
Win32.Worm.Mafraz.A


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Win32.Worm.Mafraz.A.

Explanation :

The detection name covers all four components of the worm:

the main executable file
the autorun.inf file
the infected JavaScript
the batch file itself

This malware comes bundled inside a Delphi executable generated by Quick Batch File Compiler (QBFC). QBFC is used to "compile" batch files into executables, but "compile" is the wrong word: it only produces an executable that embeds the batch file and, when launched, drops that batch file into the temp folder and runs it.
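Because the wrapper has to write the batch file to disk in clear text before cmd.exe can run it, the quickest way to recover the worm's full command list is to catch that drop. The script below is an added example for triage in an analysis VM, not part of the BitDefender description: it watches %TEMP% and copies every new .bat/.cmd to an evidence folder before the sample can delete it. The evidence path is an assumption for illustration.

```powershell
# Added example, not part of the BitDefender description: capture the batch
# file that a QBFC-style wrapper drops into %TEMP% before it is deleted.
# Start this in the analysis VM, then detonate the sample.
# The evidence folder below is an assumption for illustration.
$EvidenceDir = 'C:\evidence'
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $env:TEMP
$watcher.IncludeSubdirectories = $true   # some wrappers use a random sub-folder
$watcher.EnableRaisingEvents = $true

$onCreated = {
    $path = $Event.SourceEventArgs.FullPath
    if ($path -match '\.(bat|cmd)$') {
        Start-Sleep -Milliseconds 200    # give the dropper time to finish writing
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        $dest  = Join-Path $Event.MessageData ("{0}_{1}" -f $stamp, (Split-Path $path -Leaf))
        try {
            Copy-Item -LiteralPath $path -Destination $dest -Force
            Write-Host "[+] saved dropped batch file to $dest"
        } catch {
            Write-Host "[-] could not copy $path : $_"
        }
    }
}
# MessageData carries the evidence path into the event action's own scope
Register-ObjectEvent -InputObject $watcher -EventName Created `
    -SourceIdentifier TempBatCreated -MessageData $EvidenceDir -Action $onCreated | Out-Null

Write-Host "Watching $($watcher.Path) for .bat/.cmd drops; run the sample now."
# When finished:  Unregister-Event -SourceIdentifier TempBatCreated; $watcher.Dispose()
```

The copy is the worm's actual logic (the reg, attrib, copy and ftp commands summarised below), so it can be read directly instead of being reverse engineered out of the wrapper.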

When run, the executable drops the malware batch file and executes it. The batch file performs the following modifications on the system:
- will create a folder named "Global" in the root directory of every drive, and will copy itself as Global.exe inside these folders
- will create a hidden autorun.inf file on every drive, which runs Global.exe every time the affected drive is accessed
- will disable Task Manager
- will make another hidden copy of itself as %windir%\system32\sistema\Global.exe or %windir%\system32\Global.exe
- will add the following registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows,
pointing to the file described above, so that it is executed every time Windows starts
- if it finds winrar.exe, will create the file %windir%\system32\Global\Fotos-Caos-Global.rar, which is nothing but the original executable packed with WinRAR
- if it finds MSN Messenger installed, will create the following file:
%programfiles%\Messenger Plus! Live\Scripts\MSN PLUS\MSN PLUS.js
and will modify the following registry key:
HKEY_CURRENT_USER\Software\Patchou\Messenger Plus! Live\GlobalSettings\Scripts\MSN PLUS

This script is used to spread to other machines via MSN. The process works as follows: when a new chat window is created, i.e. when someone on an infected computer is contacted, the JavaScript is executed and attempts to send the file %windir%\system32\Global\Fotos-Caos-Global.rar along with some text meant to trick the unaware recipient into downloading and executing the file. The text may contain the following strings:
En El 2009 Por El Calentamiento Global
(-AZAFRAM-)
Visita forolibre.com.ar y registrate

- will connect to an FTP server (ftp.byeth[removed].com), log in with a hard-coded user name and password, and upload a file named %username%.txt (where %username% is the name of the currently logged-on user) containing, among other things, the date and time of the infection and the IP configuration of the infected computer

- will set the following registry values:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\legalnoticecaption
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\legalnoticetext, with the value "Global By AZAFRAM" (shown as a banner at logon)
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\nodispcpl (hides the Control Panel)

- will change Internet Explorer's start page to http://foro[removed].com.ar
- will hide every file inside Windows and Windows\System32 by setting the hidden attribute on them.
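The list above is also a usable indicator set. The following script is an added example, not BitDefender's tool or anything from the page: it audits a host for each artefact described (drive-root copies and autorun.inf, the system32 copies and RAR lure, the Messenger Plus! script and key, the Run value, the policy and Winlogon values, the IE start page, mass hidden attributes) and, with -Fix, quarantines the files and removes the persistence. Assumptions not stated on the page: Task Manager is taken to be disabled through the usual DisableTaskMgr policy value; the FTP host and forum domain are redacted on the page, so the start-page check matches only the visible "foro ... .com.ar" fragment; the quarantine path and the hidden-file threshold are arbitrary. Requires PowerShell 3 or later, run elevated as the infected user (the HKCU checks are per profile).

```powershell
# Added example, not BitDefender's tool: audit a Windows host for the
# artefacts listed above and, with -Fix, quarantine files and remove persistence.
# Run from an elevated PowerShell as the affected user (HKCU checks are per profile).
# Assumptions: DisableTaskMgr as the value behind "disables Task Manager",
# the quarantine folder, the hidden-file threshold, and the start-page regex
# (the real domain is redacted on the page). Everything else is from the description.
[CmdletBinding()]
param([switch]$Fix, [string]$Quarantine = 'C:\quarantine')

$hits = New-Object System.Collections.Generic.List[string]
function Note([string]$msg) { $script:hits.Add($msg); Write-Host "[!] $msg" }

if ($Fix) {
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    Get-Process -Name Global -ErrorAction SilentlyContinue | Stop-Process -Force  # running copy
}

# 1. Global\Global.exe and a hidden autorun.inf in the root of every drive
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $autorun = Join-Path $drive.Root 'autorun.inf'
    $copy    = Join-Path $drive.Root 'Global\Global.exe'
    if ((Test-Path -LiteralPath $autorun) -and
        ((Get-Content -LiteralPath $autorun -ErrorAction SilentlyContinue) -match 'Global\.exe')) {
        Note "autorun.inf on $($drive.Root) launches Global.exe"
        if ($Fix) { Move-Item -LiteralPath $autorun -Destination (Join-Path $Quarantine "autorun_$($drive.Name).inf") -Force }
    }
    if (Test-Path -LiteralPath $copy) {
        Note "dropped copy: $copy"
        if ($Fix) { Move-Item -LiteralPath $copy -Destination (Join-Path $Quarantine "Global_$($drive.Name).exe") -Force }
    }
}

# 2. Copies under system32, the WinRAR-packed lure and the Messenger Plus! script
$files = @(
    (Join-Path $env:windir 'system32\sistema\Global.exe'),
    (Join-Path $env:windir 'system32\Global.exe'),
    (Join-Path $env:windir 'system32\Global\Fotos-Caos-Global.rar'),
    (Join-Path $env:ProgramFiles 'Messenger Plus! Live\Scripts\MSN PLUS\MSN PLUS.js')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        Note "dropped file: $f"
        if ($Fix) { Move-Item -LiteralPath $f -Destination $Quarantine -Force }
    }
}

# 3. Registry persistence, policy changes, logon banner and start page
$regChecks = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';             Name = 'Windows';            Fix = 'Remove' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr';     Fix = 'Remove' },  # assumed
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'NoDispCPL';          Fix = 'Remove' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon';     Name = 'LegalNoticeCaption'; Fix = 'Blank'  },
    @{ Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon';     Name = 'LegalNoticeText';    Fix = 'Blank'  },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                 Name = 'Start Page';         Fix = 'Blank'  }
)
foreach ($c in $regChecks) {
    $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $val = [string]$item.($c.Name)
    if ($val -eq '') { continue }   # LegalNotice* exist empty on a clean system
    if ($c.Name -eq 'Start Page' -and $val -notmatch 'foro.*\.com\.ar') { continue }  # domain redacted on the page
    Note "$($c.Path)\$($c.Name) = '$val'"
    if ($Fix) {
        if ($c.Fix -eq 'Blank') { Set-ItemProperty -LiteralPath $c.Path -Name $c.Name -Value '' }
        else { Remove-ItemProperty -LiteralPath $c.Path -Name $c.Name }
    }
}
$plusKey = 'HKCU:\Software\Patchou\Messenger Plus! Live\GlobalSettings\Scripts\MSN PLUS'
if (Test-Path -LiteralPath $plusKey) {
    Note "Messenger Plus! script registered: $plusKey"
    if ($Fix) { Remove-Item -LiteralPath $plusKey -Recurse -Force }
}

# 4. Mass hidden attributes in %windir% and system32 (reported only; review before attrib -h)
foreach ($dir in @($env:windir, (Join-Path $env:windir 'system32'))) {
    $hidden = @(Get-ChildItem -LiteralPath $dir -Force -File -ErrorAction SilentlyContinue |
                Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden })
    if ($hidden.Count -gt 50) { Note "$($hidden.Count) hidden files in $dir (threshold is arbitrary)" }
}

if ($hits.Count -eq 0) { Write-Host 'No Mafraz.A artefacts found.' }
$hits
```

Run it once without -Fix to see the findings, then with -Fix after confirming Global.exe is no longer running; the hidden-attribute finding is left for manual review because un-hiding everything under system32 blindly would also touch files Windows hides by design. The FTP upload of %username%.txt means the account name and IP configuration of every infected host have already left the network, which is worth recording in the incident notes even after cleanup.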

Last update 21 November 2011
