How to delete Win32.Mabezat - Removal tool, fix instructions

Name: Win32.Mabezat

Aliases: Worm.Win32.Mabezat.b (Kaspersky), W32/Mabezat (McAfee), Win32/Mabezat.A (Grisoft)

Type: Virus

Size: approximately 155 KB

First appeared on: December 01, 2007

Damage: Medium

Brief Description: Win32.Mabezat is a worm that spreads through email, removable drives and network shares protected by weak passwords. It also infects executable files and encrypts data files.

Visible Symptoms: Once executed, the worm drops the following files in the folder %DriveLetter%\Documents and Settings:
tazebama.dll (32,768 bytes)
tazebama.dl_ (154,751 bytes)
hook.dl_ (154,751 bytes)

It may also copy itself to the %UserProfile%\Local Settings\Application Data\Microsoft\CD Burning folder using the following filename: zPharaoh.exe

Technical description: When executed, the virus copies itself into the folder:

%drive%\Documents and Settings\

using the following file names:
tazebama.dl_
hook.dl_

The following file is dropped in the same folder:

tazebama.dll (32768 B)

The virus creates the following folders:

%appdata%\tazebama\

The following Registry entries are removed:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NoDriveTypeAutoRun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NoDriveTypeAutoRun"

The following Registry entries are set:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "Hidden" = 2

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "HideFileExt" = 1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "ShowSuperHidden" = 0

The virus infects executable files: it searches for files with the following extension: .exe

Executables are infected by appending the code of the virus to the end of the original file. The host file is modified in a way that causes the virus to be executed prior to running the original code.

The virus copies itself into the root folders of all drives using the following name:

zPharaoh.exe

The following file is dropped in the same folder: autorun.inf

The virus copies itself into existing folders of removable drives. The following filenames are used:

Adjust Time.exe
AmericanOnLine.exe
Antenna2Net.exe
BrowseAllUsers.exe
CD Burner.exe
Crack_GoogleEarthPro.exe
Disk Defragmenter.exe
FaxSend.exe
FloppyDiskPartion.exe
GoogleToolbarNotifier.exe
HP_LaserJetAllInOneConfig.exe
IDE Conector P2P.exe
InstallMSN11Ar.exe
InstallMSN11En.exe
JetAudio dump.exe
KasperSky6.0 Key.doc.exe
Lock Folder.exe
LockWindowsPartition.exe
Make Windows Original.exe
MakeUrOwnFamilyTree.exe
Microsoft MSN.exe
Microsoft Windows Network.exe
msjavx86.exe
NokiaN73Tools.exe
Office2003 CD-Key.doc.exe
Office2007 Serial.txt.exe
PanasonicDVD_DigitalCam.exe
RadioTV.exe
Recycle Bin.exe
RecycleBinProtect.exe
ShowDesktop.exe
Sony Erikson DigitalCam.exe
Win98compatibleXP.exe
Windows Keys Secrets.exe
WindowsXp StartMenu Settings.exe
WinrRarSerialInstall.exe

The name of the file may be based on the name of an existing file or folder. The extension of the file is ".exe".

If the current system date matches the worm's trigger condition, files with the following extensions are encrypted:

.ASP .ASPX .CS .BAS .C .CPP .DOC .H .HLP .HTM .HTML .MDB
.MDF .PAS .PDF .PHP .PPT .PSD .RAR .RTF .TXT .XLS .ZIP

The worm also attempts to copy itself to network shares protected by weak passwords, using the following user names:

anonymous
administrator

Then the worm copies itself to the network shares using the following file names:

My documents .exe
Readme.doc .exe
My Documents [SPACES].exe

The worm may then send emails with the following characteristics:

Subject: ABOUT PEOPLE WITH WHOM MATRIMONY IS PROHIBITED
Attachment: PROHIBITED_MATRIMONY.rar

Subject: Windows secrets
Attachment: FolderPW_CH(1).rar

Subject: Canada immigration
Attachment: IMM_Forms_E01.rar

Subject: Viruses history
Attachment: virushistory.rar

Subject: Web designer vacancy
Attachment: JobDetails.rar

Subject: MBA new vision
Attachment: Marketing.rar

Subject: problem
Attachment: outlooklog.rar

Subject: hi
Attachment: notes.rar

The virus may create copies of itself in the folder:

%userprofile%\Local Settings\Application Data\Microsoft\CD Burning\

If successful, the following filename is used:

zPharaoh.exe

The following file may be dropped in the same folder: autorun.inf

The virus may delete files stored in the following folders: %userprofile%\Local Settings\Application Data\Microsoft\CD Burning\

The virus may create the text file: %appdata%\tazebama\zPharaoh.dat

The virus may create the following files in the %drive%\Documents and Settings\ folder:

MyDocuments.rar
backup.rar
documents_backup.rar
imp_data.rar
source.rar
windows_secrets.rar
passwords.rar
serials.rar
office_crack.rar
windows.rar

Each of these archives contains an executable file that is part of the infection.
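The following scanner is an added example and is not AVG's removal tool or any code from the original page. It walks a folder tree and flags the file names described above (the dropped tazebama/hook files, zPharaoh.exe, the decoy .rar names, double extensions such as .doc.exe, and the removable-drive copies named after an existing file or folder in the same directory); the sample tree, its placeholder file contents and the autorun.inf text are constructed for the demonstration.

```python
import os
import tempfile

DROPPED = {"tazebama.dll", "tazebama.dl_", "hook.dl_", "zpharaoh.exe", "zpharaoh.dat"}  # from the page
RAR_DECOYS = {"mydocuments.rar", "backup.rar", "documents_backup.rar", "imp_data.rar", "source.rar",
              "windows_secrets.rar", "passwords.rar", "serials.rar", "office_crack.rar", "windows.rar"}
DOUBLE_EXT = (".doc.exe", ".txt.exe")  # e.g. "Office2007 Serial.txt.exe"

def autorun_launches_worm(path):
    with open(path, errors="ignore") as fh:  # an autorun.inf that names the root-folder copy
        return "zpharaoh" in fh.read().lower()

def scan_tree(root):
    """Return (path, reason) pairs for Mabezat-style file indicators under root."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        siblings = {n.lower() for n in dirnames} | {n.lower() for n in filenames}  # copies are named after these
        for name in filenames:
            stem, ext = os.path.splitext(low := name.lower())
            path = os.path.join(dirpath, name)
            if low in DROPPED:
                hits.append((path, "known Mabezat file name"))
            elif low in RAR_DECOYS:
                hits.append((path, "decoy archive name"))
            elif low.endswith(DOUBLE_EXT):
                hits.append((path, "double extension"))
            elif ext == ".exe" and stem.rstrip() in siblings:
                hits.append((path, "exe named after a sibling file or folder"))
            elif low == "autorun.inf" and autorun_launches_worm(path):
                hits.append((path, "autorun.inf launching zPharaoh.exe"))
    return hits

def build_sample_tree():
    root = tempfile.mkdtemp(prefix="mabezat_demo_")
    samples = {  # constructed, infected-looking layout; contents are placeholders, not worm code
        "zPharaoh.exe": b"MZ placeholder",
        "autorun.inf": b"[autorun]\r\nopen=zPharaoh.exe\r\n",
        "My Documents .exe": b"MZ placeholder",
        "Office2003 CD-Key.doc.exe": b"MZ placeholder",
        "Documents and Settings/hook.dl_": b"MZ placeholder",
        "Documents and Settings/passwords.rar": b"Rar! placeholder",
        "My Documents/report.docx": b"benign document",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root
```

Running `scan_tree(build_sample_tree())` flags the six planted indicators and leaves the benign document alone; point `scan_tree` at a drive root to triage a real system.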

Propagation: Win32.Mabezat is a network-aware worm that attempts to replicate across the existing network.

Removal instructions:

1. Delete the registry values created by Win32.Mabezat.
2. Download the removal tool rmmabez.exe from AVG.
3. Restart the computer, then run the removal tool with the parameter C:\ to heal the infected files. You can specify more drives (example: rmmabez C:\ D:\).
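To support step 1 and the registry changes listed in the technical description, here is an added audit script (not part of the original page or of AVG's tool). It reports the Explorer values the worm sets to keep its files hidden and the missing NoDriveTypeAutoRun value that lets autorun.inf run from removable media; the target values it recommends (Hidden=1, HideFileExt=0, ShowSuperHidden=1, NoDriveTypeAutoRun=0xFF) are my hardening choices, not values from the page, and it reads HKEY_CURRENT_USER only, so the HKEY_LOCAL_MACHINE copy of NoDriveTypeAutoRun should be checked the same way.

```python
import sys

ADVANCED = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
# Values the worm forces so its files stay hidden, and the state to restore.
WORM_SETS = {"Hidden": 2, "HideFileExt": 1, "ShowSuperHidden": 0}
WANTED = {"Hidden": 1, "HideFileExt": 0, "ShowSuperHidden": 1}
ALL_DRIVES = 0xFF  # NoDriveTypeAutoRun mask that disables AutoRun for every drive type

def audit_explorer_settings(current):
    """Findings for a dict of value name -> data (None when the value is absent)."""
    findings = []
    for name, bad in WORM_SETS.items():
        if current.get(name) == bad:
            findings.append(f"{name}={bad} as set by Mabezat; want {WANTED[name]}")
    autorun = current.get("NoDriveTypeAutoRun")
    if autorun is None:
        findings.append(f"NoDriveTypeAutoRun removed: autorun.inf on media will run; want 0x{ALL_DRIVES:02X}")
    elif not autorun & 0x04:  # bit 2 corresponds to DRIVE_REMOVABLE
        findings.append(f"NoDriveTypeAutoRun=0x{autorun:02X} still allows AutoRun on removable drives")
    return findings

def read_current():
    """Read the live HKCU values (Windows only, via winreg)."""
    import winreg
    out = {}
    for subkey, names in ((ADVANCED, WORM_SETS), (POLICIES, ["NoDriveTypeAutoRun"])):
        try:
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey)
        except FileNotFoundError:
            out.update(dict.fromkeys(names))  # whole key absent: every value is missing
            continue
        with key:
            for name in names:
                try:
                    out[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    out[name] = None
    return out

if __name__ == "__main__":
    if sys.platform == "win32":
        state = read_current()
    else:  # constructed state resembling an infected profile, for offline runs
        state = {"Hidden": 2, "HideFileExt": 1, "ShowSuperHidden": 0, "NoDriveTypeAutoRun": None}
    for line in audit_explorer_settings(state) or ["no Mabezat registry indicators"]:
        print(line)
```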