The worm has a folder-like icon. When executed, it will open its own directory (the path where the worm is located) into windows explorer.
It will then create an autorun.inf file on each drive, and it will copy itself under the name of zPharaoh.exe. The autorun.inf file will be created in such a way that, each time you acces an infected drive, the worm will be executed. It will then create the directory tazebama in the %Appdata% of the current user. It also removes the registry key:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explore\NoDriveTypeAutorun
to make sure autorun option isn't disabled and creates the following registry key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Exchange.
This worm also has the abilities to infect executable files (it replaces 1768 bytes from the entry point and then appends it's encrypted body as an overlay). It can infect files from any drive that isn't write-protected (including removable drives).
The infection always begins with:%program files%\Windows Media player\wmplayer.exe
%program files%\Outlook Express\msimn.exe
%program files%\Outlook Express\wab.exe
%program files%\Outlook Express\wabmig.exe
When one of this infected files is executed, it will drop a file named tazebama.dll in %documents and settings% folder and will create more copies of itself in the same folder.
After creating these files, it will execute the file %documents and settings%\hook.dl_, which will remain
memory resident even after its parent process terminates execution and the library tazebama.dll will be loaded by each
infected running process. This library will then hook several API functions (operating system routines) in order to infect
more files. The virus could miss-infect installer-kits or ordinary programs, causing them the function incorrectly or
damaging them permanently. The memory resident code will make sure that zPharaoh.exe and autorun.inf are copied to every drive (even network shares, if they are mapped as a drive).
It also maintains a log file (zPharaoh.dat) in the directory %appdata% of the current user. This log contains the sequence "tazebama trojan log file" at the begining and is used to store e-mail addresses gathered from .XML, .PHP, .LOG, .CHM,
.HLP, .CPP, .PAS, .XLS, .PPT, .PDF, .ASPX, .ASP, .HTML, .HTM, .RTF and .TXT files found on the infected system.
The worm has the ability to spread over the local network by infecting shares when they are accesed. It will infect the share just like an ordinary drive, and, in every directory, it will make 2 copies of itself. The name of the first file varies, and might be one of the following:WinrarSerialInstall.exe
KasperSky 6.0 key.doc.exe
Make Windows Original.exe
The other copy will have the same name as the directory.
It is also a mass mailer; it uses its own SMTP engine to send e-mails at addresses harvested from the victim's computer.
E-mails may look like this:Attachement:
1 : If a man commits adultery with a woman, then it is not permissible for him to marry her mother or her daughters.
2 : If a woman out of sexual passion and with evil intent commits sexual intercourse with a man, then it is not permissible
for the mother or daughters of that woman to merry that man. In the same way, the man who committed sexual intercourse with a woman, because prohibited for her mother and daughters.
Download the attached article to read.Subject:
ABOUT PEOPLE WITH WHOM MATRIMONY IS PROHIBITEDAttachement:
The attached article is on "how to make a folder password". If your are interested in this article download it, if you are not delete it.Subject:
The debate is no longer about whether Canada should remain open to immigration. That debate became moot when Canadians realized that low birth rates and an aging population would eventually lead to a shrinking populace. Baby bonuses and other such incentives couldn't convince Canadians to have more kids, and demographic experts have forecasted that a Canada without immigration would pretty much disintegrate as a nation by 2050.
Download the attached file to know about the required forms.
The sender of this email got this article from our side and forwarded it to you.Subject:
Nowadays, the viruses have become one of the most dangerous systems to attack the computers. There are a lot of kinds of viruses.
The common and popular kind is called "Trojan.Backdoor" which runs as a backdoor of the victim machine. This enables the virus to have a full remote administration of the victim machine. To read the full story about the viruses history since 1970 download the attached and decompress It by WinRAR.
The sender has red the story and forwarded it to you.Subject:
Fortunately, we have recently received your CV/Resume from moister web site
and we found it matching the job requirements we offer.
If your are interested in this job Please send us an updated CV showing the required items with the attached file that we sent.
Thanks & Regards,
Web designer vacancyAttachement:
MBA (Master of business administration ) one of the most required degree around the world. We offer a lot of books helping you to
gain this degree. We attached one of our .doc word formatted books on "Marketing basics" to download.
Our web site http://www.[removed].edu.cr/mba/info.htm
The sender has added your name to be informed with our services.Subject:
MBA new visionAttachement:
When I had opened your last email I received some errors have been saved in the attached file.
Please inform me with those errors as soon as possible.Subject:
Unfortunately, I received unformatted email with an attached file from you. I couldn't understand what is behind the words.
I wish you next time send me a readable file!.
I forwarded the attached file again to evaluate your self.
"%s" a "%s\%s.rar" "%s\%s"
where "%s" can be any sequence of characters.
In each case, the attachement is the actual virus. The e-mails may also contain the strings:
"The original file name is %s and compressed by WinRAR no virus found. (where %s is the file name)."
"Use WinRAR to decompress the file."