What is the Mabezat / Tazebama infection?
Introduction:

Mabezat is a virus for the Windows platform that spreads by copying itself to network shares and removable media.
Mabezat copies itself to removable and fixed media under one or more of the following names:

- Adjust Time.exe
- AmericanOnLine.exe
- Antenna2Net.exe
- BrowseAllUsers.exe
- CD Burner.exe
- Crack_GoogleEarthPro.exe
- Disk Defragmenter.exe
- FaxSend.exe
- FloppyDiskPartition.exe
- GoogleToolbarNotifier.exe
- HP_LaserJetAllInOneConfig.exe
- IDE Connector P2P.exe
- InstallMSN1Ar.exe
- InstallMSN1En.exe
- Audio dump.exe
- Lock Folder.exe
- LockWindowsPartition.exe
- Make Widowows Original.exe
- MakeUrOwnFamilyTree.exe
- Microsoft Windows Network.exe
- msjavx86.exe
- NokiaN73Tools.exe
- Office2007 Serial.exe
- PanasonicDVD_DigitalCam.exe
- RadioTV.exe
- Recycle Bin.exe
- RecycleBinProtect.exe
- ShowDesktop.exe
- Sony Erikson Digitalcam.exe
- Win98compatibleXp.exe
- Windows Keys Secrets.exe
- WindowsXP StartMenu Settings.exe
- WinRarSerialInstall.exe


Mabezat also creates .rar files on removable and fixed media with the following filenames:

- backup.rar
- documents_backup.rar
- imp_data.rar
- MyDocuments.rar
- office_crack.rar
- passwords.rar
- serials.rar
- source.rar
- windows.rar
- windows_secrets.rar

These archives contain a dropper file, Readme.doc.exe (detected as W32/Mabezat-B).
When it is run, the following files are created:

%Profile%\hook.dl_
%Profile%\tazebama.dl_ 
%Profile%\tazebama.dll
%SystemDrive%\1.taz
%SystemDrive%\autorun.inf
%SystemDrive%\zPharaoh.exe
%AppData%\Microsoft\CD Burning\1.taz
%AppData%\Microsoft\CD Burning\autorun.inf
%AppData%\Microsoft\CD Burning\zPharaoh.exe
%appdata%\tazebama\zpharaoh.dat
%appdata%\tazebama\zpharaoh.exe
%appdata%\tazebama\zpharaoh.log
%appdata%\tazebama

The infection spreads via:

  • Removable storage drives
  • Network shares
  • Infected files
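The file names and dropped artifacts listed above are enough to write a simple triage check for a suspect USB stick or share. The script below is an added example, not part of the original page: it walks a directory tree and flags files whose names match the page's lure executables, lure archives and dropped files (compared case-insensitively, since the page itself shows both `zPharaoh.exe` and `zpharaoh.exe`), flags a `tazebama` directory, and flags an `autorun.inf` whose launch target is one of the dropped names. The autorun keys it inspects (`open=`, `shellexecute=`, `shell\...\command=`) and the mock drive layout it builds in a temporary directory are assumptions made for the demonstration.

```python
"""Triage helper (added example): report Mabezat/Tazebama indicators under a path."""
import os
import re
import tempfile

# Lure executable names from the page, lowercased for case-insensitive matching.
_LURE_EXES = {n.lower() for n in (
    "Adjust Time.exe", "AmericanOnLine.exe", "Antenna2Net.exe", "BrowseAllUsers.exe",
    "CD Burner.exe", "Crack_GoogleEarthPro.exe", "Disk Defragmenter.exe", "FaxSend.exe",
    "FloppyDiskPartition.exe", "GoogleToolbarNotifier.exe", "HP_LaserJetAllInOneConfig.exe",
    "IDE Connector P2P.exe", "InstallMSN1Ar.exe", "InstallMSN1En.exe", "Audio dump.exe",
    "Lock Folder.exe", "LockWindowsPartition.exe", "Make Widowows Original.exe",
    "MakeUrOwnFamilyTree.exe", "Microsoft Windows Network.exe", "msjavx86.exe",
    "NokiaN73Tools.exe", "Office2007 Serial.exe", "PanasonicDVD_DigitalCam.exe",
    "RadioTV.exe", "Recycle Bin.exe", "RecycleBinProtect.exe", "ShowDesktop.exe",
    "Sony Erikson Digitalcam.exe", "Win98compatibleXp.exe", "Windows Keys Secrets.exe",
    "WindowsXP StartMenu Settings.exe", "WinRarSerialInstall.exe")}
# Lure archive names from the page.
_LURE_RARS = {n.lower() for n in (
    "backup.rar", "documents_backup.rar", "imp_data.rar", "MyDocuments.rar",
    "office_crack.rar", "passwords.rar", "serials.rar", "source.rar",
    "windows.rar", "windows_secrets.rar")}
# Files the dropper creates, plus the dropper itself.
_DROPPED = {"hook.dl_", "tazebama.dl_", "tazebama.dll", "1.taz", "zpharaoh.exe",
            "zpharaoh.dat", "zpharaoh.log", "readme.doc.exe"}

# Assumption: these are the autorun.inf keys that name something to launch.
_AUTORUN_KEY = re.compile(r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$", re.I)


def classify(name):
    """Map a file name to an indicator class from the page, or None if unknown."""
    low = name.lower()
    if low in _DROPPED:
        return "dropped"
    if low in _LURE_EXES:
        return "lure-exe"
    if low in _LURE_RARS:
        return "lure-rar"
    return None


def autorun_target(path):
    """Return the file an autorun.inf would launch, or None if it names nothing."""
    try:
        with open(path, "r", errors="replace") as fh:
            for line in fh:
                m = _AUTORUN_KEY.match(line)
                if m:
                    return m.group(2).strip('"')
    except OSError:
        pass
    return None


def scan_tree(root):
    """Walk root and return a list of (path, kind) hits."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() == "tazebama":
                hits.append((os.path.join(dirpath, d), "dropped-dir"))
        for f in filenames:
            path = os.path.join(dirpath, f)
            if f.lower() == "autorun.inf":
                target = autorun_target(path)
                # Only flag an autorun.inf that launches a known dropped file.
                if target and classify(os.path.basename(target.replace("\\", "/"))):
                    hits.append((path, "autorun-launcher"))
                continue
            kind = classify(f)
            if kind:
                hits.append((path, kind))
    return hits


def build_sample_tree(base):
    """Create a CONSTRUCTED mock of an infected USB stick next to a clean one."""
    files = {
        "infected/autorun.inf": "[autorun]\nopen=zPharaoh.exe\n",
        "infected/zPharaoh.exe": "", "infected/1.taz": "",
        "infected/passwords.rar": "", "infected/Recycle Bin.exe": "",
        "infected/Application Data/tazebama/zpharaoh.dat": "",
        "infected/holiday.jpg": "",
        "clean/autorun.inf": "[autorun]\nicon=setup.exe\nopen=setup.exe\n",
        "clean/setup.exe": "", "clean/notes.txt": "",
    }
    for rel, content in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def demo():
    """Scan the constructed tree and return a {kind: count} summary."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        counts = {}
        for _, kind in scan_tree(base):
            counts[kind] = counts.get(kind, 0) + 1
        return counts


if __name__ == "__main__":
    for kind, n in sorted(demo().items()):
        print(f"{kind}: {n}")
```

Point `scan_tree` at the root of a mounted drive to get the hit list; the clean mock drive in the sample produces no hits even though it carries its own `autorun.inf`, because that file launches nothing on the indicator list. Name matching alone cannot catch the infected executables the page mentions under "Infected files", so a hit list from this script should be followed by a full antivirus scan.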

Example of a HijackThis log entry on a Mabezat-infected computer:


C:\Documents and Settings\tazebama.dl_

Examples of Mabezat infection traces found on infected computers:

C:\DOCUME~1\PROPRI~1\APPLIC~1\tazebama
C:\Documents and Settings\tazebama.dll
C:\Documents and Settings\KSR\Application Data\tazabama\zPharaoh.dat
C:\Documents and Settings\hook.dl_
C:\zPharaoh.exe
C:\zPharaoh.inf
C:\Program Files\Microsoft Works\WkDStore.exe [Result] WORM/Mabezat.B.91 found
C:\Start Menu\Programs\Startup\zPharaoh.exe
C:\Documents and Settings\[User Name]\Application Data\tazabama\zPharaoh.dat
C:\Documents and Settings\My Documents\readme.doc.exe

A message of this type may appear:

"This application or DLL C:\documents and settings\tazebama.dll is not a valid windows image"

If you have Vista or Windows 7:
You must disable UAC during disinfection.

Methods of Disinfection:

Several solutions are possible:

Method: UsbFix

Since the infection spreads by removable drives, UsbFix is able to remove a large part of it; however, it is advisable to run Malwarebytes' Anti-Malware and SUPERAntiSpyware afterwards.

UsbFix: Option 1

  • Option 1 of UsbFix finds the infection on the computer and on all removable drives that you previously connected, without opening them.
  • Download UsbFix to the desktop.
  • Connect the external data sources to the PC (USB keys, external hard drives, SD cards, etc.) without opening them.
  • Double-click UsbFix.exe on the desktop; the program installs automatically.
  • Choose Option 1 (Search).
  • When it completes, a UsbFix.txt report is saved at the root of the system drive (C:\UsbFix.txt).

"Process.exe", a component of the tool, is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky Anti-Virus) as a RiskTool. It is not a virus but a utility used to terminate processes.

UsbFix: Option 2

  • Option 2 of UsbFix cleans the infection found.
  • Connect the external data sources to the PC (USB keys, external hard drives, SD cards, etc.) without opening them.
  • Double-click UsbFix on the desktop.
  • Choose Option 2 (Delete).
  • The desktop will disappear and the PC will restart.
  • On restart, UsbFix scans your PC; let the tool work.
  • Again, a report is generated; simply post it on the appropriate forum.

Method: Malwarebytes Anti-Malware

  • Download and install Malwarebytes' Anti-Malware.
  • At the end of the installation, make sure the option "Update Malwarebytes' Anti-Malware" is checked.
  • Run the program and let the update process complete.
  • Then go to the "Search" tab, check "Run a quick scan" and click "Search".
  • At the end of the scan, click "Show Results".
  • Check all items found and click "Remove Selected".
  • The report is saved in the "Reports" tab of Malwarebytes.
  • If you are prompted to restart, accept.

Similarly, other third-party tools can be used to finish the cleanup.
Online Scan

  • BitDefender online scan
  • Trend Micro online scan
  • Computer Associates online scan
  • F-Secure online scan
  • Kaspersky online scan