Win32/Zafi.D
Win32/Zafi.D is a worm that spreads as an e-mail attachment and via P2P networks. Its executable is 11745 bytes long and is compressed with FSG.
Note: In the following text the symbolic name %windir% stands for the directory in which the Windows operating system is installed; this differs from installation to installation. The System or System32 subdirectory of %windir% is referred to as %system%.
The body of the message sent by the worm contains a short Christmas greeting. There are 15 different language versions; the version used is picked according to the recipient's top-level domain.
Examples of the messages:
English
subject: Merry Christmas!
message body: Happy Hollydays!
attachment name: postcard
Czech
subject: Christmas pohlednice
message body: Veselé Vánoce!
attachment name: pohlednice
Danish
subject: Christmas Kort!
message body: Glaedelig Jul!
attachment name: ekort
Finnish
subject: Christmas postikorti!
message body: Iloista Joulua!
attachment name: postikorti
French
subject: Joyeux Noel!
message body: Joyeux Noel!
attachment name: ecarte
Dutch
subject: Prettige Kerstdagen!
message body: Prettige Kerstdagen!
attachment name: kerstdagen
Lithuanian
subject: Prettige Kerstdagen!
message body: Naujieji Metai!
attachment name: atviruka
Hungarian
subject: boldog karacsony...
message body: Kellemes unnepeket!
attachment name: karacsony
German
subject: Weihnachten card.
message body: Frohliche Weihnachten
attachment name: weihnachten
Norwegian
subject: Christmas Postkort!
message body: God Jul!
attachment name: postkort
Polish
subject: Christmas - Kartki!
message body: Wesolych Swiat!
attachment name: kartki
Russian
subject: ecard.ru
message body:
attachment name: card
Spanish
subject: Feliz Navidad!
message body: navidad
attachment name: Feliz Navidad!
Swedish
subject: Christmas Vykort!
message body: God Jul!
attachment name: vykort
Italian
subject: Buon Natale!
message body: Buon Natale!
attachment name: cartoline
Random numbers or another string may be appended to the attachment name. The attachment has the extension .cmd, .bat, .pif, .com or .zip; it is either an executable or a ZIP archive.
Upon execution the worm copies itself into the %system% folder under the name "Norton Update.exe". A file with a random name and a ".dll" extension is created in the same directory.
When the worm is executed for the first time, a fake error message "Error in packed file!" is displayed. The caption of the message window is "CRC: 04F7Bh".
In order to be run at every system start-up, the worm creates a value called "Wxp4" in the following Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The value contains the path to the executable of Win32/Zafi.D.
The registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Wxp4 is also created; the worm stores various information there.
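As an added example (not part of the ESET entry), a small mail-gateway check in Python that flags messages carrying the lure subjects and attachment names listed above, allowing for the appended random string and the five attachment extensions; the message builder and the verdict names are assumptions of this example.

```python
import re
from email.message import EmailMessage

# Lure strings taken from the Win32/Zafi.D description (the Russian variant has no body text).
ZAFI_SUBJECTS = {
    "merry christmas!", "christmas pohlednice", "christmas kort!", "christmas postikorti!",
    "joyeux noel!", "prettige kerstdagen!", "boldog karacsony...", "weihnachten card.",
    "christmas postkort!", "christmas - kartki!", "ecard.ru", "feliz navidad!",
    "christmas vykort!", "buon natale!",
}
ZAFI_STEMS = (
    "postcard", "pohlednice", "ekort", "postikorti", "ecarte", "kerstdagen", "atviruka",
    "karacsony", "weihnachten", "postkort", "kartki", "card", "feliz navidad!", "cartoline",
)
ZAFI_EXTENSIONS = (".cmd", ".bat", ".pif", ".com", ".zip")

# Attachment name = a known stem, an optional appended string (the worm may append
# random numbers), then one of the extensions the worm uses.
_ATTACHMENT_RE = re.compile(
    "^(?:" + "|".join(re.escape(s) for s in ZAFI_STEMS) + ")"
    + r"[^.]*(?:" + "|".join(re.escape(e) for e in ZAFI_EXTENSIONS) + ")$",
    re.IGNORECASE,
)

def zafi_d_indicators(msg: EmailMessage) -> list[str]:
    """Return the Zafi.D lure indicators present in a parsed message."""
    hits = []
    if (msg.get("Subject") or "").strip().lower() in ZAFI_SUBJECTS:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if _ATTACHMENT_RE.match(name):
            hits.append("attachment:" + name)
    return hits

def classify(msg: EmailMessage) -> str:
    """Gateway verdict (assumed names): lure subject plus lure attachment -> quarantine."""
    hits = zafi_d_indicators(msg)
    if "subject" in hits and len(hits) > 1:
        return "quarantine"
    return "review" if hits else "deliver"

def build_sample(subject: str, attachment_name: str) -> EmailMessage:
    """Constructed test message, not a real capture."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Happy Hollydays!")
    msg.add_attachment(b"placeholder bytes, not a binary", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg
```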
The worm searches the hard disk for folders named "share", "upload" or "music" and copies itself into them using one of the following names:
winamp 5.7 new!.exe
ICQ 2005a new!.exe
The worm searches the disk for files with the following extensions and harvests e-mail addresses from them:
htm
wab
txt
dbx
tbb
asp
php
sht
adb
mbx
eml
pmr
fpt
inb
The worm spreads itself to all the e-mail addresses that it finds. It avoids the e-mail addresses that contain the following strings:
yahoo
google
win
use
info
help
admi
webm
micro
msn
hotm
suppor
syman
viru
trend
secur
panda
cafee
sopho
kasper
Win32/Zafi.D terminates processes that contain the following strings in their names:
"firewall"
"virus"
The worm also prevents the following utilities from starting:
reged
msconfig
task
NOD32 detected Win32/Zafi.D using Advanced Heuristics. Sample-based detection has been included since version 1.947.
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.

