HI
Please advise: Win32.Mabezat-K (worm) detected by avast in: System restore, in a computer game (on my hard disk) and in d. Is that a false positive or a real one?
Thanks
EP
Hi crow,
You could upload the infected file to VirusTotal and give the results in your next posting. From the following information you can establish whether you were infected by this PE-file infecting worm:
You could have been infected through a Network Drive, an infected USB stick, etc.
Displaying Results for threat
Win32/Mabezat.A
Names, aliases:
Win32/Mabezat.B (eTrust-Vet), Worm.Win32.Mabezat.b (F-Secure), Worm.Win32.Mabezat.b (Ikarus), Worm.Win32.Mabezat.b (Kaspersky), W32/Mabezat.a (McAfee), Win32/Mabezat.A (NOD32v2), Win32.Malware.gen!92 (Webwasher-Gateway)
Behavior:
Polymorphic parasitic file infector of executable files; uses removable media and shared folders in the LAN to propagate itself.
Description:
Once executed, the worm drops the following files in the folder %DriveLetter%\Documents and Settings:
tazebama.dll (32,768 bytes)
tazebama.dl_ (154,751 bytes)
hook.dl_ (154,751 bytes)
Modifies the following registry entries:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"SuperHidden"=dword:00000000
"Hidden"=dword:00000001
Enables drive autorun by removing the entry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"
It may also copy itself to the %UserProfile%\Local Settings\Application Data\Microsoft\CD Burning folder using the following filename:
zPharaoh.exe
Creates the following folder for its own use:
%DriveLetter%\Documents and Settings\%UserProfile%\Application Data\tazebama
If the current system date matches the condition (year greater than or equal to 2012, month greater than or equal to 10 and day greater than or equal to 16), files with the following extensions are encrypted:
*.TXT
*.BAS
*.C
*.MDB
*.ZIP
*.RAR
*.DOC
*.XLS
*.CPP
*.H
*.PAS
*.ASP
*.PHP
*.PPT
*.HTM
*.RTF
*.MDF
*.PSD
*.ASPX
*.ASPX.CS
*.HTML
*.PDF
*.HLP
The encryption consists simply of adding 0x10 to each byte of the file.
Executable files infection:
The virus searches for executables on local drives and on the network. Executables are infected by overwriting the instructions at the entry point. The original code is then stored at the end of the file.
Propagation:
Copies itself in root folders of drives using the following filename: zPharaoh.exe
The virus also creates the following file: autorun.inf
with the following content:
[AutoRun]
ShellExecute=zPharaoh.exe
shell\open\command=zPharaoh.exe
shell\explore\command=zPharaoh.exe
open=zPharaoh.exe
This causes the virus to be executed each time the user opens the corresponding removable drive using Windows Explorer.
Removing:
Remove infected files and restore them from backup.
Or you could try this remover: http://www.softpedia.com/progDownload/Win32-Mabezat-Remover-Download-105652.html
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.
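The description above says the worm's "encryption" is just adding 0x10 to every byte. As an added example (not code from this thread, from avast or from any vendor remover), here is that transformation reversed in Python, with a file-signature check so an intact file is never "decoded" into garbage, and the trigger-date condition written out exactly as stated. Assumed: the addition wraps modulo 256 as in ordinary 8-bit arithmetic, and the magic bytes are the standard signatures for those formats.

```python
# Added example, not from this thread or from avast: reverses the
# "add 0x10 to each byte" scheme described above and encodes the stated
# trigger-date condition. Assumptions: the add wraps modulo 256 (normal
# 8-bit arithmetic; the description does not say), and MAGIC holds the
# standard leading bytes of those file formats.
from typing import Optional

# Standard leading bytes for a few of the listed extensions.
MAGIC = {
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04",
    ".rar": b"Rar!",
    ".doc": b"\xd0\xcf\x11\xe0",  # OLE2 compound file (also .xls, .ppt)
    ".xls": b"\xd0\xcf\x11\xe0",
    ".ppt": b"\xd0\xcf\x11\xe0",
}

def trigger_date_matches(year: int, month: int, day: int) -> bool:
    """The payload condition exactly as the description states it:
    year >= 2012 AND month >= 10 AND day >= 16, all three at once.
    Read literally, 1 January 2013 does not satisfy it."""
    return year >= 2012 and month >= 10 and day >= 16

def mabezat_encode(data: bytes) -> bytes:
    """The worm's transformation: add 0x10 to every byte (wrapping at 256)."""
    return bytes((b + 0x10) & 0xFF for b in data)

def mabezat_decode(data: bytes) -> bytes:
    """Inverse transformation: subtract 0x10 from every byte (wrapping)."""
    return bytes((b - 0x10) & 0xFF for b in data)

def looks_shifted(data: bytes, ext: str) -> bool:
    """True when the file does not start with its expected signature but
    the decoded header does, i.e. the whole file was shifted by 0x10."""
    magic = MAGIC.get(ext.lower())
    if magic is None or len(data) < len(magic):
        return False
    return not data.startswith(magic) and mabezat_decode(data[:len(magic)]) == magic

def recover(data: bytes, ext: str) -> Optional[bytes]:
    """Return the original bytes if the file looks shifted, else None
    (an intact or unknown file is left alone)."""
    return mabezat_decode(data) if looks_shifted(data, ext) else None

if __name__ == "__main__":
    original = b"%PDF-1.4\n% constructed sample\n"  # constructed, not a real file
    damaged = mabezat_encode(original)
    print(recover(damaged, ".pdf") == original)   # True
    print(recover(original, ".pdf"))              # None: intact file left alone
```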
Thank you Polonus for your extensive reply and the link you supplied; however, please note that my question regarded:
Win32-Mabezat-k, not the few you mentioned in your post.
Regards
Ep
The same family is likely to have the same registry entries and associated files. The idea is to check and see if you have any registry entry like this or any of the associated files with the future dates, etc.
Thank you David r for your reply.
By now I've deleted the suspicious apparent virus from my PC, I even deleted one Mabezat entry in the registry, and didn't get to send it to VirusTotal. If it shows up again I shall do just that.
Regards
EP
No problem, it is hard to think rationally when the alligators are snapping at your behind ;D