MaHasona Recovery Report

Saturday, November 21, 2009 Posted by Kanishka Dilshan
Imago Labs Report on MaHasona.exe


MaHasona.exe (CRC-32: FD9B090B) is a virus that can be categorized as a worm: it spreads through removable drives. Carelessness of computer users is the main reason this kind of virus spreads; if the user opens removable drives from the command prompt, the virus cannot be executed. This virus uses an AutoIt script as its core. Once the virus is executed, it copies a clone of itself to the Windows System32 directory as explorar.exe (note the difference between explorer.exe and explorar.exe). Because it uses this kind of fake name, the virus is difficult to detect manually. It creates a registry entry so that it is executed automatically when Windows starts. MaHasona.exe changes the attributes of directories (folders) to Hidden and places a clone of itself beside each one, named after the folder. MaHasona.exe is not visible in the task list (program list) of the Task Manager; it runs only as a process (process name: explorar.exe, CRC-32: FD9B090B).
Tip: use this method to open removable drives safely.
Start -> All Programs -> Accessories -> Command Prompt, then type the following command and press Enter:
explorer [drive letter of pen drive]:
e.g. explorer h:

File Details : MaHasona.exe
Size       : 686077 Bytes
Version    : 3.3.0.0
CRC-32     : FD9B090B
MD5        : 9F5A508D6725EB6FB11B445274BA9A52
SHA1       : 97AA99152245D7ECE159225C03C246608114BDBE
Read only  : Yes
Hidden     : Yes
System file: Yes
Archive    : Yes
Symbolic link : No

Values Added To The Registry: (2)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYS1: "C:\WINDOWS\system32\explorar.exe"

HKU\S-1-5-21-329068152-1060284298-839522115-1004\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Kanishka\Desktop\VHome\MaHasona.exe: "MaHasona"
Values Modified In The Registry: (0)
No existing registry values were modified; only the two entries listed above were added.
Created Files: (5)
C:\WINDOWS\system32\explorar.exe
C:\WINDOWS\autorun.inf (copied to the root of a removable drive as soon as a pen drive is detected)
e:\MaHasona.exe
e:\Docs.exe (Docs.exe is a clone of the virus named after a folder on the pen drive; the names are taken from the existing folder names)
e:\autorun.inf (this file gives the virus its worm ability, i.e. it launches the clone when the drive is opened)

Note: e: is a removable drive (pen drive).
Files Deleted: (0)
No file deletions were detected.
Files/Folders Modified: (n)
MaHasona.exe modifies the attributes of all folders (sets them to Hidden).
Network Activities: ( )
We did not identify any network activity from this file.
More Info: ( )
Autorun file (e:\autorun.inf):
[autorun]
open=MaHasona.exe
Icon=MaHasona.exe,0
shellexecute=MaHasona.exe
shell\Explore\command=MaHasona.exe
shell\Open\command=MaHasona.exe
shell=Explore
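The two removable-drive indicators described in this report (an autorun.inf that launches an executable from the drive root, and hidden folders shadowed by a same-named .exe such as Docs -> Docs.exe) can be checked with a small triage script. This is an example added here, not tooling from the report or from Imago Labs; the drive listing is constructed, and the autorun.inf text is the one shown above.

```python
"""Triage helpers for the MaHasona removable-drive indicators (added example)."""
import re
from typing import Dict, List, Tuple

# autorun.inf keys that run a program when the drive is opened or double-clicked.
LAUNCH_KEYS = ("open", "shellexecute")
COMMAND_KEY = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

# Reproduced from the autorun.inf listed in the report.
AUTORUN_SAMPLE = """[autorun]
open=MaHasona.exe
Icon=MaHasona.exe,0
shellexecute=MaHasona.exe
shell\\Explore\\command=MaHasona.exe
shell\\Open\\command=MaHasona.exe
shell=Explore
"""

# Constructed drive-root listing: (name, is_directory, hidden_attribute).
DRIVE_LISTING = [
    ("Docs", True, True), ("Docs.exe", False, True),      # hidden folder + clone named after it
    ("Photos", True, False), ("readme.txt", False, False),  # untouched folder and file
    ("MaHasona.exe", False, True), ("autorun.inf", False, True),
]


def parse_autorun(text: str) -> Dict[str, str]:
    """Parse the [autorun] section into lower-cased key -> value pairs."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_launch_targets(text: str) -> List[Tuple[str, str]]:
    """Return (key, executable) for every entry that would launch a .exe from the drive."""
    hits = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS or COMMAND_KEY.match(key):
            exe = value.split(",")[0].strip()  # strip a trailing ',0'-style icon index
            if exe.lower().endswith(".exe"):
                hits.append((key, exe))
    return hits


def shadowed_folders(listing) -> List[str]:
    """Hidden folders that have a same-named .exe beside them (the Docs/Docs.exe pattern)."""
    files = {name.lower() for name, is_dir, _ in listing if not is_dir}
    return sorted(n for n, is_dir, hidden in listing if is_dir and hidden and f"{n.lower()}.exe" in files)
```

The Icon= line is deliberately not reported: it only supplies an icon resource and does not launch anything, so a drive whose autorun.inf sets nothing but an icon yields no hits.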
By K_ZONE

For more info visit my website