    8:27 am (UTC-7)   |    by

    TrendLabs has received samples of a file-infecting virus that, interestingly, logs its own behavior for the affected users to see (if s/he looks hard enough). Maybe because it's taunting the said users? A closer look, after all, reveals that this malware is quite challenging to remove.

    The virus is detected by Trend Micro as PE_MABEZAT.A-O. It searches for certain files – typically those related to MS Office and multimedia applications – which it encrypts before actually prepending its code onto theirs:

    PE_MABEZAT.A-O Infection Diagram

    The infected files are detected as PE_MABEZAT.A. Given that the host files are encrypted, restoring them (which naturally includes removing the malicious code) can be tough. TrendLabs has thus created a special fixtool for this.

    Apart from its complex file infection routine, PE_MABEZAT.A-O monitors its own behavior by keeping a log file. The said file basically lists the files it infected or attempted to infect:

    1.txt Log File

    Finally, to ensure widespread infection, PE_MABEZAT.A-O also attempts to spread via fixed, networked, and removable drives. It does this by searching the affected system for drives C to Z, then dropping a copy of itself with an AUTORUN.INF to automatically execute once a drive is accessed. It even attempts to spread and infect via CD-ROMs by infecting files found in the CD burning “staging area”, usually located in C:\Documents and Settings\{user name}\Local Settings\Application Data\Microsoft\CD Burning.
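
To check a system for the AUTORUN.INF propagation described above, the following added example (not part of the original post and not Trend Micro's fixtool) parses AUTORUN.INF content and lists the entries that launch a program, then applies that to the roots of drives C to Z. The sample content and the file name `dropped_copy.exe` are constructed placeholders, not values taken from the malware.

```python
import os
import re
import string

# Keys in an [autorun] section that make Windows launch a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def launch_targets(text):
    """Return (key, command) pairs from the [autorun] section of AUTORUN.INF text."""
    found, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        key, sep, value = line.partition("=")
        if in_autorun and sep and LAUNCH_KEY.match(key.strip()) and value.strip():
            found.append((key.strip().lower(), value.strip()))
    return found

def scan_drive_roots(letters=string.ascii_uppercase[2:]):
    """Check the roots of drives C to Z and report AUTORUN.INF launch entries."""
    report = {}
    for letter in letters:
        path = f"{letter}:\\autorun.inf"
        if os.path.isfile(path):
            with open(path, "r", errors="replace") as fh:
                hits = launch_targets(fh.read())
            if hits:
                report[path] = hits
    return report

# Constructed sample; the file name is a placeholder, not taken from the malware.
SAMPLE = """; junk line
[AutoRun]
OPEN=dropped_copy.exe
shell\\open\\Command = dropped_copy.exe
icon=folder.ico
[other]
open=ignored.exe
"""

if __name__ == "__main__":
    print(launch_targets(SAMPLE))
    print(scan_drive_roots())
```

Any entry reported for a fixed or network drive root deserves a look, since legitimate AUTORUN.INF files normally appear only on installation media.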

    Trend Micro products already detect this virus with the latest pattern file. Users are advised to update their patterns to avoid infection.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice