Win32.Worm.Mafraz.A

VERY LOW
VERY LOW
152062 B (main exe file)

Symptoms

- presence of a "Global\Global.exe" file on every drive
- presence of a hidden autorun.inf file on every drive, pointing to the file described above
- Task Manager is disabled
- unusual internet activity
- presence of the files:
%windir%\system32\sistema\Global.exe
%windir%\system32\Global.exe
%programfiles%\Messenger Plus! Live\Scripts\MSN PLUS\MSN PLUS.js
- presence of the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrenVersion\Run\Windows
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\legalnoticecaption
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\legalnoticetext with the value: "Global By AZAFRAM"
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\nodispcpl

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Lutas Andrei Vlad, virus researcher

Technical Description:

The detection name covers all four components of the worm:

- the main executable file
- the autorun.inf file
- the infected JavaScript
- the batch file itself

This malware comes bundled inside a Delphi executable, which is nothing but a file generated by the Quick Batch File compiler. QBF is used to "compile" batch files into executables; "compile" is not really the right term, since it only generates an executable that embeds the batch file and then drops and runs that batch file from the temp folder.

When run, the executable drops the malicious batch file and executes it. The batch file performs the following modifications on the system:
- will create a folder named "Global" in the root directory of every drive and copy itself into each of these folders as Global.exe
- will create an autorun.inf file (with the hidden attribute) on every drive, which runs Global.exe every time the affected drive is accessed
- will disable Task Manager
- will make another copy of itself as %windir%\system32\sistema\Global.exe or %windir%\system32\Global.exe (with the hidden attribute)
- will add the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrenVersion\Run\Windows,
pointing to the file described above, in order to get executed every time Windows starts
- if it finds winrar.exe, will create the file: %windir%\system32\Global\Fotos-Caos-Global.rar, which is nothing but the original executable, packed with winrar
- if it finds MSN Messenger installed, it will create the following file:
%programfiles%\Messenger Plus! Live\Scripts\MSN PLUS\MSN PLUS.js
and it will modify the following registry key:
HKEY_CURRENT_USER\Software\Patchou\Messenger Plus! Live\GlobalSettings\Scripts\MSN PLUS

This script is used to infect other machines via MSN. The process works as follows: when a new chat window is created, i.e. when someone on an infected computer is contacted, the JavaScript is executed and attempts to send the file %windir%\system32\Global\Fotos-Caos-Global.rar along with some text meant to trick the unsuspecting user into downloading and executing the file. The text may contain the following strings:
En El 2009 Por El Calentamiento Global
(-AZAFRAM-)
Visita forolibre.com.ar y registrate

- it will connect to an FTP server (ftp.byeth[removed].com), log in with a predefined username and password, and upload a file named %username%.txt (where %username% is the name of the currently logged-on user), into which it writes, among other things, the day and time of the infection and the IP configuration of the infected computer.

- will add the following registry keys:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\legalnoticecaption
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\legalnoticetext with the value: "Global By AZAFRAM"
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\nodispcpl

- will change Internet Explorer's start page to http://foro[removed].com.ar
- will hide every file inside Windows and Windows\System32 by setting their attributes to hidden.
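A host-side check for the file-system symptoms listed above and the drive-infection behaviour just described, added here as an example and not Bitdefender's own tool: it inspects a drive root for the Global\Global.exe copy and for an autorun.inf whose launch keys point at it, and on Windows also reports the hidden attribute. The autorun.inf launch keys it reads are the standard ones (open, shellexecute, shell\open\command), the sample drive it builds is constructed data, and the registry symptoms are not covered.

```python
import configparser, os, stat, tempfile
from pathlib import Path

# Indicators from the symptom list on this page; the autorun.inf keys are the standard launch keys.
DROPPER_RELPATH = Path("Global") / "Global.exe"
AUTORUN_KEYS = ("open", "shellexecute", "shell\\open\\command")

def is_hidden(path: Path) -> bool:
    """Windows hidden attribute; always False on other platforms."""
    return os.name == "nt" and bool(path.stat().st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN)

def autorun_targets(autorun: Path) -> list[str]:
    """Every launch target named in the [autorun] section of an autorun.inf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True, delimiters=("=",))
    try:
        cp.read_string(autorun.read_text(errors="ignore"))
    except configparser.Error:
        return []  # unparsable file: report nothing rather than abort the scan
    targets = []
    for name in cp.sections():
        if name.lower() == "autorun":  # the section name is matched case-insensitively
            targets += [v for k in AUTORUN_KEYS if (v := cp[name].get(k))]
    return targets

def scan_drive_root(root: Path) -> list[str]:
    """Findings for one drive root; an empty list means none of the file symptoms is present."""
    findings = []
    dropper = root / DROPPER_RELPATH
    if dropper.is_file():
        findings.append(f"{dropper}: worm copy present")
    autorun = root / "autorun.inf"
    if autorun.is_file():
        for target in autorun_targets(autorun):
            if "global.exe" in target.lower():
                findings.append(f"{autorun}: launch target '{target}' points at Global.exe")
        if is_hidden(autorun):
            findings.append(f"{autorun}: hidden attribute set")
    return findings

def scan_constructed_sample(infected: bool = True) -> list[str]:
    """Scan a throwaway drive root; with infected=True it mimics the symptoms (constructed data)."""
    root = Path(tempfile.mkdtemp())
    if infected:
        (root / "Global").mkdir()
        (root / "Global" / "Global.exe").write_bytes(b"MZ placeholder, not the real worm")
        (root / "autorun.inf").write_text("[AutoRun]\nopen=Global\\Global.exe\nicon=Global\\Global.exe,0\n")
    return scan_drive_root(root)

if __name__ == "__main__":  # on a live Windows host, pass every drive root, e.g. Path("D:\\")
    print(scan_drive_root(Path(os.environ.get("SystemDrive", "") + os.sep)) or "clean")
```

Only launch keys are reported, so an icon= entry referencing Global.exe does not by itself count as a finding.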