How To Remove Win32/Mabezat, Win32/Mabezat.A, Win32/Mabezat.B, Worm.Win32.Mabezat.b

July 5, 2009 by admin  
Filed under Removal Tips,Tools and Videos



Overview

This description is for a worm that is capable of spreading through removable devices and network shares.

The characteristics of this worm in regards to file names, folders created etc. will differ from one version to another. Hence, this is a general description.


Aliases

  • W32/Mabezat.b [Sophos]
  • Win32/Mabezat [AVG Grisoft]
  • Win32/Mabezat.A [Nod32]
  • Win32/Mabezat.B [Microsoft]
  • Worm.Win32.Mabezat.b [Kaspersky]

Characteristics

When executed, this worm drops the following files:

  • C:\Documents and Settings\tazebama.dl_
  • C:\Documents and Settings\hook.dl_
  • C:\Start Menu\Programs\Startup\zPharoh.exe
  • C:\Documents and Settings\[User Name]\ApplicationData\tazebama\zPharaoh.dat
  • C:\Documents and Settings\My Documents\readme.doc .exe
  • [Drive Letter]:\zPharaoh.exe
  • [Drive Letter]:\zPharaoh.inf

Note:

  • The above files may have their attributes changed to hidden and system, in order to make them harder to find.

The worm then modifies the following registry entry to reset the drive autorun settings:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer “NoDriveTypeAutoRun”

The worm then copies itself to all removable devices and open network shares along with an autorun.inf file.

It also searches for executable files on the machine and infects them. While doing this, it ensures that the icons of the original executables are maintained.

Symptoms

  • Presence of the files and registry entries mentioned earlier
  • Presence of the following autorun.inf file on the root of removable, fixed and network drives:

Method of Infection

This worm spreads by copying itself to network shares and to removable devices, along with an “Autorun.inf”.

Infection starts either with manual execution of the infected file or by simply navigating to the folders containing the infected files, whereby the “Autorun.inf” file could cause automatic execution of the worm.
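
A read-only triage script for the indicators listed above, added here as an example (it is not part of the original article or of any vendor tool). It assumes the XP-era locations from the file listing with their path separators restored and PowerShell 3.0 or later; the function name Get-MabezatIndicators is hypothetical.

```powershell
# Added example: read-only check for the file, drive-root and registry indicators
# named on this page. File names and the registry value come from the page;
# the search roots and the function name are assumptions.
function Get-MabezatIndicators {
    $namePattern = '^(tazebama\.dl_|hook\.dl_|zPharoh\.exe|zPharaoh\.(exe|dat|inf)|readme\.doc\s*\.exe)$'

    # 1. Dropped files. -Force is required because the worm may mark them hidden + system.
    $roots = (Join-Path $env:SystemDrive 'Documents and Settings'),
             (Join-Path $env:SystemDrive 'Start Menu')
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Name -match $namePattern } |
            ForEach-Object {
                [pscustomobject]@{ Type = 'File'; Item = $_.FullName; Detail = "$($_.Attributes)" }
            }
    }

    # 2. Worm copies and autorun.inf in the root of every mounted drive.
    foreach ($drive in (Get-PSDrive -PSProvider FileSystem)) {
        foreach ($name in 'zPharaoh.exe', 'zPharaoh.inf', 'autorun.inf') {
            $path = Join-Path $drive.Root $name
            if (-not [System.IO.File]::Exists($path)) { continue }
            $detail = "$([System.IO.File]::GetAttributes($path))"
            if ($name -eq 'autorun.inf') {
                # Show which program the autorun file would launch.
                $detail = ([System.IO.File]::ReadAllLines($path) |
                    Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.+\\command)\s*=' }) -join '; '
            }
            [pscustomobject]@{ Type = 'DriveRoot'; Item = $path; Detail = $detail }
        }
    }

    # 3. AutoRun policy value the worm modifies. 0xFF disables AutoRun for all
    #    drive types; compare whatever is reported here with your baseline.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $detail = if ($null -eq $value) { 'not set' } else { '0x{0:X2}' -f $value }
    [pscustomobject]@{ Type = 'Registry'; Item = "$key\NoDriveTypeAutoRun"; Detail = $detail }
}

Get-MabezatIndicators | Format-Table -AutoSize -Wrap
```

The registry check reads the hive of the account running the script, so repeat it for each user profile on the machine.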

Remove and clean infected files

Just follow these steps:

1- If your antivirus has detected the infected files, do not delete any of them, because doing so will break the system.

2- Go to any clean PC and download Kaspersky Removal tools from ( Here )

3- When the download finishes, put the Kaspersky Removal tools exe file in a compressed file, a zip file is recommended (we put it in a compressed file to protect the exe file from getting infected).

4- Now go back to the infected PC and reboot into safe mode. Some viruses disable safe mode; you can download a registry file from ( Here ) to fix the safe mode problem.

5- Once you are in safe mode, run the Kaspersky Removal tools that you compressed. It will start and you will see an interface like this picture:

[Screenshot: Kaspersky removal tools]

6- Now click on Settings and apply the same settings as shown in this picture:

[Screenshot: Kaspersky removal tools settings]

7- When you finish the settings, click OK, then click the Scan button. It will start scanning, disinfect the infected files and remove the virus files.


** Sometimes the virus disables regedit, Task Manager and Folder Options. You can download these files to repair the problems:


[ Enable Registry ] [ Enable Task Manager ] [ Enable Folder Options ] [ Restore Hidden Files ]


For any suggestions, just leave a comment or contact us.




Comments

4 Responses to “How To Remove Win32/Mabezat, Win32/Mabezat.A, Win32/Mabezat.B, Worm.Win32.Mabezat.b”
  1. infected says:

    or just use this tool : rmmabez.exe

    download it from this official site :

    http://www.grisoft.cz/filedir/util/avg_rem_sup.dir/rmmabez/rmmabez.exe

    1- Download.
    2- Copy or Save to C:
    3- Run.
    4- Enjoy :)

    Works for me 100 %

  2. admin says:

    Thank you infected for your comment.

  3. user says:

    is this site really safe..?
    http://www.grisoft.cz/filedir/util/avg_rem_sup.dir/rmmabez/rmmabez.exe

    I fear I would rather download another virus…
    it doesn't seem to be an official site

  4. admin says:

    User,

    I checked the link that you asked about and it seems it's only a redirected link to : http://download.avg.com/filedir/util/avg_rem_sup.dir/rmmabez/rmmabez.exe and it's ok cuz it's from AVG official site.
