Welcome!

COMPUTERS DOCTOR

Is Here To Help!

You have found the smartest choice for the most affordable and reliable Computer Repair and Networking Services in the Greater Birmingham, Alabama area.

 

Virus or Worm Story

 



New or old computer virus, I do not know.

Name: W32/Wazner-A (Sophos Anti-Virus report)
Type: Worm
How it spreads: Network shares
Affected operating systems: Windows



On November 2nd, 2007, a worm called "W32/Wazner-A" (Sophos Anti-Virus report) infected my network computers; all of the computers had Norton Anti-Virus, Kaspersky, Windows Defender and Spybot 1.4.

I noticed that one of the computers was slow, freezing, something strange was happening.

Alt+Ctrl+Del showed that there was a file named "tazebama.dl_" in the process list.

By default I always show hidden files, system files, and extensions.

So I searched my hard drive to find out what the "tazebama.dl_" file was and where it was located.

To my surprise, I did not find the file; then I noticed that hidden files, system files, and extensions were no longer shown in the file list, so I had to go to Folder Options to view them.

I found two hidden files on each hard drive: one named "autorun.inf", which has a text file icon, and the other named "zPharaoh.exe", which has a folder icon.

In the folder "Documents and Settings" I found 3 hidden files; their names were "hook.dll", "tazebama.dll" and "tazebama.dl_".

I removed all of them, thinking it was over, and restarted my computer to see what would happen.

I found that the folder view settings had changed again, and the file "tazebama.dl_" was running again in the process list in Task Manager.

When I tried to explore my system drive, it gave me a "no disk" error message and some other unexpected error messages, but I was able to explore the disks, changed the folder options to view hidden and system files, and found that all the files I had just deleted had been regenerated.

I stopped the "tazebama.dl_" process and deleted all those files one more time. Then I opened Notepad to write down what had happened; as soon as I clicked Notepad, "tazebama.dl_" executed again and the files were regenerated again. I noticed that a file named "1.taz" appeared for a second and then deleted itself after regenerating the other files and some temp files.

I checked the Notepad file size; it was bigger than the original size. I checked the other files with the .exe extension and found that they had been modified at the same time, with a 1-second difference for every three or four files.

Starting any application results in "tazebama.dl_" being executed.

On the storage disk I found the following:

1- "Autorun.inf" and "zPharaoh.exe" on the hard drive.
2- Inside each folder I found 2 newly generated files: one of them has the folder name followed by many spaces, which makes the file name about one hundred characters long, with an .exe extension, like this: "xyz            .exe"; the other has a random name with an .exe extension and a file size of about 152 KB, with names like "office 2007 serial.doc.exe", "kaspersky 10 ser.rar.exe", "documents.zip.exe", "FullVersio_ReadPlease_2003.zip", and so on.

Some subfolders have that kind of files, some don't.
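One way to sweep a drive for the file-system indicators described above (the autorun.inf plus zPharaoh.exe pair at the drive root, the known dropped files under Documents and Settings, the folder-name .exe padded with spaces, and the double-extension .exe names), written here as an added example that is not part of the original story: a Python script that walks a directory tree and reports every match. The autorun.inf parsing (the standard open=/shellexecute= keys) and the sample directory layout are constructed for this demonstration; the page does not show the contents of the worm's autorun.inf.

```python
"""
Sweep a directory tree for the W32/Wazner-A file-system indicators
described in the story above. Added example: the filename patterns
come from the page; the autorun.inf handling and sample tree are
constructed here for demonstration.
"""
import os
import re
import tempfile

# Filenames the author found on the infected machines (matched case-insensitively).
KNOWN_NAMES = {"zpharaoh.exe", "tazebama.dll", "tazebama.dl_", "hook.dll", "1.taz"}

# Double extensions seen in the dropped files, e.g. "documents.zip.exe".
DOUBLE_EXT = re.compile(r"\.(doc|rar|zip)\.exe$", re.IGNORECASE)


def autorun_targets(path):
    """Return the executables an autorun.inf would launch.

    Reads the standard open= / shellexecute= keys. The page does not show the
    worm's autorun.inf contents, so this is generic autorun.inf parsing.
    """
    targets = []
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.strip().partition("=")
            if sep and key.strip().lower() in ("open", "shellexecute"):
                targets.append(value.strip())
    return targets


def scan(root):
    """Walk `root` and return sorted (relative_path, reason) pairs for suspicious files."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        folder = os.path.basename(dirpath.rstrip(os.sep))
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            lower = name.lower()
            if lower in KNOWN_NAMES:
                findings.append((rel, "known dropped filename"))
            elif lower == "autorun.inf":
                launched = ", ".join(autorun_targets(full)) or "nothing"
                findings.append((rel, "autorun.inf launches " + launched))
            elif lower.endswith(".exe"):
                stem = name[:-4]
                # "<folder name><many spaces>.exe" inside that same folder.
                if stem != stem.rstrip(" ") and stem.rstrip(" ").lower() == folder.lower():
                    findings.append((rel, "folder-name .exe padded with spaces"))
                elif DOUBLE_EXT.search(name):
                    findings.append((rel, "double extension ending in .exe"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed directory layout mimicking what the author described."""
    root = tempfile.mkdtemp(prefix="wazner_demo_")

    def put(relpath, data=b"\x00" * 16):
        full = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    # Constructed autorun.inf: the page only says the file exists next to zPharaoh.exe.
    put("autorun.inf", b"[autorun]\r\nopen=zPharaoh.exe\r\n")
    put("zPharaoh.exe")
    put("Documents and Settings/hook.dll")
    put("Documents and Settings/tazebama.dll")
    put("Documents and Settings/tazebama.dl_")
    put("work/work" + " " * 90 + ".exe")          # folder name padded with spaces
    put("work/office 2007 serial.doc.exe")        # double extension
    put("work/report.doc")                        # benign, must not be flagged
    put("photos/documents.zip.exe")               # double extension
    put("photos/holiday.jpg")                     # benign, must not be flagged
    return root


if __name__ == "__main__":
    for rel, reason in scan(build_sample_tree()):
        print(f"{reason:40s} {rel!r}")
```

Run it from a clean boot environment against a mounted copy of the drive rather than on the infected system itself; the story shows the worm re-dropping its files as soon as any program is launched, so results taken from a live infected machine describe a moving target.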

After trying to find all the files that had been created and starting to remove them, my computer froze up. I had to restart, but the computer would not boot; most likely the MBR had been changed.

I tried to use Bart's PE Boot CD, but it did not see the hard drives (one is ATA, the other is SATA).

I had to use some other tools to rewrite the MBR to recover my files on the storage hard drive. I did the same on the system drive.

When I used Bart's PE CD to boot my computer and tried to open a text file using Notepad to record those file names, it regenerated all the files (zPharaoh.exe, tazebama.dll, tazebama.dl_ and hook.dll) and hid them.

It infected some MS Word files with the .doc extension, so when you open these Word files you find some strange characters that look like machine code.

It took me a week to restore my computers after formatting the operating system, but I'm glad I could save some of my programs as zipped files.

Ten days after this event, I found a website, http://www.sophos.com, talking about that worm and saying:

"Protection available since: 9 November 2007 15:35:00 (GMT)".

More About this Worm:

In Microsoft Outlook (my email program) I found over 350 messages waiting in the outbox to be sent, each with a 44 KB .rar file attached, with the following message texts:

=================================

Subject: hi

Unfortunately, I received unformatted email with an attached file from you. I couldn't understand what is behind the words.
I wish you next time send me a readable file!.
I forwarded the attached file again to evaluate your self.




The original file name is notes.rar and compressed by WinRAR no virus found.
Use WinRAR to decompress the file.

=================================

Subject: C?E??C?

C???C? ????????C???C?E C?E? E? ?????C ?? ?E??? ??? C???I C??CE? ?? ??E?? ??? C?????I ?? C???? C?????. ???I ?????C ?? ??? C???C?E C???? ????C??E. ???? ???? C?E??? E??C??E ??E?? C???? ????C?? ??C ??E ?I??.




The original file name is doc2.rar and compressed by WinRAR no virus found.
Use WinRAR to decompress the file.

=================================

Subject: ??C?E E???E?E

??C?E E???E?E. ???? E???? C???? C????? ?C?E??I ?? C?? ???? EO?? ???? ????C?? ??C ?IE I?? ?C.




The original file name is doc2.rar and compressed by WinRAR no virus found.
Use WinRAR to decompress the file.

=================================

Subject: problem

When I had opened your last email I received some errors have been saved in the attached file.
Please inform me with those errors as soon as possible.




The original file name is outlooklog.rar and compressed by WinRAR no virus found.
Use WinRAR to decompress the file.

=================================

Subject: MBA new vision

MBA (Master of business administration ) one of the most required degree around the world. We offer a lot of books helping you to gain this degree. We attached one of our .doc word formatted books on "Marketing basics" to download.


Our web site http://www.tazeunv.edu.cr/mba/info.html

Contacts:
Human resource
Ajy klaf
AjyKolav@tazeunv.com

The sender has added your name to be informed with our services.




The original file name is Marketing.rar and compressed by WinRAR no virus found.
Use WinRAR to decompress the file.

=================================

Subject: Web designer vacancy

Fortunately, we have recently received your CV/Resume from moister web site
and we found it matching the job requirements we offer.
If your are interested in this job Please send us an updated CV showing the required items with the attached file that we sent.

Thanks & Regards,
Ajy Bokra
Computer department.
AjyBokra@webconsulting.com




The original file name is JobDetails.rar and compressed by WinRAR no virus found.
Use WinRAR to decompress the file.

=================================

Subject: Viruses history

Nowadays, the viruses have become one of the most dangerous systems to attack the computers. There are a lot of kinds of viruses. The common and popular kind is called "Trojan.Backdoor" which runs as a backdoor of the victim machine. This enables the virus to have a full remote administration of the victim machine. To read the full story about the viruses history since 1970 download the attached and decompress It by WinRAR.

The sender has red the story and forwarded it to you.




The original file name is virushistory.rar and compressed by WinRAR no virus found.
Use WinRAR to decompress the file.

=================================

Subject: Canada immigration

The debate is no longer about whether Canada should remain open to immigration. That debate became moot when Canadians realized that low birth rates and an aging population would eventually lead to a shrinking populace. Baby bonuses and other such incentives couldn't convince Canadians to have more kids, and demographic experts have forecasted that a Canada without immigration would pretty much disintegrate as a nation by 2050.
Download the attached file to know about the required forms.
The sender of this email got this article from our side and forwarded it to you.




The original file name is IMM_Forms_E01.rar and compressed by WinRAR no virus found.
Use WinRAR to decompress the file.
=================================

Subject: Windows secrets

The attached article is on "how to make a folder password". If your are interested in this article download it, if you are not delete it.


The original file name is FolderPW_CH(1).rar and compressed by WinRAR no virus found.
Use WinRAR to decompress the file.

=================================

Subject: ABOUT PEOPLE WITH WHOM MATRIMONY IS PROHIBITED

1 : If a man commits adultery with a woman, then it is not permissible for him to marry her mother or her daughters.

2 : If a woman out of sexual passion and with evil intent commits sexual intercourse with a man, then it is not permissible for the mother or daughters of that woman to merry that man. In the same way, the man who committed sexual intercourse with a woman, because prohibited for her mother and daughters.

Download the attached article to read.




The original file name is PROHIBITED_MATRIMONY.rar and compressed by WinRAR no virus found.
Use WinRAR to decompress the file.
=================================

 

 

If you have a similar story, please send your story or comments to us.
