Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Zafi.B

Other names: W32.Erkez.B

Win32/Zafi.B is a worm that spreads via e-mail and through P2P file-sharing folders. It runs on Windows 95 and later. The executable is 12,800 bytes and is packed with the FSG packer; once unpacked it is about 49 kB.

Note: in the following text, %windir% stands for the directory in which the Windows operating system is installed, which differs from installation to installation; %system% stands for its System or System32 subdirectory.

The worm arrives in an e-mail message whose subject line and body are picked at random from a list hard-coded in the worm. Most of the lures pose as e-card, free-SMS or voice-message notifications in the recipient's language. The subject line may be, for example:

Ingyen SMS!
(English: Free SMS!)

And the message body:

------------------------ hirdetés -----------------------------

A sikeres 777sms.hu és az axelero.hu támogatásával újra
indul az ingyenes sms küldő szolgáltatás! Jelenleg ugyan
korlátozott számban, napi 20 ingyen smst lehet felhasználni.
Küldj te is SMST! Nehány kattintás és a mellékelt regisztrációs
lap kitöltése után azonnal igénybevehető! Bővebb információt
a www.777sms.hu oldalon találsz, de siess, mert az első ezer
felhasználó között értékes nyereményeket sorsolunk ki!

------------------------ axelero.hu ---------------------------

(English: "advertisement: With the support of the successful 777sms.hu and axelero.hu, the free SMS sending service is starting again! For now only in limited numbers: 20 free SMS can be used per day. Send an SMS yourself! A few clicks and, after filling in the attached registration form, it can be used immediately! You will find more information at www.777sms.hu, but hurry, because valuable prizes will be drawn among the first thousand users!")

Subject line:

Importante!
(English: Important!)

Message body:

Informacion importante que debes conocer, -
(English: Important information you should know, -)

Subject line:

Katya

Message body:

ADAOIU
OEIE

Subject line:

E-Kort!
(English: E-card!)

Message body:

Mit hjerte banker for dig!
(English: My heart beats for you!)

Subject line:

Ecard!

Message body:

De cand te-am cunoscut inima mea are un nou ritm!
(English: Since I met you, my heart has a new rhythm!)

Subject line:

E-vykort!
(English: E-postcard!)

Message body:

Subject line:

E-Postkort!
(English: E-postcard!)

Message body:

Vakre roser jeg sammenligner med deg...
(English: Beautiful roses I compare with you...)

Subject line:

E-postikorti!
(English: E-postcard!)

Message body:

Iloista kesaa!
(English: Happy summer!)

Subject line:

Atviruka!
(English: Postcard!)

Message body:

Linksmo gimtadieno!
(English: Happy birthday!)

Subject line:

E-Kartki!
(English: E-cards!)

Message body:

W Dniu imienin...
(English: On your name day...)

Subject line:

Cartoe Virtuais!
(English: Virtual cards!)

Message body:

Te amo...
(English: I love you...)

Subject line:

Flashcard fuer Dich!
(English: Flashcard for you!)

Message body:

Hallo!

hat dir eine elektronische Flashcard geschickt.
Um die Flashcard ansehen zu koennen, benutze in deinem Browser
einfach den nun folgenden link:
http://flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34

Viel Spass beim Lesen wuenscht Ihnen ihr...

(English: "Hello! ... has sent you an electronic flashcard. To view the flashcard, simply use the following link in your browser: ... Enjoy reading, yours...")

Subject line:

Er staat een eCard voor u klaar!
(English: An eCard is waiting for you!)

Message body:

Hallo!

heeft u een eCard gestuurd via de website nederlandse
taal in het basisonderwijs...
U kunt de kaart ophalen door de volgende url aan te klikken of te
kopiëren in uw browser link:
http://postkaarten.nl/viewcard.show53.index=04abD1

Met vriendelijke groet,
De redactie taalsite primair onderwijs...

(English: "Hello! ... has sent you an eCard via the website 'Dutch language in primary education'... You can collect the card by clicking the following URL or copying it into your browser: ... Kind regards, the editors of the primary-education language site...")

Subject line:

Elektronicka pohlednice!
(English: Electronic postcard!)

Message body:

Ahoj!

Elektronická pohlednice ze serveru http://www.seznam.cz
(English: "Hi! Electronic postcard from the server http://www.seznam.cz")

Subject line:

E-carte!
(English: E-card!)

Message body:

vous a envoye une E-carte à partir du site zdnet.fr
Vous la trouverez, à l'adresse suivante link:
http://zdnet.fr/showcard.index.php34bs42
www.zdnet.fr, plus de 3500 cartes virtuelles, vos pages web
en 5 minutes, du dialogue en direct...

(English: "... has sent you an E-card from the zdnet.fr site. You will find it at the following address: ... www.zdnet.fr, more than 3500 virtual cards, your web pages in 5 minutes, live chat...")

Subject line:

Ti e stata inviata una Cartolina Virtuale!
(English: A virtual postcard has been sent to you!)

Message body:

Ciao!

ha visitato il nostro sito, cartolina.it e ha creato una
cartolina virtuale per te! Per vederla devi fare click
sul link sottostante: http://cartolina.it/asp.viewcard=index4g345a
Attenzione, la cartolina sara visibile sui nostri server per
2 giorni e poi verra rimossa automaticamente.

(English: "Hi! ... visited our site, cartolina.it, and created a virtual postcard for you! To see it, click the link below: ... Note: the postcard will be visible on our servers for 2 days and will then be removed automatically.")

Subject line:

You`ve got 1 VoiceMessage!

Message body:

Dear Customer!

You`ve got 1 VoiceMessage from voicemessage.com website!
Sender:
You can listen your Virtual VoiceMessage at the following link:
http://virt.voicemessage.com/index.listen.php2=35affv
or by clicking the attached link.

Send VoiceMessage! Try our new virtual VoiceMessage Empire!
Best regards: SNAF.Team (R).

Subject line:

Tessek mosolyogni!!!
(English: Smile, please!!!)

Message body:

Ha ez a kép sem tud felviditani, akkor feladom!

Sok puszi:

(English: "If even this picture cannot cheer you up, I give up! Lots of kisses:")

Subject line:

Soxor Csok!
(English: Lots of kisses!)

Message body:

Szia!

Aranyos vagy, jó volt dumcsizni veled a neten!
Remélem tetszem, és szeretném ha te is küldenél képet
magadról, addig is csók:

(English: "Hi! You are cute, it was nice chatting with you online! I hope you like me, and I would like you to send a picture of yourself too; until then, kiss:")

Subject line:

Don`t worry, be happy!

Message body:

Hi Honey!

I`m in hurry, but i still love ya...
(as you can see on the picture)

Bye - Bye:

Subject line:

Check this out kid!!!

Message body:

Send me back bro, when you`ll be done...(if you know what i mean...)

See ya,

The worm itself is the attachment of the e-mail message. When the attachment is run, Win32/Zafi.B copies itself into the %system% directory under a random file name with the extension .exe. In the same directory it creates a second file with a random name and the extension .dll, in which it stores the e-mail addresses it has collected for further spreading.

To be started again at every system start-up, the worm adds a value named _Hazafibb, pointing at its copy in %system%, to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The worm also creates the following registry key, in which it stores its internal state:

HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb

The worm searches the hard disk for folders named "share" and "upload" (typically the shared folders of P2P clients) and copies itself into them under one of the following names, posing as an installer:

Total Commander 7.0 full_install.exe
winamp 7.0 full_install.exe

The worm searches the disk for files with the following extensions and harvests e-mail addresses from them:

htm
wab
txt
dbx
tbb
asp
php
sht
adb
mbx
eml
pmr

The worm mails itself to every address it finds, except addresses that contain any of the following substrings (the list mostly matches administrative mailboxes and anti-virus vendors):

win
use
info
help
admi
webm
micro
msn
hotm
suppor
syma
vir
trend
panda
yaho
cafee
sopho
google
kasper
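The address filter described above, as an added example that is not part of the original page or of the worm's code: a Python reimplementation of the harvesting filter that matches the page's substrings case-insensitively against the whole address. Run over a harvested address list, it shows which contacts the worm would mail and which it would skip; note the collateral effect that an ordinary address containing a substring such as "win" is skipped as well. The regular expression, the scanned-extension check and the sample text are assumptions constructed for this example.

```python
from __future__ import annotations

import re

# Substrings Win32/Zafi.B refuses to mail to (the page's list), matched
# case-insensitively against the whole address.
ZAFI_B_SKIP_SUBSTRINGS = (
    "win", "use", "info", "help", "admi", "webm", "micro", "msn", "hotm",
    "suppor", "syma", "vir", "trend", "panda", "yaho", "cafee", "sopho",
    "google", "kasper",
)

# File types the worm scans for addresses (the page's list).
ZAFI_B_SCANNED_EXTENSIONS = (
    ".htm", ".wab", ".txt", ".dbx", ".tbb", ".asp", ".php", ".sht", ".adb",
    ".mbx", ".eml", ".pmr",
)

# Assumption: the worm's own address matcher is not on the page; a plain
# local@domain pattern stands in for it here.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_skipped_by_zafi_b(address: str) -> bool:
    """True if the address contains any of the worm's avoidance substrings."""
    lowered = address.lower()
    return any(s in lowered for s in ZAFI_B_SKIP_SUBSTRINGS)


def harvest(text: str) -> dict[str, list[str]]:
    """Split the addresses found in `text` into those the worm would mail to
    and those its filter discards (deduplicated, in order of appearance)."""
    targeted: list[str] = []
    skipped: list[str] = []
    seen: set[str] = set()
    for addr in EMAIL_RE.findall(text):
        key = addr.lower()
        if key in seen:
            continue
        seen.add(key)
        (skipped if is_skipped_by_zafi_b(addr) else targeted).append(addr)
    return {"targeted": targeted, "skipped": skipped}


def scannable(path: str) -> bool:
    """True if Zafi.B would open this file while looking for addresses."""
    return path.lower().endswith(ZAFI_B_SCANNED_EXTENSIONS)


# Constructed sample input (not from the page): a fragment of a harvested
# mailbox file mixing ordinary contacts with AV-vendor and admin mailboxes.
SAMPLE_TEXT = """
From: Anna Kovacs <anna.kovacs@example.hu>
To: peter@example.com, webmaster@example.org
Cc: support@example.net, virus@virusbuster.hu
Contact: bela@2f.hu, info@example.hu, joe.winters@example.com
"""

if __name__ == "__main__":
    result = harvest(SAMPLE_TEXT)
    print("targeted:", result["targeted"])
    print("skipped: ", result["skipped"])
```

The "joe.winters" address in the sample is skipped only because it contains "win"; when reconstructing who an infected machine could have mailed, apply the same filter to the victim's own address books rather than assuming every contact was hit.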

The worm terminates every process whose name contains one of the following strings:

"firewall"
"virus"

The worm also prevents the following utilities from starting (matched by name, so "Task" also covers Task Manager):

Regedit
Msconfig
Task

Infected computers send requests to the following web sites, which shows up in proxy and firewall logs:

www.parlament.hu
www.virusbuster.hu
www.virushirado.hu
www.2f.hu
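An added triage check built from the indicators on this page (example code, neither ESET's nor the worm's): it flags the _Hazafibb Run value and state key, copies dropped under share/upload folders with the two lure names, and proxy log lines to the four web sites. The assessment functions work on snapshots so they can be run offline against an exported hive, a file listing and a log extract; collect_windows() gathers a live snapshot with winreg when run on Windows. The random .exe name, the sample paths and the log line format are constructed assumptions.

```python
from __future__ import annotations

import os
import sys
from pathlib import PureWindowsPath

# Indicators taken from the page's description of Win32/Zafi.B.
RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "_Hazafibb"
STATE_SUBKEY = r"Software\Microsoft\_Hazafibb"
P2P_DROP_NAMES = {"total commander 7.0 full_install.exe", "winamp 7.0 full_install.exe"}
P2P_DROP_DIRS = {"share", "upload"}
DOS_TARGET_HOSTS = {"www.parlament.hu", "www.virusbuster.hu", "www.virushirado.hu", "www.2f.hu"}


def assess_registry(run_values: dict[str, str], present_subkeys: set[str]) -> list[str]:
    """Flag the worm's Run value and its state key. `run_values` maps value
    name -> data under HKLM\\...\\Run; `present_subkeys` holds the HKLM subkey
    paths known to exist (from collect_windows() or an offline hive export)."""
    hits: list[str] = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME.lower():
            hits.append(f"HKLM\\{RUN_SUBKEY}\\{name} = {data}")
    if any(k.lower() == STATE_SUBKEY.lower() for k in present_subkeys):
        hits.append(f"HKLM\\{STATE_SUBKEY} exists (worm state key)")
    return hits


def assess_files(paths: list[str]) -> list[str]:
    """Flag worm copies dropped into share/upload folders under the lure names.
    The same file name elsewhere is not reported: the page ties the drop to
    those two folder names."""
    hits: list[str] = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() in P2P_DROP_NAMES and wp.parent.name.lower() in P2P_DROP_DIRS:
            hits.append(f"P2P lure copy: {p}")
    return hits


def assess_proxy_log(lines: list[str]) -> list[str]:
    """Flag log lines whose requested host is one of the worm's target sites.
    Assumption: the host is the third whitespace-separated field (a constructed
    layout, not any particular proxy's format)."""
    hits: list[str] = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 3 and fields[2].lower() in DOS_TARGET_HOSTS:
            hits.append(line)
    return hits


def collect_windows(scan_roots: tuple[str, ...] = ("C:\\",)) -> list[str]:
    """Live collection on a Windows host (returns [] elsewhere): read the Run
    key, probe the state key and walk scan_roots for share/upload folders."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only standard-library module
    run_values: dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            run_values[name] = str(data)
            index += 1
    present: set[str] = set()
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, STATE_SUBKEY))
        present.add(STATE_SUBKEY)
    except OSError:
        pass
    paths: list[str] = []
    for root in scan_roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            if os.path.basename(dirpath).lower() in P2P_DROP_DIRS:
                paths.extend(os.path.join(dirpath, f) for f in filenames)
    return assess_registry(run_values, present) + assess_files(paths)


# Constructed sample evidence (not from the page) standing in for what
# collect_windows() and a proxy log extract would yield on an infected host.
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "_Hazafibb": r"C:\WINDOWS\system32\qmvbzp.exe",  # random name, assumed
}
SAMPLE_SUBKEYS = {r"Software\Microsoft\_Hazafibb", r"Software\Microsoft\Windows"}
SAMPLE_PATHS = [
    r"C:\Downloads\share\winamp 7.0 full_install.exe",
    r"D:\upload\Total Commander 7.0 full_install.exe",
    r"C:\tools\winamp 7.0 full_install.exe",  # lure name, wrong folder: no hit
]
SAMPLE_PROXY_LOG = [
    "2004-06-14T10:01:02 10.0.0.17 www.parlament.hu GET / 200",
    "2004-06-14T10:01:03 10.0.0.17 www.example.com GET /index.html 200",
    "2004-06-14T10:01:04 10.0.0.17 www.2f.hu GET / 503",
]

if __name__ == "__main__":
    for hit in (assess_registry(SAMPLE_RUN_VALUES, SAMPLE_SUBKEYS)
                + assess_files(SAMPLE_PATHS) + assess_proxy_log(SAMPLE_PROXY_LOG)
                + collect_windows()):
        print(hit)
```

On a live host run it as an administrator so the HKLM reads and the folder walk succeed; the Run value's data gives the random %system% file name to collect before cleaning.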

NOD32 detects Win32/Zafi.B using Advanced Heuristics. Signature-based detection of this sample has been included since virus database version 1.783.

If you are using an older virus database, we strongly advise updating it from the Internet by clicking "Update Now" in the NOD32 Control Center.