Malware-Loaded Archive File Accompanies Job-Related Spam E-mail

BitDefender UK : 04 March, 2010  (Technical Article)
BitDefender is warning job seekers to be wary of a new wave of employment-themed e-mails carrying the Win32.Worm.Mabezat.J worm inside a .RAR or .ZIP file, which deploys its malware payload when opened.
Win32.Worm.Mabezat.J may not be the new kid on the block, but the previous week has seen a surge of spam mail carrying carefully packed files infected with its code. Taking advantage of the precarious state of the global economy, cyber-criminals disguise their malicious payloads as legitimate job opportunities.

"In order to stay safe, computer users should ensure that they have installed a complete antimalware suite with antivirus, antispam, antiphishing and firewall protection. Never open files from unfamiliar locations," warns Catalin Cosoi, Senior Researcher at BitDefender.

The spam message comes with a variety of job-related e-mail subjects, such as 'Web designer vacancy', 'New work for you', 'Welcome to your new work', or 'We are hiring you'. It also carries an apparently harmless attachment called winmail.dat, the file that normally holds the Exchange Server® Rich Text Format (RTF) information for a message when the recipient's client cannot receive RTF messages directly.

However, this winmail.dat is in fact an archive that can be extracted with either WinRAR or WinZip. Disguising the archive this way ensures that the user can still extract the infected file, while preventing antimalware filters on mail servers from unpacking and analysing the archive's contents. Once extracted, the archive presents what appears to be a Word document called Readme.doc which, on closer inspection, proves to be an executable file infected with Win32.Worm.Mabezat.J.
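
As an added example (not part of BitDefender's article), the check a mail gateway could apply to the attachment described above: it classifies a winmail.dat by its leading bytes rather than its name, since a genuine winmail.dat is a TNEF file, and for a ZIP it looks for document-named entries that begin with the 'MZ' header of a Windows executable. The TNEF, ZIP and RAR signatures are the standard ones; the sample archive is constructed here and is not real malware.

```python
import io
import zipfile

# Leading bytes of each container: TNEF begins with the little-endian DWORD
# 0x223E9F78; the ZIP and RAR (v4 and v5) signatures are the standard ones.
TNEF_SIGNATURE = b"\x78\x9f\x3e\x22"
ZIP_MAGIC = b"PK\x03\x04"
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
DOCUMENT_EXTENSIONS = (".doc", ".docx", ".pdf", ".rtf", ".txt", ".xls")


def container_type(data: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring the file name."""
    if data.startswith(TNEF_SIGNATURE):
        return "tnef"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(RAR_MAGICS):
        return "rar"
    return "unknown"


def disguised_executables(zip_bytes: bytes) -> list:
    """ZIP entries with a document extension whose bytes start with 'MZ'."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(DOCUMENT_EXTENSIONS):
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":  # PE header of a Windows .exe
                        hits.append(info.filename)
    return hits


def assess_winmail(name: str, data: bytes) -> str:
    """Gateway verdict: a file named winmail.dat must be TNEF, not an archive."""
    if name.lower() != "winmail.dat":
        return "not-winmail"
    kind = container_type(data)
    if kind == "tnef":
        return "ok"
    if kind == "zip" and disguised_executables(data):
        return "quarantine: zip with disguised executable"
    return "suspicious: " + kind + " disguised as winmail.dat"


def build_sample_zip() -> bytes:
    """Constructed sample (not real malware): a 'Readme.doc' with an MZ header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Readme.doc", b"MZ" + b"\x00" * 62 + b"constructed stub")
    return buf.getvalue()
```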

Once opened, the supposed Readme file opens its own directory (the path where the worm is located) in Windows Explorer. The worm also writes an autorun.inf file to each drive, pointing to a newly created copy of itself called zPharaoh.exe.

What is particularly important about Win32.Worm.Mabezat.J is that it can also infect executable files, replacing the first 1768 bytes of each infected executable with its own encrypted body. The worm always starts its infection campaign by compromising the Windows Media Player main executable, as well as some binary files belonging to Outlook Express.

The Mabezat family is extremely dangerous: its members not only infect binary files and occasionally destroy system files, but also harvest e-mail addresses from a variety of file formats (such as .XML, .PHP, .LOG, .CHM, .HLP, .CPP, .PAS, .XLS, .PPT, .PDF, .ASPX, .ASP, .HTML, .HTM, .RTF and .TXT) found on the infected system. Once it has compiled an e-mail list, the worm starts mass-mailing itself using its own SMTP engine.
   © 2012 ProSecurityZone.com