Threat Encyclopedia

Installation
When executed, the virus copies itself into the folder:

%drive%\Documents and Settings\

using the following file names:

tazebama.dl_

hook.dl_


The following file is dropped in the same folder:

tazebama.dll (32768 B)


The virus creates the following folders:

%appdata%\tazebama\


The following Registry entries are removed:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"


The following Registry entries are set:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = 2

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = 1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = 0


Executable files infection
The virus infects executable files. The virus searches for executables with one of the following extensions:

.exe

Executables are infected by appending the code of the virus to the end of the original file. The host file is modified in a way that causes the virus to be executed prior to running the original code.


Spreading
The virus copies itself into the root folders of all drives using the following name:

zPharaoh.exe

The following file is dropped in the same folder:

autorun.inf

The virus copies itself into existing folders of removable drives. The following filenames are used:

Adjust Time.exe

AmericanOnLine.exe

Antenna2Net.exe

BrowseAllUsers.exe

CD Burner.exe

Crack_GoogleEarthPro.exe

Disk Defragmenter.exe

FaxSend.exe

FloppyDiskPartion.exe

GoogleToolbarNotifier.exe

HP_LaserJetAllInOneConfig.exe

IDE Conector P2P.exe

InstallMSN11Ar.exe

InstallMSN11En.exe

JetAudio dump.exe

KasperSky6.0 Key.doc.exe

Lock Folder.exe

LockWindowsPartition.exe

Make Windows Original.exe

MakeUrOwnFamilyTree.exe

Microsoft MSN.exe

Microsoft Windows Network.exe

msjavx86.exe

NokiaN73Tools.exe

Office2003 CD-Key.doc.exe

Office2007 Serial.txt.exe

PanasonicDVD_DigitalCam.exe

RadioTV.exe

Recycle Bin.exe

RecycleBinProtect.exe

ShowDesktop.exe

Sony Erikson DigitalCam.exe

Win98compatibleXP.exe

Windows Keys Secrets.exe

WindowsXp StartMenu Settings.exe

WinrRarSerialInstall.exe


The name of the file may be based on the name of an existing file or folder. The extension of the file is ".exe".
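
As an added example (not part of the original description), the following Python sketch triages a mounted removable drive for the spreading traces listed above: the zPharaoh.exe and autorun.inf pair in the root, document-looking names that end in ".exe", and executables named after a sibling file or folder. The function names, the set of inner extensions and the sample layout are assumptions made for illustration.

```python
import os

# Inner extensions that make an .exe look like a document once Explorer hides
# known extensions ("HideFileExt" = 1). The set is an assumption for this example.
DECOY_INNER_EXT = {".doc", ".txt", ".pdf", ".xls", ".ppt", ".rtf"}
ROOT_PAIR = {"zpharaoh.exe", "autorun.inf"}  # file names from the description


def triage_drive(root):
    """Return sorted (relative_path, reason) leads; heuristic, review each hit."""
    findings = []
    for folder, dirs, files in os.walk(root):
        lower_dirs = {d.lower() for d in dirs}
        # Stems of non-executable siblings, to catch clones such as report.exe
        other_stems = {os.path.splitext(f)[0].lower() for f in files
                       if not f.lower().endswith(".exe")}
        if folder == root and ROOT_PAIR <= {f.lower() for f in files}:
            findings.append(("zPharaoh.exe", "root copy with autorun.inf"))
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".exe":
                continue
            rel = os.path.relpath(os.path.join(folder, name), root)
            if os.path.splitext(stem)[1].lower() in DECOY_INNER_EXT:
                findings.append((rel, "double extension"))
            elif stem.lower() in lower_dirs | other_stems:
                findings.append((rel, "named after sibling file or folder"))
    return sorted(findings)


def build_sample(root):
    """Create a constructed drive layout of empty files for the demo."""
    os.makedirs(os.path.join(root, "Photos", "Trip"))
    for rel in ["zPharaoh.exe", "autorun.inf", "Photos.exe", "notes.txt",
                os.path.join("Photos", "Trip.exe"),
                os.path.join("Photos", "Office2007 Serial.txt.exe"),
                os.path.join("Photos", "viewer.exe")]:
        open(os.path.join(root, rel), "w").close()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, reason in triage_drive(tmp):
            print(f"{reason}: {path}")
```

Run it against the mount point of the drive from a system where Autorun is disabled; a legitimate program that shares a name with a data file next to it will also be reported, so treat each hit as a lead to verify.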


Other information
If the current system date matches the condition, files with the following file extension will be encrypted:

.ASP

.ASPX

.ASPX.CS

.BAS

.C

.CPP

.DOC

.H

.HLP

.HTM

.HTML

.MDB

.MDF

.PAS

.PDF

.PHP

.PPT

.PSD

.RAR

.RTF

.TXT

.XLS

.ZIP


The virus may create copies of itself in the folder:

%userprofile%\Local Settings\Application Data\Microsoft\CD Burning\


If successful, the following filename is used:

zPharaoh.exe


The following files may be dropped in the same folder:

autorun.inf


The virus may delete files stored in the following folders:

%userprofile%\Local Settings\Application Data\Microsoft\CD Burning\


The virus may create the text file:

%appdata%\tazebama\zPharaoh.dat


The virus may create the following files in the %drive%\Documents and Settings\ folder:

MyDocuments.rar

backup.rar

documents_backup.rar

imp_data.rar

source.rar

windows_secrets.rar

passwords.rar

serials.rar

office_crack.rar

windows.rar


The archive contains an executable file, which is part of the infiltration.