Introduction:
Mabezat is a Virus for the Windows Platform that spreads by copying itself to network shares and removable media.
Mabezat copies itself to removable/fixed media with one or more of the following names:
- Adjust Time.exe
- AmericanOnLine.exe
- Antenna2Net.exe
- BrowseAllUsers.exe
- CD Burner.exe
- Crack_GoogleEarthPro.exe
- Disk Defragmenter.exe
- FaxSend.exe
- FloppyDiskPartition.exe
- GoogleToolbarNotifier.exe
- HP_LaserJetAllInOneConfig.exe
- IDE Connector P2P.exe
- InstallMSN1Ar.exe
- InstallMSN1En.exe
- Audio dump.exe
- Lock Folder.exe
- LockWindowsPartition.exe
- Make Widowows Original.exe
- MakeUrOwnFamilyTree.exe
- Microsoft Windows Network.exe
- msjavx86.exe
- NokiaN73Tools.exe
- Office2007 Serial.exe
- PanasonicDVD_DigitalCam.exe
- RadioTV.exe
- Recycle Bin.exe
- RecycleBinProtect.exe
- ShowDesktop.exe
- Sony Erikson Digitalcam.exe
- Win98compatibleXp.exe
- Windows Keys Secrets.exe
- WindowsXP StartMenu Settings.exe
- WinRarSerialInstall.exe
Mabezat created on removable/fixed media .rar files with the following filenames:
- backup.rar
- documents_backup.rar
- imp_data.rar
- MyDocuments.rar
- office_crack.rar
- passwords.rar
- serials.rar
- source.rar
- windows.rar
- windows_secrets.rar
These archieve contain a file dropper: Readme.doc.
Exe W32/Mabezat-B When installed, the files are created:
%Profile%\hook.dl_
%Profile%\tazebama.dl_
%Profile%\tazebama.dll
%SystemDrive%\1.taz
%SystemDrive%\autorun.inf
%SystemDrive%\zPharaoh.exe
%AppData%\Microsoft\CD Burning\1.taz
%AppData%\Microsoft\CD Burning\autorun.inf
%AppData%\Microsoft\CD Burning\zPharaoh.exe
%appdata%\tazebama\zpharaoh.dat
%appdata%\tazebama\zpharaoh.exe
%appdata%\tazebama\zpharaoh.log
%appdata%\tazebama
The infection is spread by:
- Removable Storage Drives
- Network Shares
- Files Infected
Example in a report Hijack This infected Mabezat:
C:\Documents and Settings\tazebama.dl_
Example Mabezat infection found:
C:\DOCUME~1\PROPRI~1\APPLIC~1\tazebama
C:\Documents and Settings\tazebama.dll
C:\Documents and Settings\KSR\Appplication Data\tazabama\zPharaoh.dat
C:\Documents and Settings\hook.dl_
C:\zPharaoh.exe
C:\zPharaoh.inf
C:\Program Files\Microsoft Works\WkDStore.exe[Result] WORM/Mabezat.B.91 found
C:\Start Menu\Programs\Startup\zPharaoh.exe
C:\Documents and Settings\[User Name]\Appplication Data\tazabama\zPharaoh.dat
C:\Documents and Settings\My Documents\readme.doc.exe
Message of this type may appear:
"This application or DLL C:\documents and settings\tazebama.dll is not a valid windows image"
If you have Vista or 7:
You must disable UAC during disinfection.
Methods of Disinfection:
Several solutions are possible:
Method: Usbfix
The infection spread by removale drives, usbfix to able to remove a large part, however it is advisable to run Malwarebyte's Antimalware and Superantispyware afterwards.
UsbFix: Option 1
- Option 1 of Usbfix can find infection on the Computer and on all removale drives that you previously connected without opening them.
- Download "UsbFix" on the desktop.
- Connecting data souces external to the PC(USB,external hard drive, SD card, etc..) without opening them.
- Double-click the program UsbFix.exe on the desktop, the software will install automatically.
- Choose Option 1 (Search).
- After Completion on a Usbfix.txt report is saved in the root drive (C:\UsbFix.txt).
"Process.exe" , a component of the tool is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky Anti-Virus) as a RiskTool. It is not a Virus but a utility to terminate processes.
UsbFix: Option 2
- Option 2 UsbFix cleans infection found.
- Connecting data sources external to the PC (USB, External Hard Drive, SD card, etc...) without opening them.
- Double-Click the program UsbFix on the desktop.
- Choose Option 2 (Delete)
- The Desktop will disappear and restart the PC.
- Upon restart, UsbFix scan your PC, let the tool work.
- Again a report will be generated, simply post it on the appropriate forum.
MalwareBytes Anti-Malware
- Download and install Malwarebyte's Anti-Malware .
- At the end of the installation, make sure the option "update Malwarebyte's Anti-Malware" is checked.
- Run program and let the update process be comleted.
- Then go to the "Search" tab, check "Run a quick" then "Search".
- At the end of the scan, click on "Show Results".
- Check all items found and click "Remove Selected".
- The report is saved in the Report tab-Log Malwarebytes.
- If you are prompted to restart, accept.
Similarly, other third party softwares from them to be fixed.....
- Alternative Kit from Softpedia Download from here.
Online Scan
- Online Scan BitDifender
- Online Scan TrendMicro
- Online Scan Computer Associates
- Online Scan F-Secure
- Online Scan Kaspersky
More about this question
- http://home.mcafee.com/virusInfo/VirusProfile.aspx?key=143555#none
- http://www.symantec.com/security_response/writeup.jsp?docid=2007-120113-2635-99&tabid=3
- http://www.viruslist.com/sp/viruses/encyclopedia?vi..
- http://www.mcafee.com/threat-intelligence/malware/latest.aspx#nodata..
- http://www.cloudantivirus.com/fr/threat-informati..
- http://about-threats.trendmicro.com/ArchiveMalware.aspx..
