W32.Mabezat.B

W32.Mabezat.B is a computer worm. It can infect executable files and encrypt data files. W32.Mabezat.B may spread via removable drives and shared folders. It makes changes to the Windows registry that may disable certain functions. The worm takes advantage of the Autorun feature in Windows to execute itself when the drive is accessed. It uses the same technique to spread a copy to networked computers and to drop a copy on network shares.

Alias: Worm.Win32.Mabezat.b, W32/Mabezat, PE_MABEZAT.B-O, W32/Mabezat-B

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista

Characteristics
Upon execution, this worm drops multiple files under the Documents and Settings and User Profile folders. It also creates additional folders and files in the same location.

When the computer’s Autorun feature is active, the worm uses it as a method to spread itself. If the worm senses that Autorun is disabled, it deletes the following registry entry to reset the configuration.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun

Next, W32.Mabezat.B will set file attributes to hide system files through this registry key.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"

The worm looks for any shared folders and drives on the network and drops a copy of the following files.
[DRIVE]:\zPharaoh.exe
[DRIVE]:\autorun.inf

If it senses that the network is protected with a password, the worm will force its entry by using a default user name and a generated key.

W32.Mabezat.B also searches the compromised PC for .exe files. It encrypts the original file and replaces it with a copy of the worm.

Distribution
This worm typically spreads via spam email messages. It is attached as an executable file or as RAR-compressed data. When activated, it uses the infected computer to mass-mail a copy of itself to contacts found in the victim’s address book. Here are some samples of the fraudulent emails generated by W32.Mabezat.B.

Subject: hi
Attachment: notes.rar
Body:
Unfortunately, I received unformatted email with an attached file from you. I couldn’t understand what is behind the words. I wish you next time send me a readable file!. I forwarded the attached file again to evaluate yourself.

Subject: Web designer vacancy
Attachment: JobDetails.rar
Body:
Fortunately, we have recently received your CV/Resume from moister web site and we found it matching…
Thanks & Regards,
Ajy Bokra 

Subject: MBA new vision
Attachment: Marketing.rar
Body:
MBA (Master of business administration ) one of the most required degree around the world. We offer…
AjyKolav@tazeunv.com

How to Remove W32.Mabezat.B

Restore Windows Components

During an infection, W32.Mabezat.B drops various files. The worm intentionally hides system files by setting options in the registry. Because of these changes, the best solution is to return Windows to a previous working state through System Restore. If a previous restore point is saved, you may proceed with Windows System Restore.

Manual Removal Procedure

1. If an anti-virus program is present, update the definition file. Each anti-virus program has its own way to update the database. Please refer to your software manufacturer’s manual.

2. Reboot Windows in Safe Mode to ensure that only minimal Windows components are loaded.
- After turning on the power of the computer, press F8 on your keyboard.
- It will display the Boot Options menu, select Safe Mode.

3. Run a full system scan and clean/delete all infected files.

4. Delete or modify any values added to the registry if present. Please see the reference.
- To edit the registry, click on Start > Run and type regedit.exe in the field.
- Alternatively, you may press Windows Key + R on your keyboard to open the RUN command.

5. Exit registry editor when done. You may now restart the computer.

Scan with Norton Power Eraser

A free removal tool from Norton Antivirus was developed to remove virus and unfamiliar threats without using the traditional AV signatures. Download the tool from this location and start scanning the computer for viruses.

Alternative Removal Method for W32.Mabezat.B

Option 1 : Use Windows System Restore to return Windows to previous state

If W32.Mabezat.B enters the computer, there is a big chance that Windows files, registry entries and other essential components are also infected. System Restore can reinstate clean system files by restoring the configuration to an earlier date. The method also replaces compromised files with a clean version. If you have a restore point saved before W32.Mabezat.B infiltrated the PC, we highly encourage you to execute this procedure if none of the above works. You may proceed with Windows System Restore.

Option 2 : W32.Mabezat.B manual uninstall guide

IMPORTANT! Manual removal of W32.Mabezat.B requires technical skills. Deleting system files and registry entries by mistake may leave the Windows system totally disabled. We advise you to perform a backup of the registry before proceeding with this guide.

1. Kill any running process that belongs to W32.Mabezat.B.
- Press Ctrl+Alt+Del on your keyboard.
- When Windows Task Manager appears, look for W32.Mabezat.B files (refer to Technical Reference) and click End Process.

2. Delete all registry entries that belong to this malware.
- Press [Windows Key]+R on your keyboard.
- In the 'Open' dialog box, type regedit and press Enter. This will open registry editor.
- Find and delete registry entries as mentioned in Technical Reference section below.
- Close registry editor. Changes made will be saved automatically.

3. Scan the computer with antivirus program.
- Connect to Internet and open your antivirus software. Please update to obtain the latest database and necessary files.
- Restart the computer in Safe Mode.
- Just before Windows logo begins to load press F8 on your keyboard.
- On Windows Advanced Boot Options, select Safe Mode and press Enter.

4. Delete all files dropped by W32.Mabezat.B.
- While still in Safe Mode, search and delete malicious files. Please refer to 'Technical Reference'. Make sure that you execute 'End Task' first before deleting the file. Otherwise, the system will not let you perform this action.

Associated Files and Folders:
%SystemDrive%\Documents and Settings\tazebama.dll
%SystemDrive%\Documents and Settings\hook.dl_
%UserProfile%\Start Menu\Programs\Startup\zPharoh.exe
%SystemDrive%\Documents and Settings\[USER NAME]\Application Data\tazebama
%SystemDrive%\Documents and Settings\[USER NAME]\Application Data\tazebama\tazebama.log
%SystemDrive%\Documents and Settings\[USER NAME]\Application Data\tazebama\zPharaoh.dat
[DRIVE]:\zPharaoh.exe
[DRIVE]:\autorun.inf
[Network]My documents. exe
[Network]Readme.doc. exe
[Network]My Documents [SPACES].exe

File Location for Windows Versions:
  • %UserProfile% is C:\Users\<Current User> on Windows Vista/7 and C:\Documents and Settings\<Current User> on Windows XP/2000.
  • %System% is C:\Windows\System32 on all versions of Windows.
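
The file indicators above can be checked in one pass. The following is an added example, not part of the original page or of any vendor tool: a read-only Python sweep of a mounted drive, share or user-profile folder. The decoy-name pattern is inferred from the [Network] entries in the list, and the folder-named .exe heuristic with its 152 KB limit comes from a reader comment below; both are assumptions and every hit needs manual review.

```python
import re
import sys
from pathlib import Path

# File names from the "Associated Files and Folders" list and the comments on this page.
IOC_NAMES = {"zpharaoh.exe", "zpharoh.exe", "zpharaoh.dat", "tazebama.dll",
             "tazebama.dl_", "tazebama.log", "hook.dl_"}
# Decoys such as "Readme.doc. exe" or "My Documents   .exe": whitespace around the dot.
DECOY_EXE = re.compile(r"(\s+\.exe|\.\s+exe)$", re.IGNORECASE)
MAX_COPY_SIZE = 152 * 1024  # size quoted by a commenter; a heuristic, not a signature


def autorun_targets(text):
    """Return every command an autorun.inf would launch, tolerating stray spaces."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.strip("[] \t").lower() == "autorun"
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower().replace(" ", "")
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value)
    return targets


def launched_name(command):
    """Lower-cased base name of the first token of an autorun command."""
    first = (command.replace('"', " ").split() or [""])[0]
    return re.split(r"[\\/]", first)[-1].lower()


def sweep(root):
    """Walk root without modifying it; return sorted (reason, relative path) pairs."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        name, rel = path.name.lower(), path.relative_to(root).as_posix()
        if name in IOC_NAMES:
            findings.append(("ioc-name", rel))
        elif DECOY_EXE.search(name):
            findings.append(("decoy-exe", rel))
        elif name == "autorun.inf":
            text = path.read_bytes().decode("latin-1")
            if any(launched_name(t) in IOC_NAMES for t in autorun_targets(text)):
                findings.append(("autorun-launches-ioc", rel))
        elif (path.suffix.lower() == ".exe"
              and path.stem.lower() == path.parent.name.lower()
              and path.stat().st_size <= MAX_COPY_SIZE):
            findings.append(("folder-named-exe", rel))  # legitimate apps can match
    return sorted(findings)


if __name__ == "__main__":
    for reason, rel in sweep(sys.argv[1]):
        print(f"{reason:22} {rel}")
```

Run it against a drive root or mounted image, for example `python sweep.py E:\`; it only reads files and reports paths, so removal still follows the steps above.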

34 Responses

  1. precisesecurity says:

    We have tried this and it works on Windows 2000/XP; we don’t know if it will work on a server.
    1. Download removal tool from this page and save it on your Desktop.
    2. After downloading, double-click on to install the application.
    3. Follow the prompts and install as “default” only
    4. If it prompts to update the database after installation, please proceed.

    5. Click “Finish.” The program will run automatically and you will be prompted to update the program before doing a scan. Please update.
    6. Scan your computer thoroughly.
    7. When scanning is finished, click on the “Show Results”
    8. Make sure that all detected threats are marked, click on Remove Selected.
    9. Restart Windows.

  2. abbes says:

    Thanks, I will try and will tell you about the result but if it doesn’t work I will show you Ok? Now I’m going to take my dinner then go to the bed because it’s too late here and I feel tired today, I had many work this morning and I’m afraid will see them on my dream.
    So tazebama and Mr. Gate are permanently in my computer playing cards and having alcoholic drinks.

  3. Samuel Gitta says:

    The system restore tab is not available when I go to Properties of “My Computer”. However, I have gone to the registry and added the value as you recommend but am not sure it helps because I jumped the steps in between.

  4. precisesecurity says:

    Famart, you can use Flash Disinfector to remove threats on flash drives.

  5. sof2yan says:

    Hello,

    I can’t follow step 5 as I’m not allowed to open regedit. I don’t see the start menu. It seems like I don’t have Administrator status anymore. I did a full virus analysis and deleted about 70 files but I can’t finish your protocol.
    Any idea?
    Thanks a lot anyway.

    Bye

  6. rodjes says:

    I followed through all the procedures, only that I didn’t find the system restore tab on the properties of my computer, and I even couldn’t use the Microsoft guide to get to it. However, I ran msconfig, went to the system utility, and unchecked the system restore service.

    Then followed through the steps, but again couldn’t find the
    – %SystemDrive%\Documents and Settings\tazebama.dl_
    – %SystemDrive%\Documents and Settings\hook.dl_
    – %UserProfile%\Start Menu\Programs\Startup\zPharoh.exe
    – %SystemDrive%\Documents and Settings\tazebama.dll
    – [DRIVE]:\zPharaoh.exe
    – [DRIVE]:\autorun

    So I guessed it hadn’t created those, or my ESET NOD32 had deleted them; therefore I just continued with the procedures to the end. Somebody advise otherwise where need be, please.
    Thanks,
    Rod

  7. Thoko says:

    Hi

    Our system has been hit by the mabezat virus. All our computers which are connected to the server can’t access their profiles; it gives an error message that says: local profile cannot be found you will currently be logged on a temporary file. I have updated the antivirus and scanned the system and got 1890 viruses on the server.

    Thanks and Regards

    Thoko

  8. Robert says:

    Thanks for the great solution!
    Our server computer had over 7500 viruses and 99 % of them were the Mabezat worm.. It has now been cleaned by this solution and by Avast! Antivirus.

    I can only recommend Avast!, since it is a very powerful antivirus. And if you have Home Edition, you can use it freely without any payment. You only need to register with a received registration code (free of course).

    Thanks again for this great solution.

    – Robert

  9. Sreenivasa says:

    Hello Friends,

    In our college all systems are affected with the tazebalm.dll virus. Even if I remove it, it is automatically created each time I execute Java executable files. I am unable to use Java due to this. Please give me a solution for permanently removing tazebalm.dll from all systems.

  10. jumhong says:

    Hi,

    You will not beat this virus if you will not remove some of its files that were system, hidden and read-only.

    You have to do it manually by going to following drives:
    – %SystemDrive%\Documents and Settings\
    – %UserProfile%\Start Menu\Programs\Startup\
    – [RootDrive]:\
    – [USB Drive]:\

    1. Go to Start>Run and type "cmd" for command prompt
    2. On each drive, type "attrib" to view attributed files.
    3. To remove the attributes, type "attrib -s -h -r filename"
    4. Delete the file, "del filename"
    5. After deleting all files, scan your computer with antivirus programs.

  11. Mwakhulegwa says:

    Kaspersky does the whole trick. It saved me a lot of stress, in fact mysql had been taken plus my installation files.
    Go for Kaspersky do a full scan and restart your server.

  12. Master says:

    I need help my laptop was infected by mabezat. I downloaded rmmabez.exe and scanned the PC. The virus was removed but my desktop is still not populated nor respond to left or right clicks. My taskbar is also not there.

    I tried the system restore route but it did not help. I can only access programs and files via alt+del+ctrl new task route.

    Can anyone help restore my computer.

  13. HJ says:

    Hi
    I really need urgent help!!
    I am a DJ with over 18 000 songs!!!
    this ”mazebat” worm infected my pc because my norton was not updated!!
    the pc was taken to IT experts..they removed it

    BUT ALL MY MUSIC!! AND MUSIC APPS HAVE BEEN REMOVED BY THE VIRUS!!!
    please I really need help on how to restore all the files

    thanks in advance!
    HJ

  14. Per Andersson says:

    Sorry HJ for your loss of musicfiles but its not the virus
    that has removed the songs, its the IT-“experts”.

  15. biniam says:

    hi i got a virus in my pc and i removed the virus using avg but i lost my file so any one can help me how to restore all the files

    thanks in advance!
    biniam

  16. SIBI says:

    hi Biniam retrive ur deleted files r recover files from formated disk u use format recovery software it recover all d files :-@

  17. Mike47 says:

    I got infected too.
    But before you do all these, you have to stop it first.
    Open the notepad, and save the following as .bat:

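    rem Stop the worm process first
    TASKKILL /F /IM "tazebama.dl_"
    rem Delete the dropped files (/a also matches hidden and system files)
    del /f /a "%SystemDrive%\Documents and Settings\tazebama.dl_"
    del /f /a "%SystemDrive%\Documents and Settings\hook.dl_"
    del /f /a "%UserProfile%\Start Menu\Programs\Startup\zPharoh.exe"
    del /f /a "%SystemDrive%\Documents and Settings\tazebama.dll"

    rem List hidden files in the drive root, then clear attributes and delete
    dir /ah C:\
    attrib -s -h -r C:\autorun.inf
    attrib -s -h -r C:\zPharaoh.exe
    del c:\autorun.inf
    del c:\zPharaoh.exe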

    Depending on your drives letters, re-type the last 5 lines and consider changing the drive letter.

  18. Mike47 says:

    Note also that there are files created on 5 levels of folders; each file has the name of its upper-level folder, but with the extension .exe, in addition to other files taken from your system.

    You can find them, if you do make a deep search with the following criteria:
    – *.exe
    – all computer drives
    – size at most 152 KB

    Sort the found files depending on the size.
    Delete all these files that have this size.

  19. HR jagath says:

    Remove the Win32/mabezat.B(tazebama.dl_)virus

  20. HR jagath says:

    Remove the win32/mabezat.B(tazebama.dl_)virus

  21. lucky says:

    sir,i’m problem wit my phone .i connected my nokia n73 t0 my friends computer,since then my phone can’t read its memory card. i formatted d phone memory and d memory card still yet no progress.pls i need your help.

  22. Adaku says:

    What a relief to find this site! I was using my nokia E71 phone to browse the net when all of a sudden my memory card files were nowhere to be found! I checked my memory card status and discovered that it was the way it was b4 it became corrupted. I formatted and tried to retrieve the data to no avail. When I take pictures it stores them but when I go to gallery I don’t c them…pls help me, I have a lot of my kids’ priceless pics that I don’t want to lose. Tnx in advance.

  23. Inder says:

    Virus had affected my startup files; when I log in through my user or administrator it logs me out. I am unable to start up Windows. I had installed Windows XP, can anybody help me.

  24. Salman says:

    When the virus Win32/Mabezat executed, this worm drops the following files:

    * C:\Documents and Settings\tazebama.dl_
    * C:\Documents and Settings\hook.dl_
    * C:\Start Menu\Programs\Startup\zPharoh.exe
    * C:\Documents and Settings\[User Name]\Application Data\tazebama\zPharaoh.dat
    * C:\Documents and Settings My Documents\ readme.doc .exe
    * [Drive Letter c:]: zPharaoh.exe
    * [Drive Letter d: ]: zPharaoh.inf

    Method of Infection

    This worm spreads by copying itself to network shares and to removable devices, along with an “Autorun.inf”.

    Infection starts either with manual execution of the infected file or by simply navigating to the folders containing the infected files, whereby the “Autorun.inf” file could cause automatic execution of the worm.

    * Presence of the files and registry entries mentioned earlier
    * Presence of the following autorun.inf file on the root of removable, fixed and network drives:

    Check your auto run file

    [ AutoRun]
    shell Execute=zPharaoh.exe
    shell\open\command=zPharaoh.exe
    shell\open\command=zPharaoh.exe
    open=zPharaoh.exe

    If u find this in the autorun file dude you are also infected by a deadly virus called Win32/Mabezat

    you can check hidden files in your system by clicking this link below and download this software called ProcessSHR.exe

    4shared.com/account/file/PBc_IeYe/ProcessSHR.html

    Remove and clean infected files

    Go to this link below and download a tool called ” Rmmabez – virus remover tool for Win32/Mabezat”

    4shared.com/account/file/-vaLNguL/Rmmabez_virus_remover_tool.html

    or go to

    download.avg.com/filedir/util/avg_rem_sup.dir/rmmabez/rmmabez.exe

    For any help you guys can contact me on my mail id….

  25. BilalRj says:

    Really thanks ,, It helped :)
    Tip: Use Avast it’s the best !!

  26. senthil nathan says:

    my system has a lot of virus problem

  27. Joy Madalane says:

    Hello

    I have the Mezabet virus on my system I think…

    It creates duplicate folders of almost every folder eg. “My Music” when I open it there’s another “My Music” contained and other files are created all over

    This is only in my slave drive, which I use to store music and pictures!

    How can I remove it

  28. Abraxas357 says:

    Thanks, really useful stuff. Mazebat/a/b all seem to react differently and require different approaches; stopping all autorun and blocking shares contained it well enough to allow for the great cleansing, thx.

  29. JOSEPH EL-NAHAS says:

    HI, CAN YOU HELP ME TO REMOVE WIN32.MABEZAT WORM VIRUS. THANK YOU

  30. lina shadin says:

    hi, my pc (windows 7) is infected with mabezat.a virus that my eset antivirus couldn’t delete so i followed some of the instructions here. i temporarily disabled the System Restore and i started deleting all the values added to the registry as u instructed above but suddenly my pc shut down and now it is unable to start up … i don’t know what’s wrong .. plz let me know what to do. thanks

  31. starf1sh says:

    tried this one, also used the norton power eraser, not all of the mabezat virus was removed. my pc is still infected and mabezat is still spreading.

  32. Netra Tamang says:

    Woh!!! My pc is infected with worm.win32.mabezat.b it could not be disinfected/neutralised through Kaspersky antivirus any body would help me. Is there any solution for removal ?Thanks

  33. hassan says:

    thank you

  34. Alan says:

    Salman, you gave the best answer
    download.avg.com/filedir/util/avg_rem_sup.dir/rmmabez/rmmabez.exe
