Mabezat is the angriest, most vicious and smartest virus I have ever seen (yet). It is a virus (not a Trojan and not spyware): it DOES infect EXE files along with .MSI files and executables inside archives. The infected executable is not destroyed, but it will cause a full infection before the original program even starts, on any PC.
Also, Mabezat uses flash disks, floppy disks and unsecured network connections to reproduce; it creates an autorun that will start the virus even when you right-click and open the infected drive (see here to open a disk infected with Mabezat without being infected).
Mabezat is smart: it creates fake files with interesting names, generally related in meaning to the folder they are created in, such as:
Adjust Time.exe
IDE Conector P2P.exe
Make Windows Original.exe
Microsoft Windows Network.exe
Sony Erikson DigitalCam.exe
Windows Keys Secrets.exe
WindowsXp StartMenu Settings.exe
Now, how can you tell when you are infected?
Press Ctrl+Alt+Del, then click Processes. Do you see zPharaoh.exe? If yes... sorry, you ARE infected.
What to do if you are infected?
If you don't have important files on your system I would recommend a format of all partitions (if you skip formatting non-system partitions you will end up with an infected new system in no time).
If you want to fight your way through, you can, but it is going to be a long, painful process.
Mabezat removal instructions
First you have to believe that you are infected: treat every single .exe and .msi file in your system as infected, and there is nothing you can do without an antivirus (I could clean up many other infections without an antivirus, but not this one). I would recommend Kaspersky 7 or Kaspersky 2009.
You should download it on a non-infected computer, then transfer it on some read-only media (a CD, a read-only flash drive, a secured network share); otherwise the installer will get infected and be useless. Install Kaspersky (use the 30-day trial) and update it. Now make sure you select Disinfect every time, and not Delete or Quarantine, because we are talking about YOUR system's files and deleting them will make your system unusable (explorer.exe, for example, is in fact the start menu and all the other windows). You can only delete the files listed above in the fake files list and the following files.
If the disinfect option does not work, make sure you update your antivirus (you know, Mabezat disinfection remained impossible for months, when no antivirus could do it even if it detected it).
First do a memory scan (quick scan) to try to unload the virus from memory, because disinfection while the virus is active is a lost battle :).
Now run a full system scan, disinfect all infected files in all partitions and delete all fake files.
Now your system is clean, but the battle is not over yet: you have to reverse all the changes the virus made and delete some files that the antivirus did not detect.
Navigate to the %drive%\Documents and Settings\ folder and delete the following files:
Now we should fix the registry.
Go to Control Panel | Folder Options | File Types
Locate the REG extension
Click Advanced, then click on "open", click Edit and enter
into the “Application used to perform the action” field.
Now download and run the following angrybytecom-hiddenfiles-regfix; it will allow you to see hidden files.
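As an added example, not part of the original post, here is a PowerShell triage script that reports the indicators described above (the zPharaoh.exe process, autorun.inf and the decoy executables on removable drives, and the .reg file handler and hidden-files settings the registry steps repair) without deleting anything. The registry paths it reads are the standard Windows locations behind those Folder Options dialogs, assumed here rather than taken from the post.

```powershell
# Added triage script (not from the original post): reports Mabezat indicators
# named in the article and changes nothing. Run from an elevated Windows PowerShell.

# Decoy file names listed in the article; the virus drops them in folders
# and on removable media.
$FakeNames = @(
    'Adjust Time.exe', 'IDE Conector P2P.exe', 'Make Windows Original.exe',
    'Microsoft Windows Network.exe', 'Sony Erikson DigitalCam.exe',
    'Windows Keys Secrets.exe', 'WindowsXp StartMenu Settings.exe'
)

# 1. Is the virus process from the article (zPharaoh.exe) running?
$proc = Get-Process -Name 'zPharaoh' -ErrorAction SilentlyContinue
if ($proc) {
    Write-Warning "zPharaoh.exe is running (PID $($proc.Id -join ', ')): system is infected"
} else {
    Write-Output 'zPharaoh.exe not found in the process list'
}

# 2. Removable drives: autorun.inf and the decoy executables.
# DriveType 2 is the WMI value for removable disks.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    if (Test-Path (Join-Path $root 'autorun.inf')) {
        Write-Warning "$root contains autorun.inf - do not open this drive from Explorer"
    }
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $FakeNames -contains $_.Name } |
        ForEach-Object { Write-Warning "Decoy executable: $($_.FullName)" }
}

# 3. Registry: the .reg 'open' handler the article has you repair through
# Folder Options, plus Explorer's hidden-files settings. Standard Windows
# locations (assumed); the stock handler is regedit.exe "%1".
$cmdKey = 'Registry::HKEY_CLASSES_ROOT\regfile\shell\open\command'
$regCmd = (Get-ItemProperty -Path $cmdKey).'(default)'
Write-Output "Current .reg 'open' command: $regCmd"
if ($regCmd -notmatch 'regedit\.exe') {
    Write-Warning '.reg file association does not point at regedit.exe'
}
$adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Write-Output "Explorer Hidden=$($adv.Hidden) ShowSuperHidden=$($adv.ShowSuperHidden)"
```

Run it before and after the cleanup: a clean machine shows no zPharaoh.exe, no warnings for removable drives, and a .reg handler pointing at regedit.exe.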
This is most of it. And remember to use the notes in here to open and clean up any removable media you have.