Virus: Worm/Kafs.A
Date discovered: 12/10/2005
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Low to medium
Static file: Yes
File size: 15.673 Bytes
MD5 checksum: DCE647910FF508DA7B48577C218F6050
VDF version: 6.32.00.65

General

Method of propagation:
• Email

Aliases:
• Symantec: W32.Erkez.G@mm
• Kaspersky: Email-Worm.Win32.Zafi.g
• TrendMicro: WORM_ZAFI.F
• Bitdefender: Win32.Zafi.F@mm

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Uses its own Email engine
• Registry modification

Right after execution the following information is displayed:

Files

It copies itself to the following locations:
• %SYSDIR%\%random character string%.dll
• %SYSDIR%\AntiVirus Update.exe

The following files are created:
– Non-malicious file:
  • %SYSDIR%\%random character string%.dll
– A file that contains collected email addresses:
  • %SYSDIR%\%random character string%.dll
– Temporary files that might be deleted afterwards:
  • %SYSDIR%\a.wsf
  • %System Root Drive%\m.txt
– %System Root Drive%\z.m
  This is a non-malicious text file that contains information about the program itself.

Registry

The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • %SYSDIR%\AntiVirus Update.exe

The following registry key is added:
– [HKLM\SOFTWARE\Microsoft\Zi5]

Email

It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server is established. The characteristics are described in the following. The language in which the email is sent out depends on the Top-Level-Domain of the recipient address.

From:
The sender address is the user's Outlook account.

To:
– Email addresses found in specific files on the system.

Subject:
The subject of the email is constructed out of the following:

Sometimes it starts with one of the following:
• FW:
• RE:

Continued by one of the following:
• msn photo ecard
• commercial ecard :)
• witzig reklame :))
• witzig bild :D
• legszexibb megasztar foto!
• szavazz ra te is!
• broma :))
• humor :))
• rolig reklam :))
• haha - rolig :))
• grappig beeld :))
• een grappig reclame :D
• blague :))
• humour - reclame :))
• scherzo :))
• comico quadro :))
• humor.ru
• :D

Body:
– Contains HTML code.

The body of the email is one of the following:
• ImageFormat: 640x480
  ImageSize: 16Kb
  Message: you need to see this :))
  From: %email account's user name%
  Date: %current date%
  AV-Control: http://%recipient's domain%/%attachment filename without extension%.zip
  MSN Mail: +++ No Virus
  Filename: %random character string%.jpg [download]
• BildFormat: 640x480
  Bildabmessung: 16Kb
  Botschaft: eine witzig reklame foto :))
  Absender: %email account's user name%
  Datum: %current date%
  AV-Kontrolle: http://%recipient's domain%/%attachment filename without extension%.zip
  MSN Mail: +++ No Virus
  Filename: %random character string%.jpg [download]
• KepFormetum: 640x480
  KepMeret: 16Kb
  Dzenet: itt a kedvenc megaszteros kepem :))
  Feladf=F3: %email account's user name%
  Detum: %current date%
  AV-Ellenfrzes: http://%recipient's domain%/%attachment filename without extension%.zip
  MSN Mail: +++ No Virus
  Filenev: %random character string%.jpg [download]
• Cuadro/Medida: 16Kb
  Mensaje: Sexo y humor para pasar un buen rato! :))
  Expedidor: %email account's user name%
  Data: %current date%
  AV-Control: http://%recipient's domain%/%attachment filename without extension%.zip
  MSN Mail: +++ No Virus
  Filename: %random character string%.jpg [download]
• Bildform: 640x480
  Bild/Omfattning: 16Kb
  Meddelande: rolig reklam!! :))
  Post: %email account's user name%
  Datum: %current date%
  AV-Control: http://%recipient's domain%/%attachment filename without extension%.zip
  MSN Mail: +++ No Virus
  Filenamn: %random character string%.jpg [download]
• Beeldformaat: 640x480
  Beeldmaat: 16Kb
  Boodschap: een ontroerend of grappig reclame :))
  Afzender: %email account's user name%
  Datum: %current date%
  AV-Controle: http://%recipient's domain%/%attachment filename without extension%.zip
  MSN Mail: +++ No Virus
  Filename: %random character string%.jpg [download]
• Image/Mode: 640x480
  Image/Taille: 16Kb
  Message: le sexe d'une femme apres l'amour (humour, reclame) :))
  Expediteur: %email account's user name%
  Date: %current date%
  AV-Verification: http://%recipient's domain%/%attachment filename without extension%.zip
  MSN Mail: +++ No Virus
  Filenom: %random character string%.jpg [download]
• Quadro/Forma: 640x480
  Quadro/Proporzioni: 16Kb
  Messaggio: comico reclame!! :))
  Mittente: %email account's user name%
  Data: %current date%
  AV-Controllare: http://%recipient's domain%/%attachment filename without extension%.zip
  MSN Mail: +++ No Virus
  Nomefile: %random character string%.jpg [download]
• открытка с видом: 640 x 480
  по величине: 16 Kb
  послание: :))
  отправитель: %email account's user name%
  отображение даты: %current date%
  AV-контролер: http://%recipient's domain%/%attachment filename without extension%.zip
  MSN Mail: +++ No Virus
  имя файла: %random character string%.jpg [загружаемый]

Attachment:
The filename of the attachment is constructed out of the following:

– It starts with one of the following:
  • reklam
  • megasztar
  • humor
  • reklame
  • reclame
  • humor
  • funny
  • commercial
  • msn
  • messenger
  • photo

– Sometimes continued by one of the following:
  • reklam
  • megasztar
  • humor
  • reklame
  • reclame
  • humor
  • funny
  • commercial
  • msn
  • messenger
  • photo

– Continued by one of the following:
  • foto%several random digits%
  • imag%several random digits%
  • pict%several random digits%
  • dscn%several random digits%

The file extension is one of the following:
• .zip

The attachment is a copy of the created file:
%SYSDIR%\%random character string%.dll

The email looks like the following:

Mailing

Search addresses:
It searches the following files for email addresses:
• dbx; asp; txt; htm; mbx; wab; php; sht; adb; tbb; inb; pmr; fpt; eml

Avoid addresses:
It does not send emails to addresses containing one of the following strings:
• support; google; win; use; info; help; admi; webm; micro; msn; hotmai; suppor; soft; www; service; test; linux; subsc; sales; contact@; -faq; secur; nod3; trend; bitde; symant; eset; panda; mcafe; sopho; kasper

Prepend MX strings:
In order to get the IP address of the mail server it prepends the following string to the domain name:
• mx.

Process termination

It prevents processes whose filename contains one of the following strings from running:
• reged
• msconfig
• task

File details

Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
• FSG
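The mailing pattern above (optional FW:/RE: prefix plus a fixed lure subject, a two-word attachment name ending in foto/imag/pict/dscn plus digits and .zip, and an HTML body whose fake "AV-Control" URL repeats the attachment name) is specific enough to check at a mail gateway. The following is an added example, not part of the original description; the sample message, the domain example.org and the name xq7ab are constructed.

```python
import re

# Indicator strings taken from the Worm/Kafs.A description.
SUBJECT_LURES = {
    "msn photo ecard", "commercial ecard :)", "witzig reklame :))", "witzig bild :D",
    "legszexibb megasztar foto!", "szavazz ra te is!", "broma :))", "humor :))",
    "rolig reklam :))", "haha - rolig :))", "grappig beeld :))", "een grappig reclame :D",
    "blague :))", "humour - reclame :))", "scherzo :))", "comico quadro :))", "humor.ru", ":D",
}
_LURES_LC = {s.lower() for s in SUBJECT_LURES}
ATTACH_WORDS = ["reklam", "megasztar", "humor", "reklame", "reclame", "funny",
                "commercial", "msn", "messenger", "photo"]
ATTACH_STEMS = ["foto", "imag", "pict", "dscn"]
_WORDS = "|".join(sorted(ATTACH_WORDS, key=len, reverse=True))
_STEMS = "|".join(ATTACH_STEMS)
# <word>[<word>]<stem><digits>.zip, e.g. "msnphotofoto0412.zip"
ATTACHMENT_RE = re.compile(rf"^(?:{_WORDS})(?:{_WORDS})?(?:{_STEMS})\d+\.zip$", re.IGNORECASE)
# Optional "FW:" / "RE:" prefix, then the lure text.
SUBJECT_RE = re.compile(r"^(?:(?:FW|RE):\s*)?(.*)$", re.IGNORECASE)
# Fake AV-Control line: http://<recipient domain>/<attachment name>.zip
BODY_URL_RE = re.compile(r"https?://[^\s/]+/([A-Za-z0-9_-]+)\.zip", re.IGNORECASE)
DOWNLOAD_MARKERS = ("[download]", "[загружаемый]")

def subject_matches(subject: str) -> bool:
    lure = SUBJECT_RE.match(subject.strip()).group(1).strip()
    return lure.lower() in _LURES_LC

def attachment_matches(filename: str) -> bool:
    return ATTACHMENT_RE.match(filename) is not None

def body_matches(body: str, attachments) -> bool:
    """Lure body: the fake 'No Virus' stamp, a download marker, and a URL whose
    file name equals the name of the attached zip (the worm reuses it)."""
    if "MSN Mail: +++ No Virus" not in body:
        return False
    if not any(marker in body for marker in DOWNLOAD_MARKERS):
        return False
    stems = {a[:-4].lower() for a in attachments if a.lower().endswith(".zip")}
    return any(m.group(1).lower() in stems for m in BODY_URL_RE.finditer(body))

def kafs_indicators(subject: str, body: str, attachments) -> list:
    """Return the indicator names a message triggers; all three together match
    the documented mailing pattern, one alone is only a weak signal."""
    hits = []
    if subject_matches(subject):
        hits.append("subject")
    if any(attachment_matches(a) for a in attachments):
        hits.append("attachment")
    if body_matches(body, attachments):
        hits.append("body")
    return hits

# Constructed sample modelled on the English body template (not a real capture).
SAMPLE_BODY = ("ImageFormat: 640x480 ImageSize: 16Kb Message: you need to see this :)) "
               "From: alice Date: 12/10/2005 AV-Control: http://example.org/msnphotofoto0412.zip "
               "MSN Mail: +++ No Virus Filename: xq7ab.jpg [download]")

if __name__ == "__main__":
    print(kafs_indicators("FW: msn photo ecard", SAMPLE_BODY, ["msnphotofoto0412.zip"]))
```

The body check deliberately ties the URL name to the attachment name rather than to the recipient domain, since the domain varies per message while the name reuse is constant across all language templates.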
Description inserted by Andrei Gherman on Wednesday, October 12, 2005 Description updated by Andrei Gherman on Thursday, October 13, 2005