roam the wild wild web. It creates a 111-pixel-wide iframe on infected
websites that points to a specially crafted URL, which uses browser-specific
exploits to gain control of vulnerable computers.
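A defender reviewing a compromised site wants to find the injected frame without rendering the page. The following is an added example, not BitDefender's code or tooling: it parses HTML with Python's standard html.parser and reports every iframe whose declared width (attribute or inline style) equals the 111 px mentioned above. The sample HTML and the `example.invalid` URL are constructed for the demo.

```python
import re
from html.parser import HTMLParser

SUSPECT_WIDTH_PX = 111  # width of the injected iframe described in the write-up


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def iframe_width_px(attrs):
    """Return the iframe width in px from the width attribute or inline style, else None."""
    w = attrs.get("width", "").strip().lower().rstrip("px").strip()
    if w.isdigit():
        return int(w)
    m = re.search(r"width\s*:\s*(\d+)\s*px", attrs.get("style", ""), re.I)
    return int(m.group(1)) if m else None


def find_suspect_iframes(html):
    """Return the src of every iframe whose width matches SUSPECT_WIDTH_PX."""
    parser = IframeCollector()
    parser.feed(html)
    return [a.get("src", "") for a in parser.iframes
            if iframe_width_px(a) == SUSPECT_WIDTH_PX]


# Constructed sample page: one legitimate embed and one injected frame.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.test/embed/1" width="640" height="360"></iframe>
<p>Some content</p>
<iframe src="http://example.invalid/injected" width="111" height="1" style="border:0"></iframe>
<iframe src="https://maps.example.test/widget" style="width:300px;height:200px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src in find_suspect_iframes(SAMPLE_HTML):
        print("suspect iframe:", src)
```

Width is only one signal; in practice you would combine it with checks such as the frame pointing off-domain or being positioned off-screen, but the width match is enough to triage pages for this particular campaign.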
This worm lurks under a friendly folder-like icon used to
deceive users into clicking it. Upon execution it will open its parent folder
(to behave like a normal folder) but will also create an autorun.inf file on
each drive and copy itself under the name zPharaoh.exe. It will create a folder
named tazebama in the current user's %Appdata% directory.
It will modify the registry to ensure the Autorun feature isn’t
The worm also has the ability to infect executable files by
replacing 1768 bytes from the entry point with its own encrypted code. It can
infect files on any drive that isn't write-protected (including removable drives).
If one of the infected files is executed, it will drop
another file named tazebama.dll into %documents and settings% and will create
more copies of itself there. It will execute the file %documents and
settings%hook.dl_, which will remain memory-resident even after its parent
process terminates. The library tazebama.dll will be loaded by each
infected running process; it will then hook several API functions
(operating system routines) in order to infect more files.
The virus could mis-infect installer kits or ordinary
programs, causing them to function incorrectly or damaging them permanently.
The memory-resident code will make sure that zPharaoh.exe and autorun.inf are
copied to every drive (including network shares, if they are mapped as a drive).
It maintains a log file (zPharaoh.dat) in the %appdata%
directory of the current user. This log starts with the sequence “tazebama
trojan log file” and is used to store e-mail addresses
gathered from .XML, .PHP, .LOG, .CHM, .HLP, .CPP, .PAS, .XLS, .PPT, .PDF,
.ASPX, .ASP, .HTML, .HTM, .RTF and .TXT files found on the infected system.
The worm can also spread over the local network by
infecting shares when they are accessed, placing two copies of itself in every
directory. The name of the first file varies and might be one of the
following: WinrarSerialInstall.exe, KasperSky 6.0 key.doc.exe,
NokiaN73Tools.exe, Office2007 serial.txt.exe, Make Windows Original.exe. The
other copy will have the same name as the directory.
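The host-side artifacts described above (autorun.inf beside zPharaoh.exe in a drive root, the tazebama folder and the zPharaoh.dat harvest log under %Appdata%, and the two-copy pattern on shares) are straightforward to sweep for. The script below is an added example written for this page, not BitDefender's detection logic: it builds a miniature, entirely constructed directory tree that mimics the layout, then scans it with one check per artifact. Two assumptions are labelled in the code: the autorun.inf content is made up (the page does not quote it), and the directory-named copy is assumed to carry an .exe extension.

```python
import tempfile
from pathlib import Path

# Names taken from the write-up above.
DROPPER_NAME = "zPharaoh.exe"
LOG_NAME = "zPharaoh.dat"
LOG_MARKER = b"tazebama trojan log file"   # the log's leading sequence
APPDATA_FOLDER = "tazebama"
SHARE_LURE_NAMES = {
    "WinrarSerialInstall.exe",
    "KasperSky 6.0 key.doc.exe",
    "NokiaN73Tools.exe",
    "Office2007 serial.txt.exe",
    "Make Windows Original.exe",
}


def check_drive_root(root):
    """Flag an autorun.inf in a drive root that is paired with the dropper."""
    root = Path(root)
    autorun = root / "autorun.inf"
    if not autorun.is_file():
        return []
    text = autorun.read_text(errors="replace").lower()
    if DROPPER_NAME.lower() in text or (root / DROPPER_NAME).is_file():
        return [f"{autorun}: autorun.inf paired with {DROPPER_NAME}"]
    return []


def check_appdata(appdata):
    """Flag the tazebama folder and the harvest log, identified by its leading marker."""
    appdata = Path(appdata)
    findings = []
    if (appdata / APPDATA_FOLDER).is_dir():
        findings.append(f"{appdata / APPDATA_FOLDER}: worm working folder present")
    log = appdata / LOG_NAME
    if log.is_file():
        with open(log, "rb") as fh:
            if fh.read(len(LOG_MARKER)) == LOG_MARKER:
                findings.append(f"{log}: address-harvest log (starts with marker)")
    return findings


def check_share_dir(directory):
    """Flag the two-copy pattern: a lure-named file plus a file named after the directory.
    Assumption: the directory-named copy carries an .exe extension; the page only says
    it has the same name as the directory."""
    d = Path(directory)
    names = {p.name for p in d.iterdir() if p.is_file()}
    findings = [f"{d / n}: known lure file name" for n in sorted(names & SHARE_LURE_NAMES)]
    if f"{d.name}.exe" in names:
        findings.append(f"{d / (d.name + '.exe')}: executable named after its directory")
    return findings


def build_sample_tree(base):
    """Construct a miniature 'infected' layout for the demo; every file is a placeholder."""
    base = Path(base)
    drive = base / "drive"
    drive.mkdir()
    # Constructed autorun.inf content; the page does not quote the real file.
    (drive / "autorun.inf").write_text("[autorun]\nopen=zPharaoh.exe\n")
    (drive / DROPPER_NAME).write_bytes(b"placeholder, not a real binary")
    appdata = base / "appdata"
    appdata.mkdir()
    (appdata / APPDATA_FOLDER).mkdir()
    (appdata / LOG_NAME).write_bytes(LOG_MARKER + b"\nvictim@example.test\n")
    share = base / "share" / "Projects"
    share.mkdir(parents=True)
    (share / "NokiaN73Tools.exe").write_bytes(b"placeholder")
    (share / "Projects.exe").write_bytes(b"placeholder")
    (share / "notes.txt").write_text("ordinary file\n")
    clean = base / "share" / "Docs"
    clean.mkdir()
    (clean / "report.txt").write_text("nothing to see\n")
    return base


def scan_tree(base):
    """Run every check over the sample layout and return the list of findings."""
    base = Path(base)
    findings = check_drive_root(base / "drive") + check_appdata(base / "appdata")
    for sub in sorted((base / "share").iterdir()):
        if sub.is_dir():
            findings += check_share_dir(sub)
    return findings


def run_demo():
    """Build the sample tree in a temporary directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

On a real host you would point `check_drive_root` at each mounted drive root, `check_appdata` at each user's %Appdata%, and `check_share_dir` at the directories of any share the machine exposes; the clean "Docs" directory in the sample shows that an ordinary folder produces no finding.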
It is also a mass mailer. It uses its own SMTP engine to
send e-mails to addresses harvested from the victim's computer.
Common subjects of the spam emails are: “ABOUT PEOPLE WITH
WHOM MATRIMONY IS PROHIBITED”, “Windows secrets”, “Canada immigration”, “Viruses
history”, “Web designer vacancy”, “problem” etc.
In each case, the attachment is the actual virus. The
e-mails may also contain the string: “The original file name is %s and
compressed by WinRAR no virus found. Use WinRAR to decompress the file.”
(where %s is the file name).
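The mail-side indicators above (the fixed list of subjects, the "compressed by WinRAR no virus found" lure sentence, and an executable attachment) combine naturally into a gateway filter rule. The following is an added example, not BitDefender's code: it builds two constructed messages with Python's standard `email` library, one matching the campaign and one benign message that happens to reuse the subject "problem", and classifies each. The quarantine rule (executable attachment plus at least one textual marker) is this example's own choice; the page states no such rule.

```python
import email
from email import policy
from email.message import EmailMessage

# Subjects and body fragment quoted in the write-up above.
SPAM_SUBJECTS = {
    "ABOUT PEOPLE WITH WHOM MATRIMONY IS PROHIBITED",
    "Windows secrets",
    "Canada immigration",
    "Viruses history",
    "Web designer vacancy",
    "problem",
}
LURE_BODY_FRAGMENT = "compressed by winrar no virus found"


def classify_message(raw):
    """Return the indicator flags for one RFC 822 message given as a string."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    exe_attachments = [a.get_filename() for a in msg.iter_attachments()
                       if (a.get_filename() or "").lower().endswith(".exe")]
    flags = {
        "known_subject": subject in SPAM_SUBJECTS,
        "lure_body": LURE_BODY_FRAGMENT in body,
        "exe_attachment": bool(exe_attachments),
    }
    # Example rule (assumption, not from the page): an executable attachment alone is
    # noisy, a subject alone is noisier still; require the attachment plus a text marker.
    flags["quarantine"] = flags["exe_attachment"] and (flags["known_subject"] or flags["lure_body"])
    return flags


def build_sample(subject, body, attachment_name=None):
    """Construct a test message; the attachment bytes are a placeholder, not a binary."""
    msg = EmailMessage()
    msg["From"] = "victim@example.test"
    msg["To"] = "harvested@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"constructed placeholder bytes, not an executable",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_string()


def run_demo():
    """Classify one campaign-style message and one benign one; return both flag dicts."""
    malicious = build_sample(
        "Windows secrets",
        "The original file name is Windows secrets.doc and compressed by WinRAR "
        "no virus found. Use WinRAR to decompress the file.",
        "Windows secrets.exe",
    )
    benign = build_sample("problem", "Hi, the build is failing, see the attached log.", "build.log")
    return classify_message(malicious), classify_message(benign)


if __name__ == "__main__":
    for label, flags in zip(("malicious", "benign"), run_demo()):
        print(label, flags)
```

The benign message shows why the subject list should not be used on its own: "problem" is a common subject, but with a .log attachment and no lure text it is left alone.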
Information in this article is available courtesy of BitDefender virus
researchers: Lutas Andrei Vlad