Win32/Mabezat [Threat Name] go to Threat

Win32/Mabezat.A [Threat Variant Name]

Category virus
Size 155 KB
Aliases Worm.Win32.Mabezat.b (Kaspersky)
  W32/Mabezat (McAfee)
  Win32/Mabezat.A (Grisoft)
Short description

Win32/Mabezat.A is a polymorphic file infector.


When executed, the virus copies itself into the folder:

  • %drive%\­Documents and Settings\­

with the following file names:

  • tazebama.dl_
  • hook.dl_

The following file is dropped in the same folder:

  • tazebama.dll (32768 B)

The virus creates the following folders:

  • %appdata%\­tazebama\­

The following Registry entries are removed:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer]
    • "NoDriveTypeAutoRun"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer]
    • "NoDriveTypeAutoRun"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "Hidden" = 2
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "HideFileExt" = 1
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "ShowSuperHidden" = 0
Executable file infection

The virus infects executable files.

The virus searches for executables with one of the following extensions:

  • .exe

Executables are infected by appending the code of the virus to the end of the original file.

The host file is modified in a way that causes the virus to be executed prior to running the original code.


The virus copies itself into the root folders of all drives using the following name:

  • zPharaoh.exe

The following file is dropped in the same folder:

  • autorun.inf

The virus copies itself into existing folders of removable drives. The following names are used:

  • Adjust Time.exe
  • AmericanOnLine.exe
  • Antenna2Net.exe
  • BrowseAllUsers.exe
  • CD Burner.exe
  • Crack_GoogleEarthPro.exe
  • Disk Defragmenter.exe
  • FaxSend.exe
  • FloppyDiskPartion.exe
  • GoogleToolbarNotifier.exe
  • HP_LaserJetAllInOneConfig.exe
  • IDE Conector P2P.exe
  • InstallMSN11Ar.exe
  • InstallMSN11En.exe
  • JetAudio dump.exe
  • KasperSky6.0 Key.doc.exe
  • Lock Folder.exe
  • LockWindowsPartition.exe
  • Make Windows Original.exe
  • MakeUrOwnFamilyTree.exe
  • Microsoft MSN.exe
  • Microsoft Windows Network.exe
  • msjavx86.exe
  • NokiaN73Tools.exe
  • Office2003 CD-Key.doc.exe
  • Office2007 Serial.txt.exe
  • PanasonicDVD_DigitalCam.exe
  • RadioTV.exe
  • Recycle Bin.exe
  • RecycleBinProtect.exe
  • ShowDesktop.exe
  • Sony Erikson DigitalCam.exe
  • Win98compatibleXP.exe
  • Windows Keys Secrets.exe
  • WindowsXp StartMenu Settings.exe
  • WinrRarSerialInstall.exe

The name of the file may be based on the name of an existing file or folder.

The extension of the file is ".exe" .

Other information

If the current system date matches the condition, files with the following file extension will be encrypted:

  • .ASP
  • .ASPX
  • .ASPX.CS
  • .BAS
  • .C
  • .CPP
  • .DOC
  • .H
  • .HLP
  • .HTM
  • .HTML
  • .MDB
  • .MDF
  • .PAS
  • .PDF
  • .PHP
  • .PPT
  • .PSD
  • .RAR
  • .RTF
  • .TXT
  • .XLS
  • .ZIP

The virus may create copies of itself in the folder:

  • %userprofile%\­Local Settings\­Application Data\­Microsoft\­CD Burning\­

The following filename is used:

  • zPharaoh.exe

The following files may be dropped in the same folder:

  • autorun.inf

The virus may delete files stored in the following folders:

  • %userprofile%\­Local Settings\­Application Data\­Microsoft\­CD Burning\­

The virus may create the text file:

  • %appdata%\­tazebama\­zPharaoh.dat

The virus may create the following files in the %drive%\Documents and Settings\ folder:

  • MyDocuments.rar
  • backup.rar
  • documents_backup.rar
  • imp_data.rar
  • source.rar
  • windows_secrets.rar
  • passwords.rar
  • serials.rar
  • office_crack.rar
  • windows.rar

The archive contains an executable file.

The file is a part of the infiltration.

Please enable Javascript to ensure correct displaying of this content and refresh this page.