Filed Under: ALERTS

Malware Alert: Win32.Worm.Mabezat.J is Hiring!

02 March 2010
Win32.Worm.Mabezat.J may not be the new kid around the block, but the previous week surely saw a surge of spam mail carrying carefully packed files infected with its code. Taking advantage of the precarious state of the global economy, cyber-criminals disguise their malicious payloads as legitimate job opportunities.

The spam message comes with a variety of job-related email subjects, such as Web designer vacancy, New work for you, Welcome to your new work, or We are hiring you. It also contains an apparently harmless attachment called winmail.dat (a file that is supposed to contain the Exchange Server® RTF information for the message, sent when the recipient's client cannot receive messages in Rich Text Format (RTF)).

[Screenshot: Web Designer vacancy mail - malware]

In this case, however, the winmail.dat file is not TNEF data at all: it is an archive that can be extracted with either WinRAR® or WinZip™. This approach ensures that the user can still extract the infected file, but prevents antimalware filters on mail servers from unpacking and analyzing the contents of the archive. Once extracted, the archive presents what appears to be a Word document called Readme.doc, which at a closer look proves to be an executable file infected with Win32.Worm.Mabezat.J.

Once opened, the alleged Readme file opens its own directory (the path where the worm is located) in Windows® Explorer. The worm also writes an autorun.inf file on each drive pointing to a newly-created file called zPharaoh.exe (an instance of itself).
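Two of the behaviours described above can be checked mechanically, at a mail gateway or on a removable drive: whether a file named winmail.dat is really a ZIP/RAR archive rather than genuine TNEF data, and whether an autorun.inf launches zPharaoh.exe. The Python below is an added example, not BitDefender's detection code or anything taken from the worm; the magic numbers are general file-format knowledge and the two samples are constructed.

```python
import re
from typing import Optional

# Well-known file signatures (general knowledge, not taken from the alert itself).
TNEF_MAGIC = b"\x78\x9f\x3e\x22"  # little-endian 0x223E9F78: a genuine winmail.dat
ZIP_MAGIC = b"PK\x03\x04"         # ZIP archive, what WinZip would unpack
RAR_MAGIC = b"Rar!\x1a\x07"       # RAR archive, what WinRAR would unpack

def classify_winmail(data: bytes) -> str:
    """Return 'tnef', 'zip', 'rar' or 'unknown' for an attachment body."""
    for name, magic in (("tnef", TNEF_MAGIC), ("zip", ZIP_MAGIC), ("rar", RAR_MAGIC)):
        if data.startswith(magic):
            return name
    return "unknown"

def is_disguised_archive(filename: str, data: bytes) -> bool:
    """True when a file named winmail.dat is really a ZIP/RAR archive."""
    return filename.lower() == "winmail.dat" and classify_winmail(data) in ("zip", "rar")

def autorun_target(inf_text: str) -> Optional[str]:
    """Program an autorun.inf launches via open=, shellexecute= or
    shell\\<verb>\\command= in its [autorun] section; None if there is none."""
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key in ("open", "shellexecute") or re.fullmatch(r"shell\\[^\\]+\\command", key):
                value = value.strip()
                if value.startswith('"'):            # quoted path, may contain spaces
                    return value[1:].split('"', 1)[0]
                return value.split()[0] if value else None   # drop any arguments
    return None

def autorun_matches_mabezat(inf_text: str) -> bool:
    """True when the launch target is zPharaoh.exe, the file name the alert reports."""
    target = autorun_target(inf_text)
    return target is not None and re.search(r"(^|[\\/])zpharaoh\.exe$", target, re.I) is not None

# Constructed samples for a local run; neither is real malware content.
SAMPLE_ZIP = ZIP_MAGIC + b"\x14\x00\x00\x00" + b"\x00" * 22 + b"Readme.doc.exe"
SAMPLE_INF = "[autorun]\r\nopen=zPharaoh.exe\r\nicon=zPharaoh.exe,0\r\n"
```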

What is particularly important about Win32.Worm.Mabezat.J is that it is also able to infect executable files by replacing the first 1768 bytes of the target executable with its own encrypted body. The worm always starts its infection campaign by compromising the Windows Media Player main executable, as well as some binary files in Outlook® Express™.

The Mabezat family is extremely dangerous: its members not only have the ability to infect binary files and occasionally destroy system files, but they can also collect email addresses from a variety of file formats (such as .XML, .PHP, .LOG, .CHM, .HLP, .CPP, .PAS, .XLS, .PPT, .PDF, .ASPX, .ASP, .HTML, .HTM, .RTF and .TXT) they find on the infected system. After it has compiled an e-mail list, the worm starts mass-mailing itself using its own SMTP engine.

In order to stay safe, BitDefender® recommends that you download, install and update a complete antimalware suite with antivirus, antispam, antiphishing and firewall protection, and that you exercise extra caution when prompted to open files from unfamiliar locations.

Bogdan never trusts anything until it is disassembled into small pieces and carefully inspected. The passion for writing and the almost obsessive attention to details are some of his greatest qualities and, at the same time, some of his greatest flaws.
