W32/Mabezat-A is a virus for the Windows platform which also spreads by copying itself to network shares and removable devices.
W32/Mabezat-A copies itself to removable devices with one or more of the following filenames:
"My documents .exe"
"Readme.doc .exe"
"tazebama.exe"
Note that the above filenames may have several space characters inserted between the stub and the extension, in the hope that the user will not notice the EXE extension and will click on the file, which will appear as a folder in Explorer.
When W32/Mabezat-A is installed the following files are created:
<System>\salo.exe - copy of the virus dropper
<Root>\1.txt - innocuous LOG file of the virus' activities
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    ShowSuperHidden = 0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit = <System>\userinit,salo.exe
The virus may also encrypt files (simple addition of 0x10 to every byte) with the following extensions: HLP, PDF, HTML, TXT, ASPX.CS, ASPX, PSD, MDF, RTF, HTM, PPT, PHP, ASP, PAS, H, CPP, XLS, DOC, RAR, ZIP and MDB.
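For recovery, the transform described above can be reversed by subtracting 0x10 from every byte. The following Python sketch is an added example, not code from the original description; it assumes the addition wraps modulo 256 and covers the whole file, and the signature table and function names are chosen for this example.

```python
"""Added example: undo the byte-wise +0x10 transform on affected files."""
KEY = 0x10  # value from the description above

# Leading signatures for some listed types (chosen for this example).
MAGIC = {
    "pdf": b"%PDF",
    "zip": b"PK\x03\x04",
    "rar": b"Rar!",
    "rtf": b"{\\rtf",
    "psd": b"8BPS",
    "doc": b"\xd0\xcf\x11\xe0",  # OLE2 container, also XLS and PPT
    "xls": b"\xd0\xcf\x11\xe0",
    "ppt": b"\xd0\xcf\x11\xe0",
}

# Assumption: the addition wraps modulo 256, so subtraction mod 256 undoes it.
SUB_TABLE = bytes((b - KEY) & 0xFF for b in range(256))
ADD_TABLE = bytes((b + KEY) & 0xFF for b in range(256))


def decode(data: bytes) -> bytes:
    """Subtract KEY from every byte."""
    return data.translate(SUB_TABLE)


def classify(data: bytes, ext: str) -> str:
    """Return 'clean', 'encoded' or 'unknown' from the file's first bytes."""
    magic = MAGIC.get(ext.lower().lstrip("."))
    if magic is None or len(data) < len(magic):
        return "unknown"  # text types (TXT, HTML, ...) have no signature
    if data.startswith(magic):
        return "clean"
    if decode(data[: len(magic)]) == magic:
        return "encoded"
    return "unknown"


def recover(data: bytes, ext: str) -> bytes:
    """Decode only when the signature confirms the transform was applied."""
    return decode(data) if classify(data, ext) == "encoded" else data


if __name__ == "__main__":
    original = b"%PDF-1.4\n\xf5\xff\x00 constructed sample"
    damaged = original.translate(ADD_TABLE)  # constructed input for the demo
    print(classify(damaged, "pdf"), recover(damaged, "pdf") == original)
```

Files without a fixed signature, such as TXT or HTML, are reported as unknown and left untouched, so they need manual inspection before decoding.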