TrendLabs has received samples of a file infecting virus that, interestingly, logs its own behavior for the affected users to see (if s/he looks hard enough). Maybe because it's taunting the said users? A closer look, after all, reveals that this malware is quite challenging to remove.
The virus is detected by Trend Micro as PE_MABEZAT.A-O. It searches for certain files – typically those related to MS Office and multimedia applications – which it encrypts before actually prepending its code onto theirs.

The infected files are detected as PE_MABEZAT.A. Given that the host files are encrypted, restoring them (which naturally includes ridding them of the malicious code) can be tough. TrendLabs has thus created a special fixtool for this.
Apart from its complex file infection routine, PE_MABEZAT.A-O monitors its own behavior by keeping a log file. The said file basically lists the files it infected or attempted to infect.

Finally, to ensure widespread infection, PE_MABEZAT.A-O also attempts to spread via fixed, networked, and removable drives. It does this by searching the affected system for drives C to Z, then dropping a copy of itself with an AUTORUN.INF to automatically execute once a drive is accessed. It even attempts to spread and infect via CD-ROMs by infecting files found in the CD burning “staging area”, usually located in C:\Documents and Settings\{user name}\Local Settings\Application Data\Microsoft\CD Burning.
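As an added illustration from the defender's side (not code from the original post or from Trend Micro), the following Python checks the root of drives C: to Z: for an AUTORUN.INF whose launch directives point at an executable, the hallmark of the drive-based spread described above. The AUTORUN.INF contents and the `RECYCLER\dropped.exe` path are constructed samples, not recovered from PE_MABEZAT.

```python
import os
import string
from typing import Dict, List

# [autorun] directives that start a program when the drive is opened; shell\<verb>\command= entries count too.
LAUNCH_KEYS = ("open", "shellexecute")
EXEC_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")
DRIVE_ROOTS = [f"{c}:\\" for c in string.ascii_uppercase[2:]]  # C: to Z:, the range the post names

# Constructed samples (not recovered from the malware): one launches a dropped exe, one only sets a label/icon.
SAMPLE_LAUNCHER = ("[AutoRun]\nopen=RECYCLER\\dropped.exe\n"
                   "shell\\open\\command=RECYCLER\\dropped.exe -s\nicon=setup.ico\n")
SAMPLE_BENIGN = "[autorun]\nlabel=Product CD\nicon=setup.ico\n"

def parse_autorun(text: str) -> Dict[str, str]:
    """[autorun] key -> value pairs, keys lower-cased; tolerant of junk lines and mixed-case headers."""
    directives: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives

def executable_launches(text: str) -> List[str]:
    """Launch directives whose program token (quoted or first word) ends in an executable extension."""
    hits = []
    for key, value in parse_autorun(text).items():
        is_launch = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        program = value[1:].partition('"')[0] if value.startswith('"') else value.partition(" ")[0]
        if is_launch and program.lower().endswith(EXEC_SUFFIXES):
            hits.append(value)
    return hits

def scan_drive_roots(roots: List[str] = DRIVE_ROOTS) -> Dict[str, List[str]]:
    """autorun.inf files at the given drive roots that launch an executable, as {path: launch values}."""
    findings: Dict[str, List[str]] = {}
    for path in (os.path.join(r, "autorun.inf") for r in roots):
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                hits = executable_launches(fh.read())
            if hits:
                findings[path] = hits
    return findings
```

Run `scan_drive_roots()` on a Windows host to list drive roots carrying an executable-launching AUTORUN.INF; the same parser can be pointed at files recovered from a CD-burning staging area.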
Trend Micro products already detect this virus with the latest pattern file. Users are advised to update their patterns to avoid infection.