W32.Mabezat.B is a computer worm. It can infect executable files and encrypt data files. W32.Mabezat.B may spread via removable drives and shared folder. It will make changes to Windows registry that may result to disability of certain functions. This worm will take advantage of the Autorun feature in Windows to execute itself when the drive is accessed. The same task is applied to spread a copy on network computer and drop a copy on network shares.

Alias: Worm.Win32.Mabezat.b, W32/Mabezat, PE_MABEZAT.B-O, W32/Mabezat-B

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista

Upon execution, this worm will drop multiple files under Documents and Settings and User Profile folders. It will also create additional folders and files on the same location.

When the computer’s Autorun feature is active, it will utilize that function as method to spread itself. If the worm sense that Autorun is disabled, it will delete the following registry entry to reset the configuration.

Next, W32.Mabezat.B will set file attributes to hide system files through this registry key.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\”ShowSuperHidden” = “0”

The worm will look for any shared folders, drives on the network, and drop a copy of the following files.

If it sense that network is protected with password, the worm will force its entry by using default user name and generated key.

W32.Mabezat.B also searches the compromised PC for .exe files. It encrypts the original file and replaces it with a copy of the worm.

This worm typically spreads via spam email messages. It is attached as executable file or RAR compressed data. When activated, it utilizes the infected computer to mass-mail a copy of itself to contacts found on victim’s address book. Here are some samples of the fraud email generated by W32.Mabezat.B.

Subject: hi
Attachment: notes.rar
Unfortunately, I received unformatted email with an attached file from you. I couldn’t understand what is behind the words. I wish you next time send me a readable file!. I forwarded the attached file again to evaluate yourself.

Subject: Web designer vacancy
Attachment: JobDetails.rar
Fortunately, we have recently received your CV/Resume from moister web site and we found it matching…
Thanks & Regards,
Ajy Bokra 

Subject: MBA new vision
Attachment: Marketing.rar
MBA (Master of business administration ) one of the most required degree around the world. We offer…

34 Responses

  1. precisesecurity says:

    We have tried this and work on Windows2000/XP, dont know if it will work on server.
    1. Download removal tool from this page and save it on your Desktop.
    2. After downloading, double-click on to install the application.
    3. Follow the prompts and install as “default” only
    4. If it prompts to update the database after installation, please proceed.

    5. Click “Finish.” Program will run automatically and you will be prompt to update the program before doing a scan. Please update.
    6. Scan your computer thoroughly.
    7. When scanning is finished, click on the “Show Results”
    8. Make sure that all detected threats are marked, click on Remove Selected.
    9. Restart Windows.

  2. abbes says:

    Thanks, I will try and will tell you about the result but if it doesn’t work I will show you Ok? Now I’m going to take my dinner then go to the bed because it’s too late here and I feel tired today, I had many work this morning and I’m afraid will see them on my dream.
    So tazebama and Mr. Gate are permanently in my computer playing cards and having alcoholic drinks.

  3. Samuel Gitta says:

    The system restore tab is not available when I go to Properties of “My Computer”. However, I have gone to the registry and added the value as you recommend but am not sure it helps because I jumped the steps in between.

  4. precisesecurity says:

    Famart, you can use Flash Disinfector to remove threats on flash drives.

  5. sof2yan says:


    I can’t follow step 5 as I’m not allowed to open regedit. I don’t see the start menu. It seems like I don’t have Administrator status anymore. I did a full virus analysis and deleted about 70 files but I can’t finish your protocol.
    Any idea?
    Thanks a lot anyway.


  6. rodjes says:

    I followed through all the procedures, only that I didn’t find the system restore tab on the properties of my computer, and I even couldn’t user the Microsoft guide to get to it, how ever I run/msconfig, and when to the system utility, and un checked the system restore service.

    Then followed through the steps, but again couldn’t find the
    – %SystemDrive%\Documents and Settings\tazebama.dl_
    – %SystemDrive%\Documents and Settings\hook.dl_
    – %UserProfile%\Start Menu\Programs\Startup\zPharoh.exe
    – %SystemDrive%\Documents and Settings\tazebama.dll
    – [DRIVE]:\zPharaoh.exe
    – [DRIVE]:\autorun

    So I guessed it hadn’t created those, or my Eset NOd 32 had deleted them, there fore I just continued with the procedures to the end, some body advise otherwise where need be please.

  7. Thoko says:


    Our system has been hit by mabezat virus, all our computer which a connected to the server they cant access their profiles it gives an error message that says : local profile cannot be found you will currently be logged on a temporary file, I have update antivirus scanned the system got 1890 virus on the server.

    Thanks and Regards


  8. Robert says:

    Thanks for the great solution!
    Our server computer had over 7500 viruses and 99 % of them were the Mabezat worm.. It has now been cleaned by this solution and by Avast! Antivirus.

    I can only recommend Avast!, since it is a very powerful antivirus. And if you have Home Edition, you can use it freely without any payment. You only need to register with a received registration code (free of course).

    Thanks again for this great solution.

    – Robert

  9. Sreenivasa says:

    Hello Friends,

    I our college all systems affected with tazebalm.dll virus.If i remove also automatically create each time when i used to execute Java Executable files. I am unable to use Java due to this. Please give me a solution to permanently removing tazebalm.dll from all systems

  10. jumhong says:


    You will not beat this virus if you will not remove some of its files that were system, hidden and read-only.

    You have to do it manually by going to following drives:
    – %SystemDrive%\Documents and Settings\
    – %UserProfile%\Start Menu\Programs\Startup\
    – [RootDrive]:\
    – [USB Drive]:\

    1. Go to Start>Run and type “cmd” for command prompt
    2. On each drive, type “attrib” to view attributed files.
    3. To remove the attributes, type “-s -h -r filename”
    4. Delete the file, “del filename”
    5. After deleting all files, scan your computer with antivirus programs.

  11. Mwakhulegwa says:

    Kaspersky does the whole trick. It saved me a lot of stress, in fact mysql had been taken plus my installation files.
    Go for Kaspersky do a full scan and restart your server.

  12. Master says:

    I need help my laptop was infected by mabezat. I downloaded rmmabez.exe and scanned the PC. The virus was removed but my desktop is still not populated nor respond to left or right clicks. My taskbar is also not there.

    I tried the system restore route but it did not help. I can only access programs and files via alt+del+ctrl new task route.

    Can anyone help restore my computer.

  13. HJ says:

    I really need urgent help!!
    I am a DJ with over 18 000 songs!!!
    this ”mazebat” worm infected my pc because my norton was not updated!!
    the pc was taken to IT experts..they removed it

    please I really need help on how to restore all the files

    thanks in advance!

  14. Per Andersson says:

    Sorry HJ for your loss of musicfiles but its not the virus
    that has removed the songs, its the IT-“experts”.

  15. biniam says:

    hi i got a virus in my pc and i removed the virus using avg but i lost my file so any one can help me how to restore all the files

    thanks in advance!

  16. SIBI says:

    hi Biniam retrive ur deleted files r recover files from formated disk u use format recovery software it recover all d files :-@

  17. Mike47 says:

    I got infected too.
    But before you do all these, you have to stop it first.
    Open the notepad, and save the following as .bat:

    TASKKILL /F /IM “tazebama.dl_”
    %SystemDrive%\Documents and Settings\tazebama.dl_
    %SystemDrive%\Documents and Settings\hook.dl_
    %UserProfile%\Start Menu\Programs\Startup\zPharoh.exe
    %SystemDrive%\Documents and Settings\tazebama.dll

    attrib -s -h -r C:\autorun.inf
    attrib -s -h -r C:\zPharaoh.exe
    del c:\autorun.inf
    del c:\zPharaoh.exe

    Depending on your drives letters, re-type the last 5 lines and consider changing the drive letter.

  18. Mike47 says:

    Note also that, there are files created on 5 levels of folders, each files has the name of its upper-level name, but with the extension .exe, in addition to other file taken from your system.

    You can find them, if you do make a deep search with the following criteria:
    – *.exe
    – all computer drives
    – size at most 152 KB

    Sort the found files depending on the size
    Delete all these files that has this size.

  19. HR jagath says:

    Remove the Win32/mabezat.B(tazebama.dl_)virus

  20. HR jagath says:

    Remov the win32/mabezat.B(tazebama.dl_)virus

  21. lucky says:

    sir,i’m problem wit my phone .i connected my nokia n73 t0 my friends computer,since then my phone can’t read its memory card. i formatted d phone memory and d memory card still yet no progress.pls i need your help.

  22. Adaku says:

    What a relief to find this site! I was using my nokia E71 phone to browse the net when all of a sudden my memory card files were nowhere to be found! I checked my memory card status and dicovered that it was the way it was b4 it became corrupted. I formatted and tried to retrieve the data to no avail. when I take pictures itstores them but when I go to gallery I dont c them…pls help me I have a lot of my kids’ priceless pics that I dont want to lose. Tnx in advance.

  23. Inder says:

    Virus had effected my statup files, when I login through my user or administrator itz logouts myself. I am unable to start up the windows. I had installed windows XP, can anybody help me.

  24. Salman says:

    When the virus Win32/Mabezat executed, this worm drops the following files:

    * C:\Documents and Settings\ tazebama.dl_
    * C:\Documents and Settings\ hook.dl_
    * C:\Start MenuProgramsStartup \zPharoh.exe
    * C:\Documents and Settings[User Name]ApplicationData \tazebama zPharaoh.dat
    * C:\Documents and Settings My Documents\ readme.doc .exe
    * [Drive Letter c:]: zPharaoh.exe
    * [Drive Letter d: ]: zPharaoh.inf

    Method of Infection

    This worm spreads by copying itself to network shares and to removable devices, along with an “Autorun.inf”.

    Infection starts eithere with manual execution of the infected file or by simply navigating to the folders containing the infected files, whereby the “Autorun.inf” file could cause automatic execution of the worm.

    * Presence of the files and registry entries mentioned earlier
    * Presence of the following autorun.inf file on the root of removable, fixed and network drives:

    Check your auto run file

    [ AutoRun]
    shell Execute=zPharaoh.exe

    If u find this in the autorun file dude you are also infected by a deadly virus called Win32/Mabezat

    you can check hidden files in your system by clicking this link below and download this software called ProcessSHR.exe


    Remove and clean infected files

    Go to this link below and download a tool called ” Rmmabez – virus remover tool for Win32/Mabezat”


    or go to


    For any help you guys can contact me on my mail id….

  25. BilalRj says:

    Really thanks ,, It helped :)
    Tip: Use Avast it’s the best !!

  26. senthil nathan says:

    my system has a lot of virus problem

  27. Joy Madalane says:


    I have the Mezabet virus on my system I think…

    It creates duplicate folders of almost every folder eg. “My Music” when I open it there’s another “My Music” contained and other files are created all over

    This is only in my slave drive, which I use to store music and pictures!

    How can I remove it

  28. Abraxas357 says:

    Thanks really useful stuff. Mazebat/a/b all seem to react differently and require different approaches, stopping all autorun and blocking shares contained it well enough to allow for the great clensing thx.

  29. JOSEPH EL-NAHAS says:


  30. lina shadin says:

    hi, my pc (windows 7) is infected with mabezat.a virus that my eset antivirus couldnt delete so i followed some of the instructions here i temporarly Disabled the System Restore and i started deleting all the values added to the registry as u instructed above but suddently my pc shut down and now it is unable to start up … i dont know whats wrong .. plz let me know what to do. thanks

  31. starf1sh says:

    tried this one, also used the norton power eraser, not all of the mabezat virus was removed. my pc is still infected and mabezat is still spreading.

  32. Netra Tamang says:

    Woh!!! My pc is infected with worm.win32.mabezat.b it could not be disinfected/neutralised through Kaspersky antivirus any body would help me. Is there any solution for removal ?Thanks

  33. hassan says:

    thank you

  34. Alan says:

    Salman, you gave the best answer

Leave a Reply

Your email address will not be published. Required fields are marked *