Threat Encyclopedia

Win32/Zafi.D

Win32/Zafi.D is a worm that spreads in e-mail attachments and via P2P networks. Its executable file is 11745 bytes long and is compressed using FSG.

Note: In the text that follows, the symbolic name %windir% stands for the directory in which the Windows operating system is installed; this differs from installation to installation. The System or System32 subdirectory of %windir% is referred to as %system%.

The body of the message sent by the worm contains a short Christmas greeting. There are 15 different language versions; the version used is chosen according to the recipient's top-level domain.

Examples of the messages:

English
subject: Merry Christmas!
message body: Happy Hollydays!
attachment name: postcard

Czech
subject: Christmas pohlednice
message body: Veselé Vánoce!
attachment name: pohlednice

Danish
subject: Christmas Kort!
message body: Glaedelig Jul!
attachment name: ekort

Finnish
subject: Christmas postikorti!
message body: Iloista Joulua!
attachment name: postikorti

French
subject: Joyeux Noel!
message body: Joyeux Noel!
attachment name: ecarte

Dutch
subject: Prettige Kerstdagen!
message body: Prettige Kerstdagen!
attachment name: kerstdagen

Lithuanian
subject: Prettige Kerstdagen!
message body: Naujieji Metai!
attachment name: atviruka

Hungarian
subject: boldog karacsony...
message body: Kellemes unnepeket!
attachment name: karacsony

German
subject: Weihnachten card.
message body: Frohliche Weihnachten
attachment name: weihnachten

Norwegian
subject: Christmas Postkort!
message body: God Jul!
attachment name: postkort

Polish
subject: Christmas - Kartki!
message body: Wesolych Swiat!
attachment name: kartki

Russian
subject: ecard.ru
message body:
attachment name: card

Spanish
subject: Feliz Navidad!
message body: navidad
attachment name: Feliz Navidad!

Swedish
subject: Christmas Vykort!
message body: God Jul!
attachment name: vykort

Italian
subject: Buon Natale!
message body: Buon Natale!
attachment name: cartoline

Random numbers or another string may be appended to the attachment name. The attachment has the extension .cmd, .bat, .pif, .com or .zip; it is either an executable or a ZIP archive.

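The lure pattern described above (a fixed set of subjects and greetings, an attachment whose base name comes from the list, optional appended characters, and one of five extensions) is what a mail gateway rule would key on. The following is an added example, not code from the encyclopedia entry or from ESET; the sample messages are constructed, and it assumes that the Spanish entry's message body and attachment name were transposed on the page, so "navidad" is taken as the attachment base name.

```python
import re
from dataclasses import dataclass

# Attachment base names quoted in the message list above. The Spanish entry on
# the page gives "navidad" as the message body and "Feliz Navidad!" as the
# attachment name; this example assumes the two were transposed and uses
# "navidad" as the base name.
ZAFI_ATTACHMENT_NAMES = (
    "postcard", "pohlednice", "ekort", "postikorti", "ecarte", "kerstdagen",
    "atviruka", "karacsony", "weihnachten", "postkort", "kartki", "card",
    "navidad", "vykort", "cartoline",
)

# Attachment extensions listed in the description.
ZAFI_EXTENSIONS = ("cmd", "bat", "pif", "com", "zip")

# Subject lines and message bodies quoted in the description, lower-cased for
# case-insensitive comparison (the worm's own misspellings are kept as-is).
ZAFI_TEXTS = {
    "merry christmas!", "happy hollydays!", "christmas pohlednice",
    "veselé vánoce!", "christmas kort!", "glaedelig jul!",
    "christmas postikorti!", "iloista joulua!", "joyeux noel!",
    "prettige kerstdagen!", "naujieji metai!", "boldog karacsony...",
    "kellemes unnepeket!", "weihnachten card.", "frohliche weihnachten",
    "christmas postkort!", "god jul!", "christmas - kartki!",
    "wesolych swiat!", "ecard.ru", "feliz navidad!", "navidad",
    "christmas vykort!", "buon natale!",
}

# A lure file name starts with one of the base names, may carry appended
# digits or other characters, and ends in one of the listed extensions.
_ATTACH_RE = re.compile(
    r"^(?:%s)[^.]*\.(?:%s)$"
    % ("|".join(ZAFI_ATTACHMENT_NAMES), "|".join(ZAFI_EXTENSIONS)),
    re.IGNORECASE,
)


@dataclass
class MailSample:
    subject: str
    body: str
    attachment: str  # attachment file name, "" when there is none


def attachment_matches(filename: str) -> bool:
    """True when the file name fits the worm's base-name + extension pattern."""
    return _ATTACH_RE.match(filename) is not None


def text_matches(text: str) -> bool:
    """True when a subject or body equals one of the quoted greetings."""
    return text.strip().lower() in ZAFI_TEXTS


def classify(msg: MailSample) -> str:
    """Return "match", "suspicious" or "clean" for one message.

    match      - lure-shaped attachment plus a known subject or body string
    suspicious - lure-shaped attachment only; worth holding for review, since
                 a plain "card.zip" also occurs in legitimate mail
    clean      - the attachment does not fit the pattern at all
    """
    if not attachment_matches(msg.attachment):
        return "clean"
    if text_matches(msg.subject) or text_matches(msg.body):
        return "match"
    return "suspicious"


# Constructed sample messages (not real captures).
SAMPLES = [
    MailSample("Merry Christmas!", "Happy Hollydays!", "postcard4821.zip"),
    MailSample("Weihnachten card.", "Frohliche Weihnachten", "weihnachten.pif"),
    MailSample("Q4 report", "see attached", "card.zip"),
    MailSample("Merry Christmas!", "photos from the party", "party.jpg"),
]


def classify_all(samples=SAMPLES):
    """Classify every sample; returns the list of verdicts in order."""
    return [classify(s) for s in samples]


if __name__ == "__main__":
    for s, verdict in zip(SAMPLES, classify_all()):
        print(f"{verdict:10s} subject={s.subject!r} attachment={s.attachment!r}")
```

The two-level verdict is deliberate: the extension and base-name check alone would quarantine ordinary "card.zip" greetings, so only the combination with one of the quoted subject or body strings is reported as a definite match, and the rest is held for review.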
Upon execution the worm copies itself into the %system% folder under the name "Norton Update.exe". A file with a random name and a ".dll" extension is created in the same directory.

When the worm is executed for the first time, a fake error message "Error in packed file!" is displayed; the caption of the message window is "CRC: 04F7Bh".

In order to run on every system start-up, the worm creates a value called "Wxp4" in the following Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The value contains the path to the executable of Win32/Zafi.D.

A Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Wxp4 is created; the worm stores various information there.

The worm searches the hard disk for folders named "share", "upload" or "music" and copies itself into them using one of the following names:

winamp 5.7 new!.exe
ICQ 2005a new!.exe
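The persistence entries and the dropped file names above are the host-side artifacts an incident responder would look for. As an added example (not code from the encyclopedia entry or from ESET), the script below parses a constructed `reg export` excerpt and a constructed file listing and flags the "Wxp4" Run value, the worm's own Wxp4 key, the copy in %system% and the copies in "share", "upload" or "music" folders. The user paths and the unrelated SoundMAX entry are placeholders, and the Wxp4 key is listed without values because the description does not say what the worm stores there.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt of a `reg export` dump (not a real capture). The .reg
# format doubles backslashes inside string data. The Wxp4 key is listed
# without values because the description does not say what the worm stores.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"Wxp4"="C:\\WINDOWS\\system32\\Norton Update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wxp4]
"""

# Constructed file listing, as a `dir /s /b` capture would give it.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\Norton Update.exe",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\Users\alice\share\winamp 5.7 new!.exe",
    r"C:\Users\alice\Music\ICQ 2005a new!.exe",
    r"C:\Users\alice\Documents\report.docx",
]

# Keys and names from the description, lower-cased for comparison.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WXP4_KEY = r"hkey_local_machine\software\microsoft\wxp4"
DROPPED_NAME = "norton update.exe"
P2P_NAMES = {"winamp 5.7 new!.exe", "icq 2005a new!.exe"}
P2P_FOLDERS = {"share", "upload", "music"}
SYSTEM_FOLDERS = {"system", "system32"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {key (lower-cased): {value name: data}}.

    Only string values (REG_SZ, written as "name"="data") are decoded;
    other data types are kept as their raw text.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][m.group(1).lower()] = data
    return keys


def registry_findings(reg: dict) -> list:
    """Flag the Run value and the worm's own key if present."""
    findings = []
    run_values = reg.get(RUN_KEY, {})
    if "wxp4" in run_values:
        findings.append(f"Run value 'Wxp4' -> {run_values['wxp4']}")
    if WXP4_KEY in reg:
        findings.append("key HKLM\\Software\\Microsoft\\Wxp4 present")
    return findings


def file_findings(paths) -> list:
    """Flag the dropped copy in %system% and copies in P2P share folders."""
    findings = []
    for p in paths:
        wp = PureWindowsPath(p)
        name, parent = wp.name.lower(), wp.parent.name.lower()
        if name == DROPPED_NAME and parent in SYSTEM_FOLDERS:
            findings.append(f"dropped copy: {p}")
        elif name in P2P_NAMES and parent in P2P_FOLDERS:
            findings.append(f"P2P share copy: {p}")
        elif name == DROPPED_NAME or name in P2P_NAMES:
            findings.append(f"worm file name outside expected folder: {p}")
    return findings


def scan(reg_text: str = SAMPLE_REG_EXPORT, paths=SAMPLE_FILES) -> list:
    """Run both checks and return the combined list of findings."""
    return registry_findings(parse_reg_export(reg_text)) + file_findings(paths)


if __name__ == "__main__":
    for f in scan():
        print(f)
```

Running it against real collections means feeding `scan()` the text of a `reg export HKLM\SOFTWARE` dump and the lines of a recursive directory listing; the Run value and the Wxp4 key together are the strongest indicator, since the file name "Norton Update.exe" was chosen to look legitimate.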

The worm searches the disk for files with the following extensions:

htm
wab
txt
dbx
tbb
asp
php
sht
adb
mbx
eml
pmr
fpt
inb

The worm sends itself to all the e-mail addresses it finds, except those that contain the following strings:

yahoo
google
win
use
info
help
admi
webm
micro
msn
hotm
suppor
syman
viru
trend
secur
panda
cafee
sopho
kasper

Win32/Zafi.D terminates processes that contain the following strings in their names:

"firewall"
"virus"

The worm also blocks the start of utilities whose names contain the following strings:

reged
msconfig
task

NOD32 detected Win32/Zafi.D using Advanced Heuristics. Detection based on a sample has been included since version 1.947.