Mabezat removal


Mabezat is the angriest, most vicious and smartest piece of malware I have ever seen (yet). It is a virus (not a Trojan and not spyware): it DOES infect EXE files, along with .MSI files and executables inside archives. An infected executable is not destroyed, but it will cause a full infection before it is started on any PC.

Also, Mabezat uses flash disks, floppy disks and unsecured network connections to reproduce: it creates an autorun that will start the virus even when you right-click and choose Open on the infected drive (see here for how to open a disk infected with Mabezat without being infected).

Mabezat is smart: it creates fake files with interesting names whose meaning (generally) relates to the folder they are created in, such as:

Adjust Time.exe
AmericanOnLine.exe
Antenna2Net.exe
BrowseAllUsers.exe
CD Burner.exe
Crack_GoogleEarthPro.exe
Disk Defragmenter.exe
FaxSend.exe
FloppyDiskPartion.exe
GoogleToolbarNotifier.exe
HP_LaserJetAllInOneConfig.exe
IDE Conector P2P.exe
InstallMSN11Ar.exe
InstallMSN11En.exe
JetAudio dump.exe
KasperSky6.0 Key.doc.exe
Lock Folder.exe
LockWindowsPartition.exe
Make Windows Original.exe
MakeUrOwnFamilyTree.exe
Microsoft MSN.exe
Microsoft Windows Network.exe
msjavx86.exe
NokiaN73Tools.exe
Office2003 CD-Key.doc.exe
Office2007 Serial.txt.exe
PanasonicDVD_DigitalCam.exe
RadioTV.exe
Recycle Bin.exe
RecycleBinProtect.exe
ShowDesktop.exe
Sony Erikson DigitalCam.exe
Win98compatibleXP.exe
Windows Keys Secrets.exe
WindowsXp StartMenu Settings.exe
WinrRarSerialInstall.exe

Now, how can you tell when you are infected?

Press Ctrl+Alt+Del, then click Processes. Do you see zPharaoh.exe? If yes... sorry, you ARE infected.

What to do if you are infected?

If you don’t have important files on your system I would recommend a format of all partitions (if you skip formatting non-system partitions you will end up with an infected new system in no time).

If you want to fight your way through, you can, but it is going to be a long, painful process.

Mabezat removal instructions

First you have to accept that you are infected: treat every single .exe and .msi file in your system as infected, and there is nothing you can do without an antivirus (I could clean up many other infections without an antivirus, but not this one). I would recommend Kaspersky 7 or Kaspersky 2009.

You should download it on a non-infected computer and then transfer it on some read-only media (a CD, a read-only flash drive, a secured network share); otherwise the installer will get infected and become useless. Install Kaspersky (use the 30-day trial) and update it. Now make sure you select Disinfect every time, and not Delete or Quarantine, because we are talking about YOUR system’s files and deleting them will make your system unusable (explorer.exe, for instance, is in fact the Start menu and all the other windows). You can only delete the files listed above in the fake files list and the following files:

zPharaoh.exe

tazebama.dll

autorun.ini

If the disinfect option does not work, make sure you update your antivirus (Mabezat disinfection remained impossible for months: no antivirus could do it, even if it detected the virus).

First do a memory scan (quick scan) to try to unload the virus from memory, because disinfection while the virus is active is a lost battle :).

Now run a full system scan and disinfect all infected files in all partitions and delete all fake files.

Now your system is clean, but the battle is not over yet: you have to reverse all the changes the virus made and delete some files that the antivirus did not detect.

Navigate to %drive%\Documents and Settings\ folder and delete the following files:

MyDocuments.rar
backup.rar
documents_backup.rar
imp_data.rar
source.rar
windows_secrets.rar
passwords.rar
serials.rar
office_crack.rar
windows.rar

Now we should fix the registry.

Go to control panel | folder options | file types
Locate the REG extension
Click Advanced, then select “open”, click Edit and enter
regedit.exe “%1”
into the “Application used to perform the action” field.

Now download and run the following angrybytecom-hiddenfiles-regfix; it will allow you to see hidden files.
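As an added example (not a tool from this post), the following PowerShell script checks, without changing anything, for the indicators listed above: the zPharaoh.exe process, the decoy .rar archives under Documents and Settings, the dropped files and a subset of the fake executable names, and the .reg file association. The profile path, the scan root and the expected regedit command are assumptions you may need to adjust for your system.

```powershell
# Added example: read-only check for the Mabezat indicators named in the post.
# Assumed: PowerShell is available and the two paths below match your system.
param(
    [string]$ProfileRoot = 'C:\Documents and Settings',  # the post's %drive%, assumed C:
    [string]$ScanRoot    = 'C:\'                          # tree searched for dropped/fake files
)

$findings = @()

# 1. The running process the post uses as the infection test.
if (Get-Process -Name 'zPharaoh' -ErrorAction SilentlyContinue) {
    $findings += 'Process zPharaoh.exe is running'
}

# 2. Decoy archives the post says to delete from Documents and Settings.
$decoyRars = 'MyDocuments.rar','backup.rar','documents_backup.rar','imp_data.rar',
             'source.rar','windows_secrets.rar','passwords.rar','serials.rar',
             'office_crack.rar','windows.rar'
foreach ($r in $decoyRars) {
    $p = Join-Path $ProfileRoot $r
    if (Test-Path -LiteralPath $p) { $findings += "Decoy archive: $p" }
}

# 3. Dropped components and a subset of the fake executable names, anywhere under $ScanRoot.
#    Name comparison is case-insensitive; hidden files are included via -Force.
$dropped = 'zPharaoh.exe','tazebama.dll','autorun.ini'
$fakeExe = 'Adjust Time.exe','CD Burner.exe','Disk Defragmenter.exe','Recycle Bin.exe',
           'ShowDesktop.exe','Office2007 Serial.txt.exe','KasperSky6.0 Key.doc.exe'
$names = $dropped + $fakeExe
Get-ChildItem -LiteralPath $ScanRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and ($names -contains $_.Name) } |
    ForEach-Object { $findings += "Suspicious file: $($_.FullName)" }

# 4. The .reg association the post repairs; a clean system has regedit.exe "%1".
$key = 'Registry::HKEY_CLASSES_ROOT\regfile\shell\open\command'
$cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
if ($cmd -notmatch '^\s*"?regedit(\.exe)?"?\s+"%1"\s*$') {
    $findings += "regfile open command is '$cmd' (expected regedit.exe ""%1"")"
}

if ($findings.Count -eq 0) { 'No Mabezat indicators found.' } else { $findings }
```

Run it from an elevated PowerShell prompt so the registry key and all user profiles are readable; anything it lists still needs the antivirus disinfection steps above, since the script only reports.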

This is most of it. And remember to use the notes in here to open and clean up any removable media you have.
