Mabezat worm targets job seekers

03 March 2010

Reports are coming in about a worm that appears in an email, masquerading as a job offer or detailing job-related information. Known as Win32.Worm.Mabezat.J, the worm appears to be a variant of an earlier edition, but uses clever wording to persuade recipients to click through on to an infected web page.

According to Alexandru Catalin Cosoi, a senior researcher with BitDefender, in order to stay safe, computer users should ensure that they have installed a complete anti-malware suite with antivirus, antispam, anti-phishing and firewall protection.

"Never open files from unfamiliar locations", he said.

Cosoi said that the worm comes loaded in a spam message with a variety of job-related email subjects, such as 'Web designer vacancy', 'New work for you', 'Welcome to your new work', or 'We are hiring you'.

The email reportedly also contains an apparently harmless attachment called winmail.dat that is billed as being a Word RTF file.

Most tech-savvy users run the file through WinRAR or WinZip, which decodes the DAT file into its destination format but - crucially, Infosecurity notes - the anonymous nature of the DAT file means that most on-network IT security technologies miss the payload.

If extracted, the archive presents what appears to be an MS-Word document called Readme.doc, but - on closer inspection - proves to be an executable file infected with Win32.Worm.Mabezat.J.

Once opened, the alleged Readme file opens its own directory using Windows Explorer.

BitDefender's Cosoi says that the worm also writes an autorun.inf file on each drive pointing to a newly-created file called zPharaoh.exe.

"What is particularly important about Win32.Worm.Mabezat.J is the fact that it is also able to infect executable files by replacing the first 1768 bytes of the infected executable file with its own encrypted body. The worm always starts its infection campaign by compromising the Windows Media Player main executable, as well as some binary files in Outlook Express", he said.

"The Mabezat family is extremely dangerous: they not only have the ability to infect binary files and to occasionally destroy system files, but they can also collect email addresses from a variety of file formats (such as .XML, .PHP, .LOG, .CHM, .HLP, .CPP, .PAS, .XLS) on the infected system", he added.

"After it has compiled an e-mail list, the worm will start mass-mailing itself by using its own SMTP engine."
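
A defender-side check for two artefacts described above: the Readme.doc that is really an executable, and the autorun.inf pointing at zPharaoh.exe. This is an added example, not code from BitDefender or Infosecurity; the function names, the extension list, and the sample bytes and autorun.inf contents are assumptions constructed for illustration.

```python
import struct
from pathlib import PureWindowsPath

# Extensions a mail recipient would read as "document" (assumed list).
DOC_EXTENSIONS = {".doc", ".rtf", ".txt", ".pdf"}

def looks_like_pe(data: bytes) -> bool:
    # A PE file starts with "MZ"; the dword at 0x3C locates the PE signature.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"

def is_disguised_executable(filename: str, data: bytes) -> bool:
    # Flag files whose name claims a document but whose content is a PE image.
    suffix = PureWindowsPath(filename).suffix.lower()
    return suffix in DOC_EXTENSIONS and looks_like_pe(data)

def autorun_targets(autorun_text: str) -> list:
    # Collect the commands an autorun.inf would launch: the open and
    # shellexecute keys, plus any shell verb "command" entries.
    targets = []
    for line in autorun_text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if sep and (key in ("open", "shellexecute")
                    or (key.startswith("shell\\") and key.endswith("\\command"))):
            targets.append(value.strip())
    return targets

# Constructed sample data: a minimal MZ/PE header stub, an OLE2 document
# header, and an autorun.inf modelled on the article's description
# (none of it captured from a real sample).
SAMPLE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"
SAMPLE_OLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 120
SAMPLE_AUTORUN = "[autorun]\nopen=zPharaoh.exe\nshell\\open\\command=zPharaoh.exe\n"

if __name__ == "__main__":
    print(is_disguised_executable("Readme.doc", SAMPLE_PE))
    print(is_disguised_executable("Readme.doc", SAMPLE_OLE_DOC))
    print(autorun_targets(SAMPLE_AUTORUN))
```
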
 
