This virus is really something!

My USB flash drive got a taste of one of the strongest viruses I have ever encountered!

I picked it up just earlier at an internet cafe near our place. It is really brutal, I swear!! It corrupted most of the files I had downloaded, including my portable apps! They spread through the USB drive so fast! I noticed that their file names kept changing but it was all the same kind of thing (in short, a polymorphic virus).


Good thing my antivirus killed it right away when I got back home, whew! hehe!

Well, I researched how it actually operates and what its modus operandi is, and here is what I found:

Names, aliases:

Win32/Mabezat.B (eTrust-Vet), Worm.Win32.Mabezat.b (F-Secure), Worm.Win32.Mabezat.b (Ikarus), Worm.Win32.Mabezat.b (Kaspersky), W32/Mabezat.a (McAfee), Win32/Mabezat.A (NOD32v2), Win32.Malware.gen!92 (Webwasher-Gateway)

Behavior:

Polymorphic parasitic file infector of executable files; uses removable media and shared folders on the LAN to propagate itself.

Description:

Once executed, the worm drops the following files in the folder %DriveLetter%\Documents and Settings:

tazebama.dll (32,768 bytes)
tazebama.dl_ (154,751 bytes)
hook.dl_ (154,751 bytes)

Modifies the following registry entry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"SuperHidden"=dword:00000000
"Hidden"=dword:00000001

Enables drive autorun by removing the following entry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"

It may also copy itself to the %UserProfile%\Local Settings\Application Data\Microsoft\CD Burning folder using the following filename:

zPharaoh.exe

Creates the following folder for its own use: %DriveLetter%\Documents and Settings\%UserProfile%\Application Data\tazebama

If the current system date matches the condition (year greater than or equal to 2012, month greater than or equal to 10 and day greater than or equal to 16), files with the following extensions are encrypted:

*.TXT
*.BAS
*.C
*.MDB
*.ZIP
*.RAR
*.DOC
*.XLS
*.CPP
*.H
*.PAS
*.ASP
*.PHP
*.PPT
*.HTM
*.RTF
*.MDF
*.PSD
*.ASPX
*.ASPX.CS
*.HTML
*.PDF
*.HLP

The "encryption" consists simply of adding 0x10 to each byte of the file.

Executable files infection:

The virus searches for executables on local drives and on the network. Executables are infected by overwriting the instructions at the entry point; the original code is then stored at the end of the file.

Propagation:

Copies itself to the root folder of drives using the following filename: zPharaoh.exe

The virus also creates the following file: autorun.inf

with the following content:

[AutoRun]
ShellExecute=zPharaoh.exe
shell\open\command=zPharaoh.exe
shell\explore\command=zPharaoh.exe
open=zPharaoh.exe

This causes the virus to be executed each time the user opens the corresponding removable drive using Windows Explorer.
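The byte-shift "encryption" and the dropped autorun.inf described above lend themselves to a small recovery and triage helper. The following is an added example, not code from the post or from any antivirus vendor: it undoes the 0x10 shift (assuming 8-bit wrap-around, which the description does not state), evaluates the date trigger exactly as worded, and lists which autorun.inf keys point at the dropped executable. All function names are my own.

```python
# Added example: defender-side helpers for the Mabezat behaviour described above.
from datetime import date
import re

SHIFT = 0x10                   # value the worm adds to each byte (from the description)
DROPPED_EXE = "zpharaoh.exe"   # name the worm copies itself as (from the description)

# Extensions listed in the description, lower-cased for comparison.
TARGET_EXTENSIONS = (
    ".txt", ".bas", ".c", ".mdb", ".zip", ".rar", ".doc", ".xls", ".cpp", ".h",
    ".pas", ".asp", ".php", ".ppt", ".htm", ".rtf", ".mdf", ".psd", ".aspx",
    ".aspx.cs", ".html", ".pdf", ".hlp",
)

def trigger_date_matches(d: date) -> bool:
    """Payload condition as the description words it: year, month and day are
    each compared separately, so 2013-11-20 matches but 2013-11-15 does not."""
    return d.year >= 2012 and d.month >= 10 and d.day >= 16

def is_targeted(filename: str) -> bool:
    """True if the file name carries one of the listed extensions."""
    return filename.lower().endswith(TARGET_EXTENSIONS)

def recover(data: bytes) -> bytes:
    """Undo the byte shift. Assumes 8-bit arithmetic: an original byte of
    0xF0..0xFF wrapped to 0x00..0x0F, so subtract modulo 256."""
    return bytes((b - SHIFT) & 0xFF for b in data)

def autorun_keys_pointing_to(autorun_text: str, exe: str = DROPPED_EXE) -> list:
    """Return the autorun.inf keys whose value launches `exe` (case-insensitive).
    A non-empty result on a removable drive is the indicator to act on."""
    hits = []
    for line in autorun_text.splitlines():
        m = re.match(r"\s*([^=;\[\]]+?)\s*=\s*(.+?)\s*$", line)
        if m and m.group(2).strip('"').lower().endswith(exe):
            hits.append(m.group(1).lower())
    return hits

if __name__ == "__main__":
    # Constructed sample: the autorun.inf content quoted in the post.
    sample_inf = ("[AutoRun]\nShellExecute=zPharaoh.exe\n"
                  "shell\\open\\command=zPharaoh.exe\n"
                  "shell\\explore\\command=zPharaoh.exe\nopen=zPharaoh.exe\n")
    print("suspicious autorun keys:", autorun_keys_pointing_to(sample_inf))
    # Constructed sample: "hello" with every byte shifted up by 0x10.
    shifted = bytes((b + SHIFT) & 0xFF for b in b"hello")
    print("recovered:", recover(shifted))
    print("trigger today:", trigger_date_matches(date.today()))
```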

Removal:

Remove infected files and restore them from backup.

This is the first time I have encountered a virus like this, so I was actually impressed by what it does. hehe... There is nothing more I can do to prevent viruses on USB drives, because they just keep coming back, especially when the drives are constantly exposed at internet cafes. Just keep them from reaching your PC's hard drive.
