created by PE_MABEZAT.SM that contain these strings

    [AutoRun]
    ShellExecute=zPharaoh.exe
    shell\open\command=zPharaoh.exe
    shell\explore\command=zPharaoh.exe
    open=zPharaoh.exe

Step 5

Restore this modified registry value


Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • From: Hidden = "2"
      To: Hidden = "1"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • From: HideFileExt = "1"
      To: HideFileExt = "0"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • From: ShowSuperHidden = "0"
      To: ShowSuperHidden = "1"

Step 6

Restore this deleted registry key/value from backup

*Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoDriveTypeAutoRun

Step 7

Restart in normal mode and scan your computer with your Trend Micro product for files detected as PE_MABEZAT.SM. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
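An added example, not part of Trend Micro's solution steps: a Python audit for Steps 5 and 6 that reports the Explorer values still holding the infector's data, writes back the defaults given above, and flags a missing NoDriveTypeAutoRun (which is only reported, since its data must come from backup). It assumes the three values are DWORDs under HKEY_CURRENT_USER; the reader and writer are passed in as callables so the logic runs offline against a constructed snapshot, with a winreg pair provided for a live host.

```python
# Explorer values the infector changes (HKCU), as (malware data, default) per the notes above.
EXPLORER_ADVANCED = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES_EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
TAMPERED = {"Hidden": ("2", "1"), "HideFileExt": ("1", "0"), "ShowSuperHidden": ("0", "1")}

def audit(read_value):
    """read_value(subkey, name) -> data or None; returns findings that still need attention."""
    findings = []
    for name, (malware_data, default) in TAMPERED.items():
        current = read_value(EXPLORER_ADVANCED, name)
        if current is not None and str(current) == malware_data:
            findings.append(f"{name} = {current}; default is {default}")
    if read_value(POLICIES_EXPLORER, "NoDriveTypeAutoRun") is None:
        findings.append("NoDriveTypeAutoRun is absent; restore it from backup")
    return findings

def restore_defaults(read_value, write_value):
    """Step 5: write the default back for each value still holding the malware's data."""
    restored = []
    for name, (malware_data, default) in TAMPERED.items():
        if str(read_value(EXPLORER_ADVANCED, name)) == malware_data:
            write_value(EXPLORER_ADVANCED, name, int(default))  # Explorer stores these as DWORD
            restored.append(name)
    return restored  # NoDriveTypeAutoRun is deliberately not recreated: its data comes from backup

def winreg_read(subkey, name):
    """Reader for a live Windows host; the offline demo below never calls it."""
    import winreg  # Windows-only module, so imported lazily
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
            return winreg.QueryValueEx(key, name)[0]
    except FileNotFoundError:  # key or value does not exist
        return None

def winreg_write(subkey, name, data):
    """Writer for a live Windows host (DWORD only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey, 0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, data)

def demo():
    """audit -> restore -> audit over a constructed in-memory snapshot of an infected HKCU."""
    store = {(EXPLORER_ADVANCED, "Hidden"): 2, (EXPLORER_ADVANCED, "HideFileExt"): 1,
             (EXPLORER_ADVANCED, "ShowSuperHidden"): 0}  # NoDriveTypeAutoRun already deleted
    def read(subkey, name):
        return store.get((subkey, name))
    def write(subkey, name, data):
        store[(subkey, name)] = data
    return audit(read), restore_defaults(read, write), audit(read)
```

On a real host call `audit(winreg_read)` first and `restore_defaults(winreg_read, winreg_write)` only after reviewing the findings.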
