W32.Mabezat.B

W32.Mabezat.B is a computer worm. It infects executable files and encrypts data files. W32.Mabezat.B spreads via removable drives and shared folders, and it changes the Windows registry in ways that can disable certain functions. The worm abuses the Windows Autorun feature to execute itself when an infected drive is accessed; it uses the same technique to spread copies to other computers on the network and to drop copies on network shares.

Alias: Worm.Win32.Mabezat.b, W32/Mabezat, PE_MABEZAT.B-O, W32/Mabezat-B

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista

Characteristics
Upon execution, this worm drops multiple files under the Documents and Settings and user profile folders, and creates additional folders and files in the same locations.

When the computer's Autorun feature is active, the worm uses it to spread itself. If the worm detects that Autorun has been disabled, it deletes the following registry value so that the default (Autorun-enabled) behaviour comes back.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun

Next, W32.Mabezat.B configures Explorer not to display protected operating-system files (files carrying both the hidden and system attributes), which keeps its dropped files out of sight, by setting this registry value.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"

The worm looks for shared folders and network drives and drops copies of the following files on them.
[DRIVE]:\zPharaoh.exe
[DRIVE]:\autorun.inf

If a share is password-protected, the worm tries to force its way in using a default user name and a generated key.

W32.Mabezat.B also searches the compromised PC for .exe files. It encrypts each original file and replaces it with a copy of the worm.

Distribution
This worm typically spreads via spam email, attached as an executable file or as a RAR archive. Once active, it uses the infected computer to mass-mail copies of itself to the contacts in the victim's address book. Here are some samples of the emails generated by W32.Mabezat.B.

Subject: hi
Attachment: notes.rar
Body:
Unfortunately, I received unformatted email with an attached file from you. I couldn’t understand what is behind the words. I wish you next time send me a readable file!. I forwarded the attached file again to evaluate yourself.

Subject: Web designer vacancy
Attachment: JobDetails.rar
Body:
Fortunately, we have recently received your CV/Resume from moister web site and we found it matching…
Thanks & Regards,
Ajy Bokra 

Subject: MBA new vision
Attachment: Marketing.rar
Body:
MBA (Master of business administration ) one of the most required degree around the world. We offer…
AjyKolav@tazeunv.com 

Associated Files and Folders:
%SystemDrive%\Documents and Settings\tazebama.dl_
%SystemDrive%\Documents and Settings\hook.dl_
%UserProfile%\Start Menu\Programs\Startup\zPharoh.exe
%SystemDrive%\Documents and Settings\tazebama.dll
%SystemDrive%\Documents and Settings\[USER NAME]\Application Data\tazebama
%SystemDrive%\Documents and Settings\[USER NAME]\Application Data\tazebama\tazebama.log
%SystemDrive%\Documents and Settings\[USER NAME]\Application Data\tazebama\zPharaoh.dat
[DRIVE]:\zPharaoh.exe
[DRIVE]:\autorun.inf
[Network]My documents .exe
[Network]Readme.doc .exe
[Network]My Documents [SPACES].exe
File Location for Windows Versions:
  • %UserProfile% is C:\Users\<Current User> on Windows Vista/7 and C:\Documents and Settings\<Current User> on Windows XP/2000.
  • %System% is C:\Windows\System32 on all versions of Windows.
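The following PowerShell script is an added example and not part of the original write-up. It is a read-only triage check for the indicators described in the Characteristics section and the Associated Files and Folders list above: the two registry values the worm tampers with, the dropped files, the Startup-folder copy, and autorun.inf or padded ".exe" names in drive roots. Assumptions of mine, not stated on the page: the wildcard zPhar*.exe is used to cover both spellings the list gives (zPharaoh.exe and zPharoh.exe), the Documents and Settings / Users root is derived from %USERPROFILE%, and bit 0x04 of NoDriveTypeAutoRun is treated as the removable-drive bit (its documented meaning). The function name is my own.

```powershell
# Added example, not from the original write-up: read-only triage of the
# W32.Mabezat.B indicators listed on this page. Run in an elevated PowerShell.

function Get-MabezatIndicators {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Kind, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
    }

    # 1. Registry. The worm deletes NoDriveTypeAutoRun (re-enabling Autorun)
    #    and sets ShowSuperHidden = 0 (Explorer hides hidden+system files).
    $policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $adv    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $ndta = (Get-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $ndta) {
        Add-Finding 'Registry' "NoDriveTypeAutoRun missing under $policy"
    } elseif (($ndta -band 0x04) -eq 0) {
        # Assumption: 0x04 is the removable-drive bit; clear means Autorun still allowed there.
        Add-Finding 'Registry' ('NoDriveTypeAutoRun = 0x{0:X2} still allows Autorun on removable drives' -f $ndta)
    }
    $ssh = (Get-ItemProperty -Path $adv -Name ShowSuperHidden -ErrorAction SilentlyContinue).ShowSuperHidden
    if ($ssh -eq 0) { Add-Finding 'Registry' "ShowSuperHidden = 0 under $adv" }

    # 2. Dropped files. The page lists them under Documents and Settings and
    #    the user profile; the profile root is derived from %USERPROFILE%.
    $profileRoot = Split-Path -Path $env:USERPROFILE -Parent
    $files = @(
        (Join-Path $profileRoot 'tazebama.dl_'),
        (Join-Path $profileRoot 'hook.dl_'),
        (Join-Path $profileRoot 'tazebama.dll'),
        (Join-Path $env:APPDATA 'tazebama\tazebama.log'),
        (Join-Path $env:APPDATA 'tazebama\zPharaoh.dat')
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f -ErrorAction SilentlyContinue) { Add-Finding 'File' $f }
    }
    # Startup-folder copy (listed as zPharoh.exe; the wildcard also matches zPharaoh.exe).
    $startup = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -Path $startup -Filter 'zPhar*.exe' -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'Startup' $_.FullName }

    # 3. Drive roots: an autorun.inf that launches zPhar*, and executables whose
    #    name carries padding spaces before ".exe" ("My documents      .exe").
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $root = $drive.Root
        $inf  = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $inf -ErrorAction SilentlyContinue) {
            $text = Get-Content -LiteralPath $inf -Raw -ErrorAction SilentlyContinue
            if ($text -match '(?im)^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=.*zphar') {
                Add-Finding 'Autorun' "$inf launches a zPhar* executable"
            } else {
                Add-Finding 'Autorun' "$inf present; review its contents"
            }
        }
        Get-ChildItem -Path $root -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like 'zPhar*' -or $_.BaseName -match '\s$' } |
            ForEach-Object { Add-Finding 'DriveRootExe' $_.FullName }
    }
    return $findings
}

$result = @(Get-MabezatIndicators)
if ($result.Count -eq 0) { 'No W32.Mabezat.B indicators found.' } else { $result | Format-Table -AutoSize }
```

The script changes nothing; it only reports. An autorun.inf that does not reference zPhar* is still reported, because a root-level autorun.inf on a fixed or removable drive deserves a look regardless of this particular worm, and a clean result from this check is not proof of a clean host: the encrypted data files and infected executables the page describes can only be found by a full anti-virus scan.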

How to Remove W32.Mabezat.B

Restore Windows Components

During an infection, W32.Mabezat.B drops various files and deliberately hides system files by changing registry settings. Because of this, the simplest way to return Windows to a previous working state is System Restore. If a restore point from before the infection exists, you may proceed with Windows System Restore. Note that System Restore does not recover the data files the worm encrypted, and infected executables outside the restored system areas still have to be cleaned by an anti-virus scan.

Manual Removal Procedure

1. If an anti-virus program is present, update its definitions. Each anti-virus program has its own update procedure; refer to the vendor's documentation.

2. Reboot Windows in Safe Mode so that only minimal Windows components are loaded and the worm's Startup-folder copy is not launched.
- After turning on the computer, press F8 on your keyboard.
- In the Boot Options menu, select Safe Mode.

3. Run a full system scan and clean or delete all infected files.

4. Delete or modify any registry values the worm added, and restore the NoDriveTypeAutoRun value it deleted (see the Characteristics section above).
- To edit the registry, click Start > Run, type regedit.exe in the field and press Enter.
- Alternatively, press Windows Key + R on your keyboard to open the Run dialog.

5. Exit the Registry Editor when done. You may now restart the computer.
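As an added example that is not part of the original procedure, the following PowerShell function carries out step 4 and the Autorun re-hardening implied by the Characteristics section: it recreates NoDriveTypeAutoRun, which the worm deletes, with the value 0xFF in both HKLM and HKCU, sets ShowSuperHidden back to 1, and removes the Startup-folder copy, any drive-root autorun.inf that references zPhar*, and any zPhar*.exe in a drive root. It does not touch the encrypted data files or infected executables; those are the anti-virus scan's job (step 3). Assumptions of mine: 0xFF disables Autorun for every drive type (the documented bitmask), zPhar* covers both spellings listed on this page, and the function name is my own.

```powershell
# Added example, not part of the original removal procedure. Run elevated
# (HKLM writes need it), in Safe Mode, after the anti-virus scan of step 3.
# Call with -WhatIf first to see what would change without changing anything.

function Repair-MabezatPersistence {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # 1. NoDriveTypeAutoRun: the worm deletes the HKCU value to turn Autorun
    #    back on. Assumption: 0xFF disables Autorun for all drive types; writing
    #    HKLM as well makes the policy apply to every user on the machine.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        if ($PSCmdlet.ShouldProcess($key, 'Set NoDriveTypeAutoRun = 0xFF')) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
        }
    }

    # 2. ShowSuperHidden: the worm sets it to 0 so its hidden+system files stay
    #    invisible. 1 shows protected OS files; Hidden = 1 shows hidden files.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    if ($PSCmdlet.ShouldProcess($adv, 'Set ShowSuperHidden = 1 and Hidden = 1')) {
        Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord
        Set-ItemProperty -Path $adv -Name Hidden -Value 1 -Type DWord
    }

    # 3. Persistence files: the Startup-folder copy, zPhar*.exe in drive roots,
    #    and only those autorun.inf files whose contents reference zPhar*.
    $targets = @(
        Get-ChildItem -Path ([Environment]::GetFolderPath('Startup')) -Filter 'zPhar*.exe' -Force -ErrorAction SilentlyContinue
        foreach ($d in Get-PSDrive -PSProvider FileSystem) {
            Get-ChildItem -Path $d.Root -Force -ErrorAction SilentlyContinue |
                Where-Object {
                    $_.Name -like 'zPhar*.exe' -or
                    ($_.Name -eq 'autorun.inf' -and
                     (Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue) -match '(?i)zphar')
                }
        }
    )
    foreach ($f in $targets) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove')) {
            # Clear ReadOnly/Hidden/System first; Remove-Item refuses such files otherwise.
            $f.Attributes = 'Normal'
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
}

Repair-MabezatPersistence -WhatIf   # preview; drop -WhatIf to apply the changes
```

Setting NoDriveTypeAutoRun to 0xFF is deliberately broader than the default Windows value: it turns Autorun off for every drive type, which removes the spreading path this worm relies on. If a legitimate autorun.inf exists on a vendor USB stick, it is left alone because only files that reference zPhar* are removed.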

Scan with Norton Power Eraser

Norton Power Eraser is a free removal tool from Norton that removes viruses and unfamiliar threats without relying on traditional AV signatures. Download the tool from this location and scan the computer for viruses.

What to do next...