Worm/Zafi.D - Worm

See also

Summary

Full description

Statistics

Virus:	Worm/Zafi.D
Date discovered:	14/12/2004
Type:	Worm
In the wild:	Yes
Reported Infections:	Medium
Distribution Potential:	Medium to high
Damage Potential:	Medium
Static file:	Yes
File size:	11.745 Bytes
MD5 checksum:	387ea0a6f410281971b3fc53b7777a40
VDF version:	6.29.00.15 - Tue, 14 Dec 2004 13:42 (GMT+1)

General Method of propagation:
   • Email
   • Peer to Peer

Aliases:
   • Symantec: W32/Zafi.d@MM
   • Mcafee: W32/Zafi.d@MM
   • Kaspersky: Email-Worm.Win32.Zafi.d
   • Sophos: W32/Zafi-D
   • Grisoft: I-Worm/Zafi.D
   • Bitdefender: Win32.Zafi.D@mm

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Right after execution the following information is displayed:

Files It copies itself to the following location:
• %SYSDIR%\Norton Update.exe

The following files are created:

– A file that contains collected email addresses:
• %SYSDIR%\%random%.dll

– C:\s.cm

Registry The following registry key is added in order to run the process after reboot:

– HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   • "Wxp4" = "%SYSDIR%\Norton Update.exe"

The following registry key is added:

– [HKLM\Software\Microsoft\Wxp4]
   • rD=dword:00000101
   • t1="%current username%"
   • t3="%SYSDIR%\Norton Update.exe"
   • t4="%SYSDIR%\%random character string%.dll"
   • lA="%PROGRAM FILES%\MSN\MSNCoreFiles"

Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:
The language in which the email is sent out depends on the Top-Level-Domain.

From:
The sender address is spoofed.

To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)
– Generated addresses

Subject:
One of the following:
   • Christmas - Kartki!
   • Christmas Vykort!
   • Christmas Kort!
   • Christmas Postkort!
   • Christmas postikorti!
   • Christmas Atviruka!
   • Weihnachten card.
   • Prettige Kerstdagen!
   • Christmas pohlednice
   • Fw: ecard.ru
   • Fw: Merry Christmas!
   • Merry Christmas!
   • Re: Merry Christmas!
   • Weihnachten card.
   • Joyeux Noel!
   • Buon Natale!

Body:
– Contains HTML code.

Attachment:
The filenames of the attachments is constructed out of the following:

   • kartki
   • link
   • postcard
   • weihnachten
   • vykort
   • postkort
   • postikorti
   • atviruka
   • kerstdagen
   • pohlednice
   • ecarte
   • cartoline
   • navidad

   • christmas
   • card
   • postcard
   • index
   • kartki
   • link
   • postcard
   • weihnachten
   • vykort
   • postkort
   • postikorti
   • atviruka
   • kerstdagen
   • pohlednice
   • ecarte
   • cartoline
   • navidad

    Sometimes continued by one of the following:
   • christmas
   • index

    Continued by one of the following fake extensions:
   • gif%four-digit random character string%
   • jpg%four-digit random character string%
   • php%four-digit random character string%

    The file extension is one of the following:
   • zip
   • cmd
   • bat
   • pif

Here are a few examples of how the filename of the attachment might look like:
   • postcard.christmas.jpg7230.cmd
   • vykort.index.jpg8253.zip
   • weihnachten.christmas.php3720.pif

The attachment is an archive containing a copy of the malware itself.

The email looks like the following:

Mailing Search addresses:
It searches the following files for email addresses:
   • htm; wab; txt; dbx; tbb; asp; php; sht; adb; mbx; eml; pmr; fpt; inb
It uses the same domain list as mentioned above.

The domain is one of the following:
   • .hu; .sp; .ru; .dk; .ro; .se; .no; .fi; .lt; .pl; .pt; .de; .nl; .cz;
      .fr; .it; .mx; .at; .es

Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • yaho; google; win; use; info; help; admi; webm; micro; msn; hotm;
      suppor; syman; viru; trend; secur; panda; cafee; sopho; kasper;

P2P In order to infect other systems in the Peer to Peer network community the following action is performed:

–   It searches for directories that contain one of the following substrings:
   • share
   • upload
   • music

   If successful, the following files are created:
   • winamp 5.7 new!.exe
   • ICQ 2005a new!.exe

   These files are copies of the malware itself.

Process termination Processes with one of the following strings are terminated:
   • firewall
   • virus
   • reged
   • msconfig
   • task

Backdoor The following port is opened:
on TCP port 8181 in order to provide backdoor capabilities.

Miscellaneous Mutex:
It creates the following Mutex:
• Wxp4

File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• FSG 2.0

See a brief description here.

Description inserted by Ernest Szocs on Fri, 26 Oct 2007 09:44 (GMT+1)
Description updated by Ernest Szocs on Fri, 26 Oct 2007 12:39 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back