W32.Mabezat.B is a computer worm. It can infect executable files and encrypt data files. W32.Mabezat.B may spread via removable drives and shared folder. It will make changes to Windows registry that may result to disability of certain functions. This worm will take advantage of the Autorun feature in Windows to execute itself when the drive is accessed. The same task is applied to spread a copy on network computer and drop a copy on network shares.
Alias: Worm.Win32.Mabezat.b, W32/Mabezat, PE_MABEZAT.B-O, W32/Mabezat-B
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista
Upon execution, this worm will drop multiple files under Documents and Settings and User Profile folders. It will also create additional folders and files on the same location.
When the computer’s Autorun feature is active, it will utilize that function as method to spread itself. If the worm sense that Autorun is disabled, it will delete the following registry entry to reset the configuration.
Next, W32.Mabezat.B will set file attributes to hide system files through this registry key.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\”ShowSuperHidden” = “0”
The worm will look for any shared folders, drives on the network, and drop a copy of the following files.
If it sense that network is protected with password, the worm will force its entry by using default user name and generated key.
W32.Mabezat.B also searches the compromised PC for .exe files. It encrypts the original file and replaces it with a copy of the worm.
This worm typically spreads via spam email messages. It is attached as executable file or RAR compressed data. When activated, it utilizes the infected computer to mass-mail a copy of itself to contacts found on victim’s address book. Here are some samples of the fraud email generated by W32.Mabezat.B.
Unfortunately, I received unformatted email with an attached file from you. I couldn’t understand what is behind the words. I wish you next time send me a readable file!. I forwarded the attached file again to evaluate yourself.
Subject: Web designer vacancy
Fortunately, we have recently received your CV/Resume from moister web site and we found it matching…
Thanks & Regards,
Subject: MBA new vision
MBA (Master of business administration ) one of the most required degree around the world. We offer…
How to Remove W32.Mabezat.B
Restore Windows ComponentsDuring an infection, W32.Mabezat.B drops various files. The worm intentionally hides system files by setting options in the registry. With these accomplishments, the best solution is to return Windows to previous working state is trough System Restore. If previous restore point is saved, you may proceed with Windows System Restore.
Manual Removal Procedure
1. If an anti-virus program is present, update the definition file. Each anti-virus program has its own way to update the database. Please refer to your software manufacturer’s manual.
2. Reboot Windows in Safe Mode to ensure that only minimal Windows components are loaded.
- After turning on the power of the computer, press F8 on your keyboard.
- It will display the Boot Options menu, select Safe Mode.
3. Run a full system scan and clean/delete all infected file.
4. Delete or modify any values added to the registry if present. Please see the reference. - To edit the registry, click on Start > Run and type regedit.exe in the field. - Alternatively, you may press Windows Key + R on your keyboard to open the RUN command.
5. Exit registry editor when done. You may now restart the computer.
Scan with Norton Power EraserA free removal tool from Norton Antivirus was developed to remove virus and unfamiliar threats without using the traditional AV signatures. Download the tool from this location and start scanning the computer for viruses.
Alternative Removal Method for W32.Mabezat.B
Option 1 : Use Windows System Restore to return Windows to previous state
If W32.Mabezat.B enters the computer, there is a big chance that Windows files, registry entries and other essential components are also infected. System Restore can reinstate clean system files by restoring the configuration to an earlier date. The method also replaces compromised files with a clean version. If you have a saved restore point before W32.Mabezat.B infiltrates the PC, we highly encourage you to execute this procedure if none of the above works. You may proceed with Windows System Restore, click here to see the full procedure.
Option 2 : W32.Mabezat.B manual uninstall guide
IMPORTANT! Manual removal of W32.Mabezat.B requires technical skills. Deleting system files and registry entries by mistake may result to total disability of Windows system. We advise you to perform a backup of registry before proceeding with this guide.
1. Kill any running process that belongs to W32.Mabezat.B.
- Press Ctrl+Alt+Del on your keyboard.
- When Windows Task Manager appears, look for W32.Mabezat.B files (refer to Technical Reference) and click End Process.
2. Delete all registry entries that belong to this malware.
- Press [Windows Key]+R on your keyboard.
- In the 'Open' dialog box, type regedit and press Enter. This will open registry editor.
- Find and delete registry entries as mentioned in Technical Reference section below.
- Close registry editor. Changes made will be save automatically.
3. Scan the computer with antivirus program.
- Connect to Internet and open your antivirus software. Please update to obtain the latest database and necessary files.
- Restart the computer in Safe Mode.
- Just before Windows logo begins to load press F8 on your keyboard.
- On Windows Advanced Boot Options, select Safe Mode and press Enter.
4. Delete all files dropped by W32.Mabezat.B.
- While still in Safe Mode, search and delete malicious files. Please refer to 'Technical Reference'. Make sure that you execute 'End Task' first before deleting the file. Otherwise, the system will not let you perform this action.
Associated Files and Folders:
%SystemDrive%\Documents and Settings\tazebama.dll
%SystemDrive%\Documents and Settings\hook.dl_
%SystemDrive%\Documents and Settings\tazebama.dll
%SystemDrive%\Documents and Settings\[USER NAME]\Application Data\tazebama
%SystemDrive%\Documents and Settings\[USER NAME]\Application Data\tazebama\tazebama.log
%SystemDrive%\Documents and Settings\[USER NAME]\Application Data\tazebama\zPharaoh.dat
[Network]My documents. exe
[Network]My Documents [SPACES].exe
File Location for Windows Versions:
- %UserProfile% for Vista/7 user is C:\Users\<Current User> for Windows Vista/7, for Windows XP/2000 this is C:\Documents and Settings\<Current User>.
- %System% for all versions of Windows it is located under C:\Windows\System32