A new worm - W32.Zafi.B@mm

June 15, 2004

W32

Worm - W32.Zafi.B@mm (English Version Only)

 

Alias

W32/Zafi.b, Worm_Zafi.B, Zafi.B, PE_PAFI.B, W32.Erkez.B@mm

Description

W32.Zafi.B@mm is a mass-mailing worm that sends email messages by using its own SMTP engine and spoofing the "From:" address.  The email message may arrive with a random named attachment.  Also, the worm will also propagate through P2P and copy itself to the folder with "share" or "upload" string contained in the folder name in the local system.  The following file will be dropped: 

o        winamp 7.0 full_install.exe

o        Total Commander 7.0 full_install.exe

Once the worm is executed, several additional files will be created to the Windows Systems Directory with a random .DLL or .EXE name.  For detail description of email message format, please refer to Appendix .

When the worm's file is run, the following Registry key will be added:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "_Hazafibb" = "%SysDir%\<random>.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb

Payload

  • Sends email messages with its own SMTP engine to all found e-mail addresses from Windows Address Book, files with the following extension will be checked:
    • htm
    • wab
    • txt
    • dbx
    • tbb
    • asp
    • php
    • sht
    • adb
    • mbx
    • eml
    • pmr

 but does not include e-mail address with:

    • admi
    • cafee
    • google
    • help
    • hotm
    • info
    • kasper
    • micro
    • msn
    • panda
    • sopho
    • suppor
    • syma
    • trend
    • use
    • vir
    • webm
    • win
    • yaho

�@

  • Sends email to the spoofed list with respective languages depending on the domain of the recipients address.
  • Email with a random attachment name using one of the following extensions:
    • .com
    • .exe
    • .pif
  • Propagation through peer-to-peer applications
  • Terminates "firewall" & "antivirus" programs
  • Disable several Windows Tools, like, Task Manager, Registry Editor, msconfig, etc.  

Solution

New virus definition is available from anti-virus vendors to detect and remove this virus. If you do not install any anti-virus program, you can download the following removal tools to clean it.

 

Sophos

http://www.sophos.com/support/disinfection/worms.html

 

Symantec
http://securityresponse.symantec.com/avcenter/FxErkezB.exe

Mcafee
http://vil.nai.com/vil/stinger/

F-Secure
ftp://ftp.f-secure.com/anti-virus/tools/f-zafi.exe

Information provided from hkcert.org

 

Latest News
hosting, web hosting, hosting hk, cloud hosting, ssd hosting, SSD 網站寄存, Unix Hosting, Windows Hosting colocation, server colocation, colocation hk, hk datacenter, 伺服器託管, 托管伺服器, 香港數據中心 7x24 ACRONIS Backup Solution, ACRONIS 備份方案, Virtual Private Server MyVPS Malaysia Server, Singapore Server, USA Server, Taiwan Server, Japan Server, China Server ssd email, cloud email, Email Server Rental, Spam Controller, Global SMTP, Smart Email System, Catch SMTP, Offline Email Backup, Secondary MX Record dedicated server, Dell 伺服器租用, Dell Server Rental server maintenance, maintenance service