Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 10 November 2007 14:58:09 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for disinfecting PE executables.
More Information
W32/Mabezat-A is a virus for the Windows platform which also spreads by copying itself to network shares and removable devices.
W32/Mabezat-A copies itself to removable devices with one or more of the following filenames:
"My documents .exe"
"Readme.doc .exe"
"tazebama.exe"
Note that the above filenames may have several space characters inserted between the stub and the extension, in the hope that the user will not notice the EXE extension and will click on the file, which will appear as a folder in Explorer.
When W32/Mabezat-A is installed, the following files are created:
<System>\salo.exe - copy of the virus dropper
<Root>\1.txt - innocuous LOG file of the virus' activities
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit,salo.exe
The virus may also encrypt files (simple addition of 0x10 to every byte) with the following extensions: HLP, PDF, HTML, TXT, ASPX.CS, ASPX, PSD, MDF, RTF, HTM, PPT, PHP, ASP, PAS, H, CPP, XLS, DOC, RAR, ZIP and MDB.
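The indicators above can be checked with a short triage script. This is an added example, not a Sophos tool: the function names are hypothetical, the magic-number table covers only some of the listed extensions, and the byte addition is assumed to wrap modulo 256 and to cover the file header.

```python
import re

# Header bytes for some of the file types the page lists (standard magic numbers).
MAGIC = {
    "pdf": b"%PDF", "zip": b"PK\x03\x04", "rar": b"Rar!", "rtf": b"{\\rtf",
    "doc": b"\xd0\xcf\x11\xe0", "xls": b"\xd0\xcf\x11\xe0", "ppt": b"\xd0\xcf\x11\xe0",
}
PADDED_EXE = re.compile(r"\s+\.exe$", re.IGNORECASE)  # whitespace before .exe
DROPPER_NAMES = {"tazebama.exe", "salo.exe"}           # names given on the page

def restore_bytes(data):
    """Undo the per-byte +0x10; assumes the addition wraps modulo 256."""
    return bytes((b - 0x10) & 0xFF for b in data)

def looks_encoded(filename, head):
    """True if the header matches its extension's magic only after restoring."""
    magic = MAGIC.get(filename.rsplit(".", 1)[-1].lower())
    if magic is None or head.startswith(magic):
        return False
    return restore_bytes(head[:len(magic)]) == magic

def is_suspicious_name(filename):
    """Flag the page's dropper names and any name with padding before .exe."""
    name = filename.strip()
    return name.lower() in DROPPER_NAMES or bool(PADDED_EXE.search(name))

def extra_userinit_entries(value):
    """Return Userinit entries other than userinit / userinit.exe."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        base = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if entry and base not in ("userinit", "userinit.exe"):
            extras.append(entry)
    return extras

if __name__ == "__main__":
    # Constructed samples, not taken from a real infection.
    encoded = bytes((b + 0x10) & 0xFF for b in b"%PDF-1.4\n")
    print(looks_encoded("report.pdf", encoded), restore_bytes(encoded))
    print(is_suspicious_name("Readme.doc     .exe"))
    print(extra_userinit_entries(r"C:\Windows\system32\userinit,salo.exe"))
```

Run `restore_bytes` only on a copy of an affected file, and confirm the restored header before replacing anything.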
