Win32:Zafi-D
is an email worm. It also has Trojan capabilities: it switches security programs off and makes it impossible to run the utilities for process management and registry editing. It can also spread through P2P networks.
When executed, the worm creates the file "Norton Update.exe" and a few files with random names and .dll extensions in the system folder (Windows\System or Windows\System32), each a copy of itself, as well as a data file C:\S.cm. The worm creates further copies of itself in folders whose names contain the string "shar", under the names "winamp 5.7 new!.exe" or "ICQ 2005a new!.exe"; this is how it spreads through P2P networks.
The worm is activated at Windows startup through a registry value named "Wxp4" under the subkey HKLM\Software\Microsoft\Windows\CurrentVersion\Run, whose data is "%System%\Norton Update.exe".
Before it starts to spread, the worm tries to contact the domain microsoft.com to determine whether the computer is connected to the Internet. It then searches for mail addresses in files with the extensions adb, asp, dbx, eml, fpt, htm, inb, mbx, php, pmr, sht, tbb, txt and wab, and in the Windows address book. The addresses found are stored in the randomly named .dll files in the system folder.
Zafi-D mails itself to the addresses found, except for those containing one of the strings admi, cafee, ebm, google, help, hotm, info, kasper, micro, msn, panda, secure, sopho, suppor, syman, trend, use, viru, win or yahoo. The sender address is forged. The Subject of the infected mail is one of the following strings:
boldog karacsony...
Buon Natale!
ecard.ru
Feliz Navidad!
Christmas - Kartki!
Christmas Kort!
Christmas pohlednice
Christmas postikorti!
Christmas Postkort!
Christmas Vykort!
Joyeux Noel!
Merry Christmas!
Prettige Kerstdagen!
Weihnachten card.
The mail body contains a short Christmas greeting in various languages. The attachment carrying the worm has one of the extensions bat, cmd, com, pif or zip.
The worm tries to kill any process whose name contains one of the strings msconfig, reged or task, which is why neither Task Manager nor the registry editor can be run while the worm is active. It also searches for folders whose names contain cafee, kasper, panda, secur, sopho, syman, trend or viru and attempts to terminate every .exe file found in them.
The worm opens TCP port 8181 and awaits incoming connections.
avast! with a VPS file dated 14th December 2004 or later detects this worm.
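As an added example that is not part of the avast! entry, the following Python helper checks mail metadata and host artifacts against the indicators listed above (the Subject strings, attachment extensions, the "Wxp4" Run value, the C:\S.cm data file and the bait copies in "shar" folders). The Run-key entries and file paths in the sample inputs are constructed for illustration.

```python
# Triage helper for the Win32:Zafi-D indicators described in the entry.
# Added example, not code from avast!; the inputs it is run on are constructed.

ZAFI_D_SUBJECTS = {
    "boldog karacsony...", "Buon Natale!", "ecard.ru", "Feliz Navidad!",
    "Christmas - Kartki!", "Christmas Kort!", "Christmas pohlednice",
    "Christmas postikorti!", "Christmas Postkort!", "Christmas Vykort!",
    "Joyeux Noel!", "Merry Christmas!", "Prettige Kerstdagen!",
    "Weihnachten card.",
}
_SUBJECTS_LC = {s.lower() for s in ZAFI_D_SUBJECTS}
ZAFI_D_ATTACHMENT_EXTS = {"bat", "cmd", "com", "pif", "zip"}
P2P_DROP_NAMES = {"winamp 5.7 new!.exe", "icq 2005a new!.exe"}
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"


def is_zafi_d_mail(subject: str, attachment: str) -> bool:
    """True when both the Subject and the attachment extension match the worm's pattern."""
    ext = attachment.rsplit(".", 1)[-1].lower() if "." in attachment else ""
    return subject.strip().lower() in _SUBJECTS_LC and ext in ZAFI_D_ATTACHMENT_EXTS


def host_findings(run_values: dict, file_paths: list) -> list:
    """Return indicator descriptions found in a Run-key listing and a file listing.

    run_values maps Run value names to their data; file_paths is a list of paths.
    """
    findings = []
    # Persistence: value "Wxp4" (or any value whose data ends in "Norton Update.exe").
    for name, data in run_values.items():
        if name.lower() == "wxp4" or data.lower().endswith("norton update.exe"):
            findings.append(f"run key {RUN_KEY}\\{name} = {data}")
    for path in file_paths:
        low = path.lower().replace("/", "\\")
        base = low.rsplit("\\", 1)[-1]
        if low == r"c:\s.cm":
            findings.append(f"data file {path}")
        elif base in P2P_DROP_NAMES and "shar" in low:
            findings.append(f"P2P bait copy {path}")
    return findings


if __name__ == "__main__":
    # Constructed sample input: one Run value from the worm, one benign one, three files.
    sample_run = {"Wxp4": r"C:\WINDOWS\System32\Norton Update.exe",
                  "ctfmon": r"C:\WINDOWS\System32\ctfmon.exe"}
    sample_files = [r"C:\S.cm",
                    r"C:\Program Files\Kazaa\My Shared Folder\winamp 5.7 new!.exe",
                    r"C:\WINDOWS\System32\notepad.exe"]
    for line in host_findings(sample_run, sample_files):
        print(line)
    print(is_zafi_d_mail("Merry Christmas!", "postcard.zip"))
```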