SECURITY ALERT

Name:      TROJ_INOR.A
Aliases:   Maz,Downloader.BO,Downloader-BO,Troj/Dloader-BO
Variants:  
Type:      Trojan
Platforms: Windows 32-bit
Status:    in the wild
Threat:    V-CON 1 (low)

The following has been derived from information provided by MessageLabs, Symantec, and Trend Micro.

Virus Characteristics

This Trojan is spreading as a file attached to email messages that are believed to be sent out deliberately. One sample of these messages has the following details:

From: Super-User
Subject: mail %Space% %Space%
Message Body: %Space% %Space% %Space% %Space%%Space% %Space%
%Space% %Space% Hello! %Space%check %Space%out%Space% %Space%
%Space%the %Space%best%Space%FREE%Space%site! %BR%
%Space% MessageID:k6z4 %Space%
MessageNumber: 36454 %Space% %BR% %Space%%Space%
Attachment: masteraz.exe(4.10 KB)

Note: the sender of this email is spoofed, and the sender may change the message properties at any time. %Space% and %BR% stand for the whitespace padding and line breaks in the original message.

When executed, this Trojan downloads the file COUNTER.C from http://masteraz.hypermart.net, saves it as OUTPUT.EXE in the current folder, and then executes it.

If the download fails, it creates the following registry value so that the Trojan runs again when Windows is restarted:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
".inr\5Nzg1mOWKzFnuvu6" = %Trojan path and filename%

If the download succeeds, it creates the following key instead:

HKEY_CLASSES_ROOT\.inr\5Nzg1mOWKzFnuvu6\Done
(Default) = Done

Regardless of the download result, this Trojan creates the following registry entry:

HKEY_CLASSES_ROOT\.inr\5Nzg1mOWKzFnuvu6
"Time" = %Hexadecimal equivalent of the time of download%

The website mentioned above has since been closed down.

There appear to be multiple variants of the dropped file. The detection names currently assigned to it are:

Backdoor-AML - McAfee
BKDR_JEEM.A - Trend
Backdoor.Trojan - Symantec
Jeem - F-Secure


Additional Information - New Variant

MAZ.B is a recompiled variant of Maz. It still downloads almost the same backdoor, but since the old website has been closed down, it uses a new one. An example of the mail follows:

Subject: Improve your Credit! %Space% %Space%

Text:

Hello! %Space% check %Space% out %Space% this %Space% site,

%Space% it is %Space% a %Space% great site!

%Space% %Space%

Attachment: jimkre.exe (size: 4096 bytes, UPX compressed)


Payload

Downloads and executes a backdoor Trojan.


Preventative Measures

Block the attachments masteraz.exe and jimkre.exe at the mail gateway where possible.
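A gateway rule keyed on the two filenames above is the minimum. The following is an added example, not part of the alert or of any gateway product, of such a check written against a parsed message; it goes beyond the alert by also refusing any attachment whose extension is executable on Windows (EXECUTABLE_EXT is an assumed site policy, not something the alert states), which is what catches the next recompiled variant whatever it is named. The message it builds is constructed to resemble the first sample; it is not a captured copy, and its attachment bytes are filler rather than the Trojan.

```python
"""Mail-gateway check for the attachments this alert says to block.

Added example, not part of the alert or of any gateway product.  The message
built here is constructed in the shape of the alert's first sample; its
attachment bytes are filler, not the Trojan.  EXECUTABLE_EXT is an assumed
site policy that extends the alert's two names to any Windows executable.
"""
import email
from email import policy
from email.message import EmailMessage

BLOCKED_NAMES = {"masteraz.exe", "jimkre.exe"}                      # named in the alert
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}   # assumed policy

# Constructed attachments: filler bytes standing in for the 4.10 KB binary,
# plus a harmless text file to show the allow path.
SAMPLE_ATTACHMENTS = [
    ("masteraz.exe", b"MZ" + b"\x00" * 4198),
    ("notes.txt", "harmless text"),
]


def build_message(attachments):
    """Build a raw message in the shape of the alert's first sample with the
    given (filename, content) attachments; str content becomes text/plain,
    bytes become application/octet-stream."""
    msg = EmailMessage()
    msg["From"] = "Super-User <super-user@example.invalid>"   # spoofed display name
    msg["To"] = "someone@example.invalid"
    msg["Subject"] = "mail"
    msg.set_content("Hello! check out the best FREE site!")
    for filename, content in attachments:
        if isinstance(content, bytes):
            msg.add_attachment(content, maintype="application",
                               subtype="octet-stream", filename=filename)
        else:
            msg.add_attachment(content, filename=filename)
    return msg.as_bytes()


def attachment_verdicts(raw):
    """Return (filename, verdict) for each attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lname = name.lower()
        # last extension only, so report.txt.scr is judged by .scr
        ext = lname[lname.rfind("."):] if "." in lname else ""
        if lname in BLOCKED_NAMES:
            verdicts.append((name, "block: attachment named in alert"))
        elif ext in EXECUTABLE_EXT:
            verdicts.append((name, "block: executable attachment"))
        else:
            verdicts.append((name, "allow"))
    return verdicts


def should_block(raw):
    """True if any attachment received a block verdict."""
    return any(v != "allow" for _, v in attachment_verdicts(raw))


if __name__ == "__main__":
    raw = build_message(SAMPLE_ATTACHMENTS)
    for name, verdict in attachment_verdicts(raw):
        print(f"{name}: {verdict}")
    print("reject" if should_block(raw) else "deliver")
```

Matching on the filename alone is deliberately cheap and is the rule the alert asks for; it does nothing against a renamed copy of the same 4 KB downloader, which is why the definition updates listed under Fixes Available are still required behind the gateway.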


Fixes Available

Network Associates:
Minimum DAT: 4233
Release Date: 11/13/2002
Minimum Engine: 4.1.60

Symantec:
Virus Definitions (Intelligent Updater): November 13, 2002
Virus Definitions (LiveUpdate): November 13, 2002

Trend:
Pattern File: 385, November 12, 2002
Minimum Scan Engine: 5.200
