W32.Mabezat.A


Aliases: Worm.Mabezat.B, Worm.Win32.Mabezat.a, W32/UA07, PE_MABEZAT.A, W32/Mabezat-A
Variants: Virus:Win32/Mabezat.A, Worm.Win32.Mabezat.a, Win32/Mabezat.worm.29366, W32/Mabzat-A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 12 Nov 2007
Damage: Low

Characteristics: W32.Mabezat.A takes advantage of weakly protected network shares and removable storage devices to spread its code to other vulnerable computer systems. The presence of this malware results in the infection of multiple file variants on the compromised machine, possibly causing them to fail to execute. This worm represents an enhanced and blended version of the Mabezat malware family, combining automatic execution and polymorphic techniques into a single threat.

More details about W32.Mabezat.A

Many antivirus vendors describe W32.Mabezat.A as a combination of a polymorphic worm and a virus with an automatic execution function. A dangerous property of this threat is that it exhibits characteristics of ransomware, which attempts to prevent the computer user from accessing the contents of their computer system. W32.Mabezat.A places an executable file together with an information file on removable storage devices and network shares, which allows it to spread its infection when the drive or device is accessed. This threat may move through network shares using Anonymous or Administrator usernames. It creates at least two executable copies of itself in network shares, using filenames that attempt to mimic legitimate processes.
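A defensive check for the spreading method described above, added here as an example and not taken from any vendor write-up: it parses an autorun-style information file at the root of a mounted volume and lists the programs that file would launch. It assumes the "information file" is a Windows `autorun.inf`, which the page does not name; the function names and the sample file name are hypothetical.

```python
import os
import re
import tempfile

EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")
# [autorun] keys that start a program when the volume is opened
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

def autorun_targets(text):
    """Return (key, program) pairs from the [autorun] section that launch something."""
    hits, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key) and value:
            # The program is the first token; a quoted path may contain spaces
            program = value[1:].split('"', 1)[0] if value.startswith('"') else value.split()[0]
            hits.append((key.lower(), program))
    return hits

def scan_root(root):
    """List (key, program, present_on_volume) for executable launch entries under root."""
    names = {n.lower(): n for n in os.listdir(root)}  # file name case varies per volume
    if "autorun.inf" not in names:
        return []
    with open(os.path.join(root, names["autorun.inf"]), errors="replace") as fh:
        entries = autorun_targets(fh.read())
    findings = []
    for key, program in entries:
        if program.lower().endswith(EXEC_EXT):
            rel = program.replace("\\", os.sep).lstrip(os.sep)
            findings.append((key, program, os.path.isfile(os.path.join(root, rel))))
    return findings

if __name__ == "__main__":
    # Constructed sample volume: an information file pointing at a dropped executable
    with tempfile.TemporaryDirectory() as vol:
        with open(os.path.join(vol, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\nopen=sample_dropper.exe\n")
        with open(os.path.join(vol, "sample_dropper.exe"), "wb"):
            pass
        print(scan_root(vol))
```

A finding whose third field is true means the volume carries both the launch entry and the program it names, which is the pairing the description above attributes to this worm's spreading routine.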

W32.Mabezat.A searches storage devices for executable files on which to run its infection routine, which begins by encrypting the contents of the original file. Once the executable file has been successfully encrypted, a new file containing the malware's resources is created using the icon of the original file. W32.Mabezat.A does this to trick the computer user into thinking that the original, legitimate file still exists. When accessed, the executable file establishes the infection on the compromised machine. W32.Mabezat.A also attempts to locate data files and encrypt them.