Sunday, March 7, 2010

WIN32 ZAFI B REMOVAL

Win32/Zafi.B (also known as W32.Erkez.B) is a worm that spreads via e-mail and P2P networks. It runs on Windows 95 and later. The sample is 12800 bytes, packed with the FSG packer; unpacked it is 49 kB.

Note: In the following text the placeholder %windir% stands for the directory in which Windows is installed, which differs from installation to installation. The System or System32 subdirectory of %windir% is referred to as %system%.

The worm arrives in an e-mail message whose subject line and body are picked at random from a set of pre-defined subject lines and bodies stored in the worm code. One example subject line is:

eIngyen SMS!

And one example message body. On the wire it is quoted-printable encoded (the =XX sequences are ISO-8859-2 bytes); the decoded Hungarian text is shown first, followed by an English translation:

------------------------ hirdetés -----------------------------

A sikeres 777sms.hu és az axelero.hu támogatásával újra
indul az ingyenes sms küldő szolgáltatás! Jelenleg ugyan
korlátozott számban, napi 20 ingyen smst lehet felhasználni.
Küldj te is SMST! Nehány kattintás és a mellékelt regisztrációs
lap kitöltése után azonnal igénybevehető! Bővebb információt
a www.777sms.hu oldalon találsz, de siess, mert az első ezer
felhasználó között értékes nyereményeket sorsolunk ki!

------------------------ axelero.hu ---------------------------

In English:

------------------------ advertisement -----------------------------

With the support of the successful 777sms.hu and axelero.hu, the free
SMS sending service is starting again! For now the number is limited:
20 free SMS per day can be used. Send an SMS yourself! After a few clicks
and filling in the attached registration form it can be used right away!
You will find more information on the www.777sms.hu site, but hurry,
because we will draw valuable prizes among the first thousand users!

------------------------ axelero.hu ---------------------------

The worm itself is carried as the attachment of the e-mail message.
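A mail-side check for this lure, as an added example that is not code from the original post. It decodes the quoted-printable body as it appears on the wire and flags a message that combines the lure text with an executable attachment. The ISO-8859-2 charset, the function names, the two-indicator threshold and the constructed sample (including the attachment name regisztracio.exe) are assumptions of this example, not facts from the page.

```powershell
# Added example (not from the original post). Decodes a quoted-printable
# body and tests a message against the Zafi.B lure indicators described above.

function ConvertFrom-QuotedPrintable {
    param(
        [Parameter(Mandatory)][string]$Text,
        [string]$Charset = 'iso-8859-2'   # assumption: Hungarian mail of the period used Latin-2
    )
    # Drop soft line breaks ("=" at end of line), then turn every =XX into one byte.
    $joined = $Text -replace "=`r?`n", ''
    $bytes = New-Object System.Collections.Generic.List[byte]
    $i = 0
    while ($i -lt $joined.Length) {
        $c = $joined[$i]
        if ($c -eq '=' -and ($i + 2) -lt $joined.Length -and
            $joined.Substring($i + 1, 2) -match '^[0-9A-Fa-f]{2}$') {
            $bytes.Add([Convert]::ToByte($joined.Substring($i + 1, 2), 16))
            $i += 3
        } else {
            # Anything not =XX-encoded is 7-bit ASCII in quoted-printable.
            $bytes.Add([byte][char]$c)
            $i++
        }
    }
    [System.Text.Encoding]::GetEncoding($Charset).GetString($bytes.ToArray())
}

function Test-ZafiLure {
    param(
        [string]$Subject,
        [string]$BodyQP,             # body exactly as received (quoted-printable)
        [string[]]$AttachmentNames
    )
    $body = ConvertFrom-QuotedPrintable -Text $BodyQP
    $reasons = @()
    if ($Subject -match 'Ingyen SMS')                  { $reasons += 'subject matches lure' }
    if ($body -match '777sms\.hu|axelero\.hu')         { $reasons += 'body references 777sms.hu/axelero.hu' }
    if ($AttachmentNames | Where-Object { $_ -match '\.exe$' }) { $reasons += 'executable attachment' }
    [pscustomobject]@{
        Suspicious  = ($reasons.Count -ge 2)   # assumption: two indicators is the threshold
        Reasons     = $reasons
        DecodedBody = $body
    }
}

# Constructed sample built from the lure body quoted above (first lines only).
$sampleBody = @'
------------------------ hirdet=E9s -----------------------------
A sikeres 777sms.hu =E9s az axelero.hu t=E1mogat=E1s=E1val =FAjra
indul az ingyenes sms k=FCld=F5 szolg=E1ltat=E1s!
'@
# The attachment name is constructed for the example; the worm picks its own.
Test-ZafiLure -Subject 'Ingyen SMS!' -BodyQP $sampleBody -AttachmentNames @('regisztracio.exe')
```

Running this under Windows PowerShell 5.1 or PowerShell 7 prints a Suspicious = True record whose DecodedBody reads "hirdetés ... támogatásával újra ... küldő szolgáltatás!". Decoding before matching matters: a filter that searches for the accented Hungarian strings directly will never see them in a quoted-printable message.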


EFFECTS OF WIN32 ZAFI.B EMAIL WORM

Upon activation Win32/Zafi.B copies itself into the %system% directory under a random name with the extension .exe. In the same directory it creates a second file with a random name and the extension .dll, which it uses as a store for the e-mail addresses it collects for further spreading.

To ensure that it starts on the next system start-up, the worm adds an entry to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The worm also creates the following registry key, where it stores its internal state:
HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb

The worm searches the hard disk for folders named "share" and "upload" and copies itself into them using one of the following names:
Total Commander 7.0 full_install.exe
winamp 7.0 full_install.exe

The worm searches the disk for files with the following extensions and harvests e-mail addresses from them:

htm,wab,txt,dbx,tbb,asp,php,sht,adb,mbx,eml,pmr

The worm spreads itself to all the e-mail addresses that it finds. It avoids the e-mail addresses that contain the following strings:

win,use,info,help,admi,webm,micro,msn,hotm,suppor,syma,vir,trend,panda,yaho,cafee,sopho,google,kasper

The worm terminates every running process whose name contains either of the following strings:
"firewall" and "virus"

The worm also blocks the following utilities from starting (matched by these strings in the program name):

Regedit,MsConfig,Task

Infected computers send requests to the following web sites:

www.parlament.hu
www.virusbuster.hu
www.virushirado.hu
www.2f.hu
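A host-side check for the indicators listed in this section, as an added example that is not code from the original post. It looks for the _Hazafibb marker key, for Run entries that launch an executable from %system%, and for copies of the worm under the two lure names in any folder called share or upload. The function name, the decision to scan every filesystem drive and the output format are assumptions of this example; the registry paths and file names come from the text above.

```powershell
# Added example (not part of the original post): look for the Zafi.B host
# indicators described above. Scanning all filesystem drives is an assumption.

function Get-ZafiIndicators {
    [CmdletBinding()]
    param(
        # Roots to scan for 'share'/'upload' folders (assumption: every filesystem drive).
        [string[]]$ScanRoots = (Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root })
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Marker key the worm creates for its internal state.
    $markerKey = 'HKLM:\Software\Microsoft\_Hazafibb'
    if (Test-Path -LiteralPath $markerKey) {
        $findings.Add("Marker key present: $markerKey")
    }

    # 2. Run entries that start a random-named .exe out of %system%.
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $systemDir = [Environment]::GetFolderPath('System')   # %system%, e.g. C:\Windows\system32
    $run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($prop in $run.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }         # provider metadata, not a Run value
            $value = [string]$prop.Value
            if ($value -imatch [regex]::Escape($systemDir)) {
                $findings.Add("Run entry '$($prop.Name)' starts from %system%: $value")
            }
        }
    }

    # 3. P2P drops: copies under the lure names inside any 'share' or 'upload' folder.
    $lureNames = @('Total Commander 7.0 full_install.exe', 'winamp 7.0 full_install.exe')
    foreach ($root in $ScanRoots) {
        Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -in @('share', 'upload') } |
            ForEach-Object {
                foreach ($name in $lureNames) {
                    $candidate = Join-Path $_.FullName $name
                    if (Test-Path -LiteralPath $candidate) {
                        $findings.Add("Dropped copy: $candidate")
                    }
                }
            }
    }

    return $findings
}

$result = Get-ZafiIndicators
if ($result.Count -eq 0) { 'No Zafi.B indicators found.' } else { $result }
```

Because the worm blocks Regedit, MsConfig and Task from starting, this script reads the registry through PowerShell's registry provider instead, which is not on that list. A legitimate Run entry that also points into %system% will be reported as well, so treat the Run findings as leads to inspect, while the _Hazafibb key and the lure-named files are specific to this worm.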

HOW TO REMOVE WIN32 ZAFI.B EMAIL WORM

ESET NOD32 detects Win32/Zafi.B using its Advanced Heuristics.
Download ESET NOD32 Antivirus.
