W32.Mabezat.B
W32.Mabezat.B is a computer worm that can infect executable files and encrypt data files. It may spread via removable drives and shared folders. It makes changes to the Windows registry that may disable certain functions. The worm takes advantage of the Autorun feature in Windows to execute itself when the drive is accessed. It uses the same approach to spread to network computers and drop a copy of itself on network shares.
Alias: Worm.Win32.Mabezat.b, W32/Mabezat, PE_MABEZAT.B-O, W32/Mabezat-B
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista
Characteristics
Upon execution, this worm drops multiple files under the Documents and Settings and User Profile folders. It also creates additional folders and files in the same location.
When the computer’s Autorun feature is active, the worm uses it as a method to spread itself. If the worm senses that Autorun is disabled, it deletes the following registry entry to reset the configuration.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
Next, W32.Mabezat.B hides system files by setting this registry value.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
The worm looks for shared folders and drives on the network and drops a copy of the following files.
[DRIVE]:\zPharaoh.exe
[DRIVE]:\autorun.inf
If it senses that the network is protected with a password, the worm tries to force its entry by using a default user name and a generated key.
W32.Mabezat.B also searches the compromised PC for .exe files. It encrypts the original file and replaces it with a copy of the worm.
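The drop pattern described above (an autorun.inf beside a copy of the worm, plus decoy names padded with spaces before .exe) can be checked on a drive root or share with a short script. This is an added example, not part of the original page or of any vendor tool; the function names, result tags and the temporary sample directory are constructed for illustration, and the sample autorun.inf is modelled on the one quoted in the comments on this page.

```python
import os
import re
import tempfile
# File names this page lists for W32.Mabezat.B (lower-cased, page spellings kept).
IOC_NAMES = {"zpharaoh.exe", "zpharoh.exe", "zpharaoh.dat", "tazebama.dl_",
             "tazebama.dll", "tazebama.log", "hook.dl_"}
# autorun.inf keys that start a program: open, shellexecute, shell\<verb>\command.
LAUNCH_KEY = re.compile(r"(open|shell\s?execute|shell\\[^\\]+\\command)", re.I)
# Decoy names such as "Readme.doc .exe": whitespace right before the .exe suffix.
PADDED_EXE = re.compile(r"\s\.exe$", re.I)
# Constructed sample, modelled on the autorun.inf quoted in the comments below.
SAMPLE_INF = ("[ AutoRun]\nshell Execute=zPharaoh.exe\n"
              "shell\\open\\command=zPharaoh.exe\nopen=zPharaoh.exe\n")

def autorun_targets(text):
    """Return [(key, target)] for launch entries in the [AutoRun] section."""
    targets, in_section = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_section = line.strip("[] ").lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.fullmatch(key):
                targets.append((key.lower(), value.strip('"')))
    return targets

def scan_root(root):
    """Flag autorun launch entries and known or decoy file names in one folder."""
    findings = []
    for name in sorted(os.listdir(root)):
        low = name.lower()
        if low == "autorun.inf":
            with open(os.path.join(root, name), encoding="latin-1") as fh:
                for key, target in autorun_targets(fh.read()):
                    exe = re.split(r"[\\/]", target)[-1].lower()
                    tag = "known-name" if exe in IOC_NAMES else "review"
                    findings.append(("autorun:" + key, target, tag))
        elif low in IOC_NAMES:
            findings.append(("file", name, "known-name"))
        elif PADDED_EXE.search(low):
            findings.append(("file", name, "padded-extension"))
    return findings

def demo():
    """Scan a constructed drive root built in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("autorun.inf", SAMPLE_INF), ("zPharaoh.exe", ""),
                           ("Readme.doc .exe", ""), ("notes.txt", "")):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return scan_root(root)
```

Point `scan_root` at the root of a removable drive or share; an autorun entry tagged "review" launches a program whose name is not on this page's list and still deserves a look.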
Distribution
This worm typically spreads via spam email messages. It is attached as an executable file or as RAR-compressed data. When activated, it uses the infected computer to mass-mail a copy of itself to contacts found in the victim’s address book. Here are some samples of the fraudulent email generated by W32.Mabezat.B.
Subject: hi
Attachment: notes.rar
Body:
Unfortunately, I received unformatted email with an attached file from you. I couldn’t understand what is behind the words. I wish you next time send me a readable file!. I forwarded the attached file again to evaluate yourself.

Subject: Web designer vacancy
Attachment: JobDetails.rar
Body:
Fortunately, we have recently received your CV/Resume from moister web site and we found it matching…
Thanks & Regards,
Ajy Bokra

Subject: MBA new vision
Attachment: Marketing.rar
Body:
MBA (Master of business administration ) one of the most required degree around the world. We offer…
AjyKolav@tazeunv.com

Associated Files and Folders:
- %SystemDrive%\Documents and Settings\tazebama.dl_
- %SystemDrive%\Documents and Settings\hook.dl_
- %UserProfile%\Start Menu\Programs\Startup\zPharoh.exe
- %SystemDrive%\Documents and Settings\tazebama.dll
- %SystemDrive%\Documents and Settings\[USER NAME]\Application Data\tazebama
- %SystemDrive%\Documents and Settings\[USER NAME]\Application Data\tazebama\tazebama.log
- %SystemDrive%\Documents and Settings\[USER NAME]\Application Data\tazebama\zPharaoh.dat
- [DRIVE]:\zPharaoh.exe
- [DRIVE]:\autorun.inf
- [Network]My documents .exe
- [Network]Readme.doc .exe
- [Network]My Documents [SPACES].exe
File Location for Windows Versions:
- %UserProfile% is C:\Users\<Current User> on Windows Vista/7 and C:\Documents and Settings\<Current User> on Windows XP/2000.
- %System% is C:\Windows\System32 on all versions of Windows.
How to Remove W32.Mabezat.B
Restore Windows Components
During an infection, W32.Mabezat.B drops various files, and it intentionally hides system files by setting options in the registry. Given these changes, the best solution is to return Windows to a previous working state through System Restore. If a previous restore point has been saved, you may proceed with Windows System Restore.
Manual Removal Procedure
1. If an anti-virus program is present, update the definition file. Each anti-virus program has its own way to update the database. Please refer to your software manufacturer’s manual.
2. Reboot Windows in Safe Mode to ensure that only minimal Windows components are loaded.
- After turning on the power of the computer, press F8 on your keyboard.
- It will display the Boot Options menu, select Safe Mode.
3. Run a full system scan and clean/delete all infected files.
4. Delete or modify any values added to the registry if present. Please see the reference.
- To edit the registry, click on Start > Run and type regedit.exe in the field.
- Alternatively, you may press Windows Key + R on your keyboard to open the RUN command.
5. Exit registry editor when done. You may now restart the computer.
Babu Nair
Jan 30, 2008 @ 04:42:58
This virus affected our server. How can I remove this from the Server.
Your help is requested.
Nusrath Ali
Jun 18, 2008 @ 13:52:49
Dear sir,
We have important systems in our network and they are affected with the tazabama virus. Please, I need a removal tool for the tazebama virus urgently.
Thank You
precisesecurity
Jun 18, 2008 @ 14:40:03
We have tried this and it works on Windows 2000/XP; don’t know if it will work on a server.
1. Download removal tool from this page and save it on your Desktop.
2. After downloading, double-click on to install the application.
3. Follow the prompts and install as “default” only.
4. If it prompts to update the database after installation, please proceed.
5. Click “Finish.” The program will run automatically and you will be prompted to update the program before doing a scan. Please update.
6. Scan your computer thoroughly.
7. When scanning is finished, click on the “Show Results”
8. Make sure that all detected threats are marked, click on Remove Selected.
9. Restart Windows.
abbes
Jul 01, 2008 @ 22:18:58
Thanks, I will try and will tell you about the result, but if it doesn’t work I will show you, OK? Now I’m going to have my dinner then go to bed because it’s too late here and I feel tired today. I had a lot of work this morning and I’m afraid I will see it in my dreams.
So tazebama and Mr. Gate are permanently in my computer playing cards and having alcoholic drinks.
Samuel Gitta
Sep 17, 2008 @ 05:08:24
The system restore tab is not available when I go to Properties of “My Computer”. However, I have gone to the registry and added the value as you recommend but am not sure it helps because I jumped the steps in between.
famart
Oct 28, 2008 @ 11:25:08
How to completely remove this worm from a flash drive. I used Norton but there was still some unresolved ones. How can I do this? I need help.
precisesecurity
Oct 29, 2008 @ 08:34:49
Famart, you can use Flash Disinfector to remove threats on flash drives.
sof2yan
Dec 07, 2008 @ 13:39:59
Hello,
I can’t follow step 5 as I’m not allowed to open regedit. I don’t see the start menu. It seems like I don’t have Administrator status anymore. I did a full virus analysis and deleted about 70 files but I can’t finish your protocol.
Any idea?
Thanks a lot anyway.
Bye
rodjes
Jan 10, 2009 @ 21:56:20
I followed through all the procedures, only that I didn’t find the system restore tab on the properties of my computer, and I couldn’t even use the Microsoft guide to get to it. However, I ran run/msconfig, and went to the system utility, and unchecked the system restore service.
Then followed through the steps, but again couldn’t find the
- %SystemDrive%\Documents and Settings\tazebama.dl_
- %SystemDrive%\Documents and Settings\hook.dl_
- %UserProfile%\Start Menu\Programs\Startup\zPharoh.exe
- %SystemDrive%\Documents and Settings\tazebama.dll
- [DRIVE]:\zPharaoh.exe
- [DRIVE]:\autorun
So I guessed it hadn’t created those, or my Eset NOD32 had deleted them; therefore I just continued with the procedures to the end. Somebody advise otherwise where need be, please.
Thanks,
Rod
Sreejith
Mar 23, 2009 @ 15:58:47
My Windows 2003 server is affected by Tezebama.dll. Anybody can help me?
Thoko
Apr 09, 2009 @ 07:07:08
Hi
Our system has been hit by the mabezat virus. All our computers which are connected to the server can’t access their profiles; it gives an error message that says: local profile cannot be found you will currently be logged on a temporary file. I have updated the antivirus, scanned the system and got 1890 viruses on the server.
Thanks and Regards
Thoko
Robert
Apr 27, 2009 @ 05:55:47
Thanks for the great solution!
Our server computer had over 7500 viruses and 99% of them were the Mabezat worm. It has now been cleaned by this solution and by Avast! Antivirus.
I can only recommend Avast!, since it is a very powerful antivirus. And if you have Home Edition, you can use it freely without any payment. You only need to register with a received registration code (free of course).
Thanks again for this great solution.
– Robert
Sreenivasa
Aug 18, 2009 @ 18:24:42
Hello Friends,
In our college all systems are affected with the tazebalm.dll virus. Even if I remove it, it is automatically created again each time I execute Java executable files. I am unable to use Java due to this. Please give me a solution for permanently removing tazebalm.dll from all systems.
jumhong
Aug 19, 2009 @ 00:33:34
Hi,
You will not beat this virus if you do not remove some of its files that are system, hidden and read-only.
You have to do it manually by going to the following drives:
- %SystemDrive%\Documents and Settings\
- %UserProfile%\Start Menu\Programs\Startup\
- [RootDrive]:\
- [USB Drive]:\
1. Go to Start > Run and type "cmd" for command prompt.
2. On each drive, type "attrib" to view attributed files.
3. To remove the attributes, type "attrib -s -h -r filename"
4. Delete the file, "del filename"
5. After deleting all files, scan your computer with antivirus programs.
Mwakhulegwa
Aug 20, 2009 @ 12:43:13
Kaspersky does the whole trick. It saved me a lot of stress, in fact mysql had been taken plus my installation files.
Go for Kaspersky do a full scan and restart your server.
Master
Sep 11, 2009 @ 10:30:37
I need help, my laptop was infected by mabezat. I downloaded rmmabez.exe and scanned the PC. The virus was removed but my desktop is still not populated and does not respond to left or right clicks. My taskbar is also not there.
I tried the system restore route but it did not help. I can only access programs and files via alt+del+ctrl new task route.
Can anyone help restore my computer.
HJ
Oct 05, 2009 @ 14:20:50
Hi
I really need urgent help!!
I am a DJ with over 18 000 songs!!!
this ”mazebat” worm infected my pc because my norton was not updated!!
the pc was taken to IT experts..they removed it
BUT ALL MY MUSIC!! AND MUSIC APPS HAVE BEEN REMOVED BY THE VIRUS!!!
please I really need help on how to restore all the files
thanks in advance!
HJ
Per Andersson
Oct 15, 2009 @ 17:49:14
Sorry HJ for your loss of music files, but it’s not the virus that has removed the songs, it’s the IT-”experts”.
biniam
Dec 17, 2009 @ 14:24:04
Hi, I got a virus on my PC and I removed the virus using AVG, but I lost my files. Can anyone help me with how to restore all the files?
thanks in advance!
biniam
SIBI
Jan 11, 2010 @ 04:24:26
Hi Biniam, to retrieve your deleted files or recover files from a formatted disk, use format recovery software; it recovers all the files :-@
Mike47
Jan 11, 2010 @ 18:53:43
I got infected too.
But before you do all these, you have to stop it first.
Open the notepad, and save the following as .bat:
TASKKILL /F /IM "tazebama.dl_"
%SystemDrive%\Documents and Settings\tazebama.dl_
%SystemDrive%\Documents and Settings\hook.dl_
%UserProfile%\Start Menu\Programs\Startup\zPharoh.exe
%SystemDrive%\Documents and Settings\tazebama.dll
c:-dir/ah
attrib -s -h -r C:\autorun.inf
attrib -s -h -r C:\zPharaoh.exe
del c:\autorun.inf
del c:\zPharaoh.exe
Depending on your drives letters, re-type the last 5 lines and consider changing the drive letter.
Mike47
Jan 11, 2010 @ 18:58:58
Note also that there are files created on 5 levels of folders; each file has the name of its upper-level folder, but with the extension .exe, in addition to other files taken from your system.
You can find them, if you do make a deep search with the following criteria:
- *.exe
- all computer drives
- size at most 152 KB
Sort the found files by size.
Delete all the files that have this size.
HR jagath
Jan 23, 2010 @ 11:11:37
Remove the Win32/mabezat.B (tazebama.dl_) virus
HR jagath
Jan 23, 2010 @ 11:18:10
Remove the win32/mabezat.B (tazebama.dl_) virus
lucky
Feb 22, 2010 @ 13:36:17
Sir, I have a problem with my phone. I connected my Nokia N73 to my friend’s computer; since then my phone can’t read its memory card. I formatted the phone memory and the memory card, still no progress. Please, I need your help.
Adaku
Mar 10, 2010 @ 23:44:51
What a relief to find this site! I was using my Nokia E71 phone to browse the net when all of a sudden my memory card files were nowhere to be found! I checked my memory card status and discovered that it was the way it was before it became corrupted. I formatted and tried to retrieve the data to no avail. When I take pictures it stores them, but when I go to the gallery I don’t see them… Please help me, I have a lot of my kids’ priceless pics that I don’t want to lose. Thanks in advance.
Inder
Apr 15, 2010 @ 05:12:05
The virus has affected my startup files; when I log in as my user or administrator, it logs me out. I am unable to start up Windows. I had installed Windows XP; can anybody help me?
Salman
Jun 05, 2010 @ 14:13:57
When the virus Win32/Mabezat is executed, this worm drops the following files:
* C:\Documents and Settings\ tazebama.dl_
* C:\Documents and Settings\ hook.dl_
* C:\Start MenuProgramsStartup \zPharoh.exe
* C:\Documents and Settings[User Name]ApplicationData \tazebama zPharaoh.dat
* C:\Documents and Settings My Documents\ readme.doc .exe
* [Drive Letter c:]: zPharaoh.exe
* [Drive Letter d: ]: zPharaoh.inf
Method of Infection
This worm spreads by copying itself to network shares and to removable devices, along with an “Autorun.inf”.
Infection starts either with manual execution of the infected file or by simply navigating to the folders containing the infected files, whereby the “Autorun.inf” file could cause automatic execution of the worm.
* Presence of the files and registry entries mentioned earlier
* Presence of the following autorun.inf file on the root of removable, fixed and network drives:
Check your auto run file
[ AutoRun]
shell Execute=zPharaoh.exe
shell\open\command=zPharaoh.exe
shell\open\command=zPharaoh.exe
open=zPharaoh.exe
If you find this in the autorun file, dude, you are also infected by a deadly virus called Win32/Mabezat
you can check hidden files in your system by clicking this link below and download this software called ProcessSHR.exe
4shared.com/account/file/PBc_IeYe/ProcessSHR.html
Remove and clean infected files
Go to this link below and download a tool called ” Rmmabez – virus remover tool for Win32/Mabezat”
4shared.com/account/file/-vaLNguL/Rmmabez_virus_remover_tool.html
or go to
download.avg.com/filedir/util/avg_rem_sup.dir/rmmabez/rmmabez.exe
For any help you guys can contact me on my mail id….
BilalRj
Jul 25, 2010 @ 16:28:55
Really thanks ,, It helped :)
Tip: Use Avast it’s the best !!
senthil nathan
Sep 06, 2010 @ 09:48:34
my system has a lot of virus problem
Joy Madalane
Oct 17, 2010 @ 08:03:12
Hello
I have the Mezabet virus on my system I think…
It creates duplicate folders of almost every folder eg. “My Music” when I open it there’s another “My Music” contained and other files are created all over
This is only in my slave drive, which I use to store music and pictures!
How can I remove it
Abraxas357
Nov 08, 2010 @ 10:43:12
Thanks, really useful stuff. Mazebat/a/b all seem to react differently and require different approaches; stopping all autorun and blocking shares contained it well enough to allow for the great cleansing, thx.
JOSEPH EL-NAHAS
Apr 05, 2011 @ 10:44:36
HI, CAN YOU HELP ME TO REMOVE WIN32.MABEZAT WORM VIRUS. THANK YOU
lina shadin
May 05, 2011 @ 22:55:50
Hi, my PC (Windows 7) is infected with the mabezat.a virus that my ESET antivirus couldn’t delete, so I followed some of the instructions here. I temporarily disabled System Restore and I started deleting all the values added to the registry as you instructed above, but suddenly my PC shut down and now it is unable to start up… I don’t know what’s wrong. Please let me know what to do. Thanks.
starf1sh
Aug 23, 2011 @ 23:19:54
tried this one, also used the norton power eraser, not all of the mabezat virus was removed. my pc is still infected and mabezat is still spreading.
Netra Tamang
Oct 30, 2011 @ 14:24:54
Woh!!! My PC is infected with worm.win32.mabezat.b. It could not be disinfected/neutralised through Kaspersky antivirus. Would anybody help me? Is there any solution for removal? Thanks
hassan
Nov 10, 2011 @ 22:33:24
thank you