Archive for November 25th, 2007

by Jonathan San Jose (Threats Analyst)

TrendLabs has received samples of a file-infecting virus that, interestingly, logs its own behavior for affected users to see (if they look hard enough). Perhaps it is taunting them? A closer look, after all, reveals that this malware is quite challenging to remove.

The virus is detected by Trend Micro as PE_MABEZAT.A-O. It searches for certain files, typically those related to MS Office and multimedia applications, which it encrypts before prepending its own code to them:

[Figure: PE_MABEZAT.A-O infection diagram]

The infected files are detected as PE_MABEZAT.A. Because the host files are encrypted, restoring them (which naturally includes removing the malicious code) can be tough. TrendLabs has therefore created a special fixtool for this.

Apart from its complex file-infection routine, PE_MABEZAT.A-O records its own behavior in a log file. That file simply lists the files it infected or attempted to infect:

[Figure: the 1.txt log file]

Finally, to ensure widespread infection, PE_MABEZAT.A-O also attempts to spread via fixed, network, and removable drives. It does this by enumerating drives C to Z on the affected system and dropping a copy of itself together with an AUTORUN.INF so that the copy executes automatically once the drive is accessed. It even attempts to spread via CD-ROMs by infecting files found in the CD-burning "staging area", usually located in C:\Documents and Settings\{user name}\Local Settings\Application Data\Microsoft\CD Burning.
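The drive-enumeration and AUTORUN.INF behavior described above can be checked from the defender's side. The following Python script is an added example, not Trend Micro's fixtool or any code from the post: it parses the [autorun] section of an AUTORUN.INF body, reports directives that would launch a program when the drive is opened, and walks the same drive letters (C to Z) plus the CD-burning staging folder named in the post. The sample INF content is constructed, and the staging path keeps the post's {user name} placeholder.

```python
import os
import string
from typing import Dict, List

# Roots the post says the virus seeds: drive letters C: to Z: and the
# CD-burning staging folder (path from the post; {user name} is a placeholder).
DRIVE_ROOTS = [f"{letter}:\\" for letter in string.ascii_uppercase[2:]]
CD_STAGING = (r"C:\Documents and Settings\{user name}\Local Settings"
              r"\Application Data\Microsoft\CD Burning")


def parse_autorun(text: str) -> Dict[str, str]:
    """Parse the [autorun] section of an AUTORUN.INF body into lowercase key -> value."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(text: str) -> List[str]:
    """Return the directives that would run a program when the drive is opened."""
    findings = []
    for key, value in parse_autorun(text).items():
        # open= / shellexecute= launch on open; shell\<verb>\command= backs Explorer verbs.
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches:
            findings.append(f"{key}={value}")
    return findings


def scan_roots(roots: List[str]) -> Dict[str, List[str]]:
    """Check each root for an AUTORUN.INF; return {path: findings} for those that launch code."""
    hits = {}
    for root in roots:
        path = os.path.join(root, "AUTORUN.INF")
        if os.path.isfile(path):
            with open(path, "r", errors="replace") as fh:
                found = autorun_findings(fh.read())
            if found:
                hits[path] = found
    return hits


# Constructed sample in the style an autorun worm drops at a drive root (not the real file).
SAMPLE = ("[AutoRun]\r\nOPEN=recycled\\worm.exe\r\n"
          "shell\\open\\command=recycled\\worm.exe\r\nicon=%SystemRoot%\\system32\\shell32.dll,4\r\n")

if __name__ == "__main__":
    print(autorun_findings(SAMPLE))
    print(scan_roots(DRIVE_ROOTS + [CD_STAGING]))
```

On a non-Windows host the drive roots do not exist and `scan_roots` simply returns an empty dictionary.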

Trend Micro products already detect this virus with the latest pattern file. Users are advised to update their patterns to avoid infection.



© Copyright 2008 Trend Micro Inc. All rights reserved.