Summary

| | |
|---|---|
| How it spreads | Mass mailing and peer-to-peer file sharing (see below) |
| Affected operating systems | Windows |
| Included in our products from | February 2005 (3.90) |
| Protection available since | 14 December 2004 11:56:00 (GMT) |
| Detected by | All Sophos products |

Action

Please read the instructions for removing W32/Zafi-D.

More Information
W32/Zafi-D is a mass mailing worm and peer-to-peer worm.
W32/Zafi-D copies itself to the Windows system folder with the filename Norton Update.exe.
W32/Zafi-D creates a number of files in the Windows system folder with filenames consisting of 8 random characters and a DLL extension. Some of these are exact or zipped copies of the worm, detected as W32/Zafi-D, while others are log files created by the worm.
W32/Zafi-D harvests email addresses from the Windows Address Book and from files found on the hard drive.
W32/Zafi-D copies itself to folders with names containing share, upload, or music as ICQ 2005a new!.exe or winamp 5.7 new!.exe.
W32/Zafi-D displays a fake error message box with the caption "CRC: 04F6Bh" and the text "Error in packed file!".
[Image: A typical message sent by the W32/Zafi-D worm]
W32/Zafi-D copies itself to the Windows system folder with the filename Norton Update.exe and creates the following entry in the registry so as to run itself when a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Wxp4
W32/Zafi-D creates a number of files in the Windows system folder with filenames consisting of 8 random characters and a DLL extension. Some of these are exact or zipped copies of the worm, detected as W32/Zafi-D, while others are log files created by the worm.
W32/Zafi-D attempts to terminate processes related to files found in folders that have names containing the following strings:
syman, viru, trend, secur, panda, cafee, sopho, kasper
W32/Zafi-D attempts to open files containing the following strings and keep them open so as to make them inaccessible to the user:
reged, msconfig, task
W32/Zafi-D copies itself to folders containing one of the following strings:
share, upload, music
W32/Zafi-D copies itself to these folders with one of the following filenames:
ICQ 2005a new!.exe
winamp 5.7 new!.exe
W32/Zafi-D harvests email addresses from the Windows Address Book and from files it finds with the extensions HTM, WAB, TXT, DBX, TBB, ASP, PHP, SHT, ADB, MBX, EML, PMR, FPT or INB.
W32/Zafi-D may copy the file from which it is harvesting addresses to C:\S.CM.
W32/Zafi-D does not harvest addresses that contain the following words:
yaho, google, win, use, info, help, admi, webm, micro, msn, hotm, suppor, syman, viru, trend, secur, panda, cafee, sopho, kasper
W32/Zafi-D does not harvest addresses that contain 16 or more digits.
W32/Zafi-D may generate random addresses using harvested domain names.
W32/Zafi-D produces emails with the following characteristics, depending on the nationality of the recipient, which it infers from the region-specific top-level domain of the address (e.g. .uk, .de, .fr, .nl):
From line: This is either a name gathered from the host email setup or one of the following:
Pamela M.
T. Antonio
J. Martin
V. Dusan
R. Cornel
H. Irene
S. Ewa
C. Lina
M. Virtanen
M. Emma
J. Andersson
V. Jensen
V. Tatyana
N. Fernandez
T. Maria
Subject line: This starts with "Re:", "Fw:" or nothing, followed by one of the following:
Merry Christmas!
Buon Natale!
Joyeux Noel!
Christmas pohlednice
Prettige Kerstdagen!
Weihnachen card.
Christmas - Kertki!
Christmas - Atviruka!
Christmas postikorti!
Christmas Postkort!
Christmas Vykort!
Christmas Kort!
ecard.ru
Feliz Navidad!
boldog karacsony...
Message body: This is in plain text and HTML format. Both consist of either two words or spaces, followed by a smiley and the sender name from the subject line. In the HTML version the words or spaces are separated by "...." strings and a lewd animated GIF file of two smileys, and the line starts and ends in asterisks. The HTML text ends in a string containing a domain name followed by the text "Picture Size: 11 KB, Mail +OK".
The words used in the text are taken from the following list, or are written in non-Roman characters:
Happy Hollydays!
Buon Natale!
Joyeux Noel!
Prettige Kerstdagen!
Frohliche Wiehnachten!
Wesolych Swiat!
Naujieji Metai!
Iloista Joulua!
God Jul!
Glaedelig Jul!
Feliz Navidad
Kellemes Unnepeket!
Attached filename: This starts with "link." or nothing, followed by one name from the following list:
postcard.
cartoline.
ecarte.
phlednice.
kerstdagen.
weihnachten.
kartki.
atviruka.
postikorti.
postkort.
vykort.
ekort.
card.
navidad.
karacsony.
This is then followed by "christmas." or nothing, then by "index." or nothing.
The attachment then has one of the following fake extensions followed by 4 random digits:
.php
.htm
.jpg
.gif
The attachment has one of the following actual extensions:
.cmd
.bat
.pif
.com
.zip
If the attachment is a ZIP file then the worm inside it has a filename of one of the following:
postcard.
wishcard.
xmascard.
giftcard.
This is followed by either "id" or "php", four random digits and one of the following extensions:
.cmd
.bat
.pif
.com
For example, the attached file may be a ZIP file named atviruka.christmas.index.jpg6245.zip containing a copy of the worm named wishcard.id8302.cmd.
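The attachment naming scheme described above, expressed as a check a mail gateway or mailbox scan could apply to attachment names (added example, not code from the Sophos analysis; the verdict labels and the sample attachments are constructed here):

```python
import re

# Name fragments as listed in the W32/Zafi-D description above.
OUTER_NAMES = ("postcard", "cartoline", "ecarte", "phlednice", "kerstdagen",
               "weihnachten", "kartki", "atviruka", "postikorti", "postkort",
               "vykort", "ekort", "card", "navidad", "karacsony")
INNER_NAMES = ("postcard", "wishcard", "xmascard", "giftcard")
FAKE_EXTS = ("php", "htm", "jpg", "gif")  # decoy "extension" before the 4 digits
REAL_EXTS = ("cmd", "bat", "pif", "com")  # executable extensions the worm uses

def _alt(words):
    """Regex alternation of literal words."""
    return "|".join(re.escape(w) for w in words)

# Outer attachment: [link.]<name>.[christmas.][index.]<fake><4 digits>.<real|zip>
OUTER_RE = re.compile(
    rf"^(?:link\.)?(?:{_alt(OUTER_NAMES)})\.(?:christmas\.)?(?:index\.)?"
    rf"(?:{_alt(FAKE_EXTS)})\d{{4}}\.(?:{_alt(REAL_EXTS)}|zip)$", re.IGNORECASE)
# Worm inside a ZIP: <name>.(id|php)<4 digits>.<real>
INNER_RE = re.compile(
    rf"^(?:{_alt(INNER_NAMES)})\.(?:id|php)\d{{4}}\.(?:{_alt(REAL_EXTS)})$",
    re.IGNORECASE)

def zafi_d_verdict(filename, zip_members=()):
    """Classify one attachment name (plus member names if it is a ZIP):
    "worm" for a direct executable copy, "zip-with-worm" when a ZIP member
    also matches, "suspicious-name" for a matching ZIP whose members do not,
    and "clean" otherwise."""
    name = filename.strip()
    if not OUTER_RE.match(name):
        return "clean"
    if not name.lower().endswith(".zip"):
        return "worm"
    if any(INNER_RE.match(m.strip()) for m in zip_members):
        return "zip-with-worm"
    return "suspicious-name"

# Constructed sample attachments (not captured mail); the first is the
# example from the description, the last is a benign look-alike.
SAMPLE_ATTACHMENTS = [
    ("atviruka.christmas.index.jpg6245.zip", ["wishcard.id8302.cmd"]),
    ("link.postcard.gif1234.pif", []),
    ("family.christmas.jpg", []),
]

def scan(attachments=SAMPLE_ATTACHMENTS):
    """Return (filename, verdict) for each (filename, zip_members) pair."""
    return [(n, zafi_d_verdict(n, members)) for n, members in attachments]
```

The pattern is anchored at both ends and requires exactly four digits, so a renamed or re-packed sample will not match; this is a name-based triage aid, not a substitute for content scanning.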
W32/Zafi-D creates entries in the registry, some related to files it drops and some related to system information. The entries are all under HKLM\Software\Microsoft\Wxp4\ with some of the following values:
t1, t2, t3, t4, t5, t6, t7, t8, t9, tA, tB, tC, tD, tE, tZ, rB, rC,
mA, mB, mC, ... , mX, mY, mZ
lA, lB, lC, ... , lX, lY, lZ
W32/Zafi-D displays a fake error message box with the caption "CRC: 04F6Bh" and the text "Error in packed file!".

