
Mabezat worm targets job seekers

03 March 2010

Reports are coming in about a worm that arrives in an email masquerading as a job offer or as job-related information. Known as Win32.Worm.Mabezat.J, the worm appears to be a variant of an earlier edition, but uses clever wording to persuade recipients to click through to an infected web page.

According to Alexandru Catalin Cosoi, a senior researcher with BitDefender, in order to stay safe, computer users should ensure that they have installed a complete anti-malware suite with antivirus, antispam, anti-phishing and firewall protection.

"Never open files from unfamiliar locations", he said.

Cosoi said that the worm comes loaded in a spam message with a variety of job-related email subjects, such as 'Web designer vacancy', 'New work for you', 'Welcome to your new work', or 'We are hiring you'.

The email reportedly also contains an apparently harmless attachment called winmail.dat that is billed as being a Word RTF file.

Most tech-savvy users run the file through WinRAR or WinZip, which decodes the DAT file into its destination format, but - crucially, Infosecurity notes - the anonymous nature of the DAT file means that most on-network IT security technologies miss the payload.

If extracted, the archive presents what appears to be an MS Word document called Readme.doc, but - on closer inspection - proves to be an executable file infected with Win32.Worm.Mabezat.J.

Once opened, the alleged Readme file opens its own directory using Windows Explorer.

BitDefender's Cosoi says that the worm also writes an autorun.inf file on each drive pointing to a newly-created file called zPharaoh.exe.

"What is particularly important about Win32.Worm.Mabezat.J is the fact that it is also able to infect executable files by replacing the first 1768 bytes of the infected executable file with its own encrypted body. The worm always starts its infection campaign by compromising the Windows Media Player main executable, as well as some binary files in Outlook Express", he said.

"The Mabezat family is extremely dangerous: they not only have the ability to infect binary files and to occasionally destroy system files, but they can also collect email addresses from a variety of file formats (such as .XML, .PHP, .LOG, .CHM, .HLP, .CPP, .PAS, .XLS) on the infected system", he added.

"After it has compiled an e-mail list, the worm will start mass-mailing itself by using its own SMTP engine."