Bitdefender
Resource Center


March 2010

Virus Targets Job Seekers

Cyber-criminals exploit precarious economy with topical spam

Win32.Worm.Mabezat.J may not be the new kid on the block, but the previous week has seen a surge of spam mail carrying carefully packed files infected with its code. Taking advantage of the precarious state of the global economy, cyber-criminals disguise their malicious payloads as legitimate job opportunities.

“In order to stay safe, computer users should ensure that they have installed a complete antimalware suite with antivirus, antispam, antiphishing and firewall protection. Never open files from unfamiliar locations,” warns Catalin Cosoi, Senior Researcher at BitDefender.

The spam message comes with a variety of job-related email subjects, such as ‘Web designer vacancy’, ‘New work for you’, ‘Welcome to your new work’, or ‘We are hiring you’. It also contains an apparently harmless attachment called winmail.dat – a file that is supposed to contain the Exchange Server® RTF information for the message, if the recipient’s client cannot receive messages in Rich Text Format (RTF).

In this case, however, the winmail.dat attachment is not Exchange metadata at all but an archive that can be extracted with either WinRar® or WinZip™. The misleading name ensures that the user can still extract the infected file, while preventing antimalware filters on mail servers from unpacking and analyzing the contents of the archive. Once extracted, the archive yields what appears to be a Word document called Readme.doc, which – on closer inspection – proves to be an executable file infected with Win32.Worm.Mabezat.J.
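As an added illustration (not Bitdefender's code), the following Python check shows how a mail filter can catch the trick described above: it identifies a winmail.dat attachment by its leading bytes rather than its name, and looks inside a ZIP for a document-named member that actually carries an executable header. The sample archive is constructed inline; the RAR case is only classified, not unpacked, since the standard library has no RAR reader.

```python
import io
import zipfile

# Well-known file signatures used to identify content by its bytes, not its name.
TNEF_MAGIC = b"\x78\x9f\x3e\x22"   # 0x223E9F78 little-endian: a genuine winmail.dat
ZIP_MAGIC = b"PK\x03\x04"
RAR_MAGIC = b"Rar!\x1a\x07"
PE_MAGIC = b"MZ"                   # DOS/PE executable header

def classify(data: bytes) -> str:
    """Identify an attachment container by its leading bytes."""
    if data.startswith(TNEF_MAGIC):
        return "tnef"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"

def suspicious_members(zip_bytes: bytes) -> list:
    """Names of ZIP members with a document extension whose content starts
    with an executable header (e.g. a 'Readme.doc' that is really a PE file)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            head = zf.open(name).read(2)
            if name.lower().endswith((".doc", ".txt", ".pdf")) and head == PE_MAGIC:
                found.append(name)
    return found

def check_attachment(filename: str, data: bytes) -> list:
    """Findings for one attachment; an empty list means nothing odd was seen."""
    findings = []
    kind = classify(data)
    if filename.lower() == "winmail.dat" and kind != "tnef":
        findings.append(f"winmail.dat is really a {kind} container, not TNEF")
    if kind == "zip":
        for member in suspicious_members(data):
            findings.append(f"archive member {member} is a PE executable")
    return findings

def build_sample() -> bytes:
    """Constructed sample: a ZIP holding 'Readme.doc' with a fake DOS header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Readme.doc", b"MZ" + b"\x90" * 62)  # harmless stub, not malware
    return buf.getvalue()

if __name__ == "__main__":
    for line in check_attachment("winmail.dat", build_sample()):
        print(line)
```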

Once opened, the alleged Readme file would open its own directory (the path where the worm is located) using Windows® Explorer. The worm would also write an autorun.inf file on each drive pointing to a newly-created file called zPharaoh.exe (an instance of itself).

What is particularly important about Win32.Worm.Mabezat.J is the fact that it is also able to infect executable files by replacing the first 1768 bytes of the infected executable file with its own encrypted body. The worm always starts its infection campaign by compromising the Windows Media Player main executable, as well as some binary files in Outlook® Express™.

The Mabezat family is extremely dangerous: its members not only infect binary files and occasionally destroy system files, but also harvest email addresses from a variety of file formats (such as .XML, .PHP, .LOG, .CHM, .HLP, .CPP, .PAS, .XLS, .PPT, .PDF, .ASPX, .ASP, .HTML, .HTM, .RTF and .TXT) found on the infected system. Once it has compiled an e-mail list, the worm starts mass-mailing itself using its own SMTP engine.


* * *

About Bitdefender®
Bitdefender is the creator of one of the world's fastest and most effective lines of internationally certified internet security software. Since 2001, the company has been an industry pioneer, introducing and developing award-winning protection. Today, Bitdefender technology secures the digital experience of around 400 million home and corporate users across the globe.

Recently, the company has won a range of key independent recommendations in the US, UK and across Europe, including ConsumerSearch, Which?, Stiftung Warentest and Taenk. Bitdefender antivirus technology has also finished top in leading industry tests from both AV Test and AV-Comparatives. More information about Bitdefender's antivirus products is available from the company's security solutions press room. Additionally, Bitdefender publishes Malware City providing the latest updates on security threats and helping users stay informed in the everyday battle against malware.

