Sunday, May 8, 2011

Worm.Win32.Mabezat.b

Detection added November 8, 2007 14:48 GMT
Description added 21 January 2010
Technical Details
This worm copies itself to the drives of the infected computer and to any network shares it can write to. It is written in C++.

Damage
The worm extracts the following DLL file from its body:

C:\Documents and Settings\tazebama.dll (32768 bytes in size).
This DLL contains a module that drops the following copies of the worm body:
%Documents and Settings%\tazebama.dl_: 154751 bytes in size
%Documents and Settings%\hook.dl_: 154751 bytes in size.
The worm then checks whether an Internet connection is available by contacting one of the following URLs:
http://www.hotmail.com
http://www.britishcouncil.com
http://www.microsoft.com
http://www.yahoo.com
The worm reads the following registry key to find the path to the WinRAR application:
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\WinRAR.exe
and uses WinRAR to compress its body under one of the following names:
GoogleToolbarNotifier.exe
PanasonicDVD_DigitalCam.exe
Antenna2Net.exe
RadioTV.exe
Microsoft MSN.exe
Sony Erikson DigitalCam.exe
IDE connector P2P.exe
Windows Keys Secrets.exe
FaxSend.exe
RecycleBinProtect.exe
Disk Defragmenter.exe
CD Burner.exe
ShowDesktop.exe
BrowseAllUsers.exe
LockWindowsPartition.exe
Win98compatibleXP.exe
MakeUrOwnFamilyTree.exe
WindowsXP StartMenu settings.exe
Recycle Bin.exe
Adjust Time.exe
Microsoft Windows Network.exe
HP_LaserJetAllInOneConfig.exe
FloppyDiskPartion.exe
msjavx86.exe
AmericanOnLine.exe
Crack_GoogleEarthPro.exe
Lock Folder.exe
InstallMSN11En.exe
InstallMSN11Ar.exe
JetAudio dump.exe
KasperSky6.0 Key.doc.exe
Office2007 Serial.txt.exe
Office2003 CD-Key.doc.exe
Make Windows Original.exe
NokiaN73Tools.exe
WinrRarSerialInstall.exe
My Documents.exe
Readme.doc.exe
My documents.exe
The compressed files are sent as attachments to email messages. The messages can look like this:
Message Subject:

ABOUT PEOPLE WITH WHOM IS PROHIBITED BAPTISM
Body:
1: If a man commits adultery with a woman, then it is not permissible for him to marry her mother or her daughters. 2: If a woman out of sexual passion and with evil intent commits sexual intercourse with a man, then it is not permissible for the mother or daughters of that man to marry that woman. In the same way, the man who committed sexual intercourse with a woman is prohibited for her mother and daughters. Download the attached article to read.
Attachment Name:
PROHIBITED_MATRIMONY.rar
Message Subject:
Windows secrets
Body:
The attached article is on how to make a folder password. If you are interested in this article download it, if you are not delete it.
Attachment Name:
FolderPW_CH(1).rar
Message Subject:
Canada Immigration
Body:
The debate is not about whether Canada should remain open to immigration any longer. That debate became moot when Canadians realized that low birth rates and an aging population would eventually lead to a shrinking populace. Baby bonuses and other such incentives could convince Canadians to have more kids, and demographic experts have forecast that without immigration Canada would pretty much disintegrate as a nation by 2050. Download the attached file to know about the required forms. The sender of this email got this article from our side and forwarded it to you.
Attachment Name:
IMM_Forms_E01.rar
Message Subject:
Viruses history
Body:
Nowadays, the viruses have become one of the most dangerous systems to attack the computers. There are a lot of kinds of viruses. The common and popular kind is called Trojan.Backdoor which runs as a backdoor of the victim machine. This enables the virus to have a full remote administration of the victim machine. To read the full story about the viruses history since 1970 download the attached and decompress it by WinRAR. The sender got the story from the network and forwarded it to you.
Attachment Name:
virushistory.rar
Message Subject:
Web designer vacancy
Body:
Fortunately, we have recently received your CV/Resume from the Moister web site and we found it matching the job requirements we offer. If you are interested in this job please send us an updated CV showing the required items that we sent with the attached file. Thanks Regards, AJY Computer Bokros department. AjyBokra@webconsulting.com
Attachment Name:
JobDetails.rar
Message Subject:
MBA new vision
Body:
MBA (Master of business administration) is one of the most required degrees around the world. We offer a lot of books helping you to gain this degree. We attached one of our .doc Word-formatted books on Marketing basics to download. Our web site http://www.tazeunv.edu.cr/mba/info.htm Contacts: Human resource AJY klaf AjyKolav@tazeunv.com The sender has added your name to be informed with our services.
Attachment Name:
Marketing.rar
Message Subject:
problemo
Body:
When I had opened your last email I received some errors which have been saved in the attached file. Please inform me about those errors as soon as possible.
Attachment Name:
outlooklog.rar
Message Subject:
hi
Body:
notes.rar
Unfortunately, I received an unformatted email with an attached file from you. I could not understand what is behind the words. I wish next time you send me a readable file! I forwarded the attached file again to evaluate yourself.
Attachment Name:
doc2.rar
The worm collects the email addresses to which it sends infected messages from files with the following extensions:
.hlp
.pdf
.html
.txt
.aspx
.cs
.psd
.mdf
.rtf
.htm
.ppt
.php
.asp
.pas
.h
.cpp
.xls
.doc
.rar
.zip
.mdb
The worm stores the collected addresses in the log file:
%Application Data%\tazebama\zPharaoh.dat
The worm does not send messages to email addresses containing any of the following words:
MICROSOFT
KASPER
PANDA
The worm then infects files with the extensions "lnk", "exe" and "scr", depending on the size of the sections of each file. When doing so it decodes its core body components and writes them to the end of the infected files. The worm reads the paths of the files to infect from the following registry keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
Files in the following folder are infected in the same way:
%Documents and Settings%\<user name>\Local Settings\Application Data\Microsoft\CD Burning
If the worm finds files with the extension "doc", it adds a copy of itself to the same folder with the same file name but the extension "exe".
Next, the worm searches all local and removable drives except C: for folders. For each folder found it creates a copy of itself named after the folder, with the extension "exe":

<drive>\<folder name>.exe
where <drive> stands for the local and removable drives of the infected computer.
The worm also creates copies of itself in the same folders under the same list of names given above for the WinRAR archives (GoogleToolbarNotifier.exe through My documents.exe).
The worm obtains a list of IP addresses of computers on the same network as the infected machine and writes its body, under one of the names above, to every share it can write to.
The worm also copies itself to the following folder on the infected computers:

\%Documents and Settings%\Start Menu\Programs\Startup
To do so, the worm uses the following accounts:
Administrator
Anonymous
and tries passwords made up of the space character and/or the following characters:
ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz
0123456789
The worm saves a copy of its body under the name "zPharaoh.exe" in the root folder of every writable drive:
zPharaoh.exe: 154891 bytes in size.
It creates the following file in the root folder of the same drives:
autorun.inf
This autorun file makes Windows Explorer run the copy of the worm automatically when an infected drive is opened.
The worm can also spread via infected CDs. To do this, it creates a copy of itself and an autorun file in the following folder:

%ApplicationData%\Microsoft\CD Burning\zPharaoh.exe
%ApplicationData%\Microsoft\CD Burning\autorun.inf
All copies of the worm and all autorun files are assigned the attributes "Read Only" and "Hidden".
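As an added defender-side example (not part of the original description), the following Python scans a drive root for the artefacts described above: an autorun.inf whose open= or shellexecute= entry launches zPharaoh.exe, the root copy itself, and the companion executables dropped next to .doc files and next to folders. It assumes the folder-named copy sits beside the folder it mimics, and it builds a constructed sample tree in a temporary directory so that it runs offline.

```python
import os
import tempfile
import configparser

WORM_COPY = "zpharaoh.exe"  # root-folder copy named on the page (compared case-insensitively)

def autorun_targets(inf_path):
    """open= / shellexecute= targets of an autorun.inf, lower-cased ([] if unparsable)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read(inf_path, encoding="latin-1")   # autorun.inf is INI-formatted
    except configparser.Error:
        return []
    return [v.strip().lower() for s in cp.sections() if s.lower() == "autorun"
            for k, v in cp.items(s) if k in ("open", "shellexecute")]

def scan_drive_root(root):
    """Flag the artefacts described above; returns (finding, path) pairs."""
    findings = []
    inf = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf) and any(WORM_COPY in t for t in autorun_targets(inf)):
        findings.append(("autorun.inf launches worm copy", inf))
    if os.path.isfile(os.path.join(root, "zPharaoh.exe")):
        findings.append(("worm copy in drive root", os.path.join(root, "zPharaoh.exe")))
    for dirpath, dirnames, filenames in os.walk(root):
        present = {f.lower() for f in filenames}   # Windows names are case-insensitive
        for f in filenames:   # <name>.exe dropped beside <name>.doc
            stem, ext = os.path.splitext(f)
            if ext.lower() == ".doc" and (stem + ".exe").lower() in present:
                findings.append(("companion of .doc file", os.path.join(dirpath, stem + ".exe")))
        for d in dirnames:    # <folder>.exe dropped beside the folder of that name (assumption)
            if (d + ".exe").lower() in present:
                findings.append(("companion of folder", os.path.join(dirpath, d + ".exe")))
    return findings

def build_sample_tree(root):
    """Constructed sample laid out the way the page describes; the .exe files are plain text."""
    os.makedirs(os.path.join(root, "Photos"))
    for rel, body in [("autorun.inf", "[AutoRun]\r\nopen=zPharaoh.exe\r\nshellexecute=zPharaoh.exe\r\n"),
                      ("zPharaoh.exe", "x"), ("Photos.exe", "x"),
                      ("Photos/report.doc", "x"), ("Photos/report.exe", "x")]:
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write(body)

def demo():
    """Build the sample tree in a temporary directory and return the sorted finding labels."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(kind for kind, _ in scan_drive_root(root))
```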
The worm then writes the following values to the registry, preventing Explorer from showing hidden files and protected system files (hiding file extensions also makes names such as Readme.doc.exe appear as Readme.doc):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"="2"
"HideFileExt"="1"
"ShowSuperHidden"="0"
Finally, it deletes the following registry value so that "autorun.inf" is allowed to run automatically:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"