Lumension® Endpoint Intelligence Center


Overview

Threat Risk MEDIUM
Destructivity LOW
Payload May overwrite certain firewall/antivirus files.
Detection files published 10 Jun 2004 03:00:00
Description created 14 Jun 2004 12:10:00
Description updated 14 Jun 2004 12:10:00
Malware type WORM
Alias W32.Erkez.B
Spreading mechanism EMAIL
OTHER
Summary None

W32/Zafi.B

Spreading

When the attachment is executed, the worm creates the mutex _Hazafibb to avoid being loaded twice.
Next it copies itself to %windir%\System32\[random filename].exe and creates the following registry value so that it is started with Windows:
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\_Hazafibb" = "%windir%\System32\[filename].exe"
The worm searches files with the extensions listed in WordList1 for email addresses and stores
them in several randomly named DLL files in %windir%\System\
Zafi.B fetches the user's name, email address and SMTP server from "HKCU\Software\Microsoft\Internet Account Manager" and
stores this data in "HKLM\Software\Microsoft\_Hazafibb" together with references to all the previously created DLL files.
Next, it opens a web page at an address taken at random from "HKCU\Software\Microsoft\Internet Explorer\TypedURLs".
The worm searches the drives for directories whose names contain the strings "share" or "upload".
When one is found, copies of the worm under the file names in WordList2 are placed there in order to spread through P2P programs.
Zafi.B blocks access to any file whose name contains the strings "regedit", "msconfig" or "task" to make detection and removal harder.
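The persistence, harvesting and P2P artifacts described above can be checked against evidence an analyst has already pulled from a host. The following Python is an added example, not Lumension's code and not part of the original description: it reads a `reg export` dump and a list of file paths, flags the _Hazafibb Run value and data key, the worm copies dropped under the WordList2 names into "share"/"upload" directories, and the files the worm's own "regedit"/"msconfig"/"task" filter would deny access to. The registry dump, the paths and the random executable and DLL names in them are constructed for the example.

```python
"""Host triage for the W32/Zafi.B artifacts described on this page.

Added example, not Lumension's code. It works on collected evidence
(a `reg export` dump and a file listing), so it runs offline anywhere.
Sample data at the bottom is constructed; the random file names are
invented placeholders.
"""

MUTEX = "_Hazafibb"  # also used as the Run value name and the data key name
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
DATA_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb"
P2P_DIR_MARKERS = ("share", "upload")  # directory names the worm looks for
P2P_LURE_NAMES = {"Total Commander 7.0 full_install.exe", "winamp 7.0 full_install.exe"}
BLOCKED_STRINGS = ("regedit", "msconfig", "task")


def parse_reg_export(text):
    """Turn the [key] / "name"="data" lines of a .reg dump into {key: {name: data}}.
    Only string values are handled; that is all these indicators need."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # accept the short HKLM form used in the description as well
            current = line[1:-1].replace("HKLM\\", "HKEY_LOCAL_MACHINE\\", 1)
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line[1:].partition('"=')
            # .reg files double every backslash in string data
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def registry_indicators(reg):
    """The Run value and the bookkeeping key the description attributes to Zafi.B."""
    hits = []
    run_value = reg.get(RUN_KEY, {}).get(MUTEX)
    if run_value:
        hits.append(("run_key", run_value))
    if DATA_KEY in reg:
        hits.append(("data_key", sorted(reg[DATA_KEY].values())))
    return hits


def p2p_copies(paths):
    """Worm copies under WordList2 names inside directories named *share*/*upload*."""
    found = []
    for path in paths:
        folder, _, name = path.replace("/", "\\").rpartition("\\")
        if name in P2P_LURE_NAMES and any(m in folder.lower() for m in P2P_DIR_MARKERS):
            found.append(path)
    return found


def blocked_by_worm(path):
    """True if the worm's substring filter would deny access to this file name.
    Note the collateral: "task" matches anything with "task" in its name."""
    name = path.replace("/", "\\").rpartition("\\")[2].lower()
    return any(s in name for s in BLOCKED_STRINGS)


def triage(reg_text, paths):
    reg = parse_reg_export(reg_text)
    return {
        "registry": registry_indicators(reg),
        "p2p_copies": p2p_copies(paths),
        "blocked_tools": [p for p in paths if blocked_by_worm(p)],
    }


# Constructed sample evidence (not from a real infection).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"_Hazafibb"="C:\\WINDOWS\\System32\\qhxve.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb]
"dll1"="C:\\WINDOWS\\System\\aqwzu.dll"
"dll2"="C:\\WINDOWS\\System\\ktrpe.dll"
'''

SAMPLE_PATHS = [
    r"C:\WINDOWS\System32\qhxve.exe",
    r"C:\WINDOWS\System32\taskmgr.exe",
    r"C:\WINDOWS\regedit.exe",
    r"C:\WINDOWS\notepad.exe",
    r"C:\Program Files\KaZaA\My Shared Folder\winamp 7.0 full_install.exe",
    r"C:\ftp\upload\Total Commander 7.0 full_install.exe",
    r"C:\Users\me\Documents\winamp 7.0 full_install.exe",
]

if __name__ == "__main__":
    for category, hits in triage(SAMPLE_REG, SAMPLE_PATHS).items():
        print(category, hits)
```

The "blocked_tools" list is the set of files the worm's filter would interfere with, not a list of confirmed actions: because the filter is a plain substring match, "task" catches taskmgr.exe but would equally catch an unrelated file such as tasks.txt, which is worth remembering when a user reports files that "cannot be opened" on a suspect machine.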
The worm spreads by mail using the SMTP server found in Internet Account Manager.
The SMTP server address may also be constructed from the entries in WordList3.
Zafi.B sends itself to the harvested addresses. The content of the mail depends on the recipient's address, so that each mail is sent in the recipient's own language.
See WordList5 for a complete list of the possible mails.
The worm avoids sending itself to addresses containing the strings in WordList4.
Note: the From: field of mails sent by Zafi.B is not necessarily the real sender.
[WordList1]
htm
wab
txt
dbx
tbb
asp
php
sht
adb
mbx
eml
pmr
[WordList2]
Total Commander 7.0 full_install.exe
winamp 7.0 full_install.exe
[WordList3]
mail.
smtp.
mail01.
mailb.
mail2.
smtp2.
mx.
mx0.
mx1.
mxs.
relay.
relay1.
gate.
freemail.hu
fmx4.
fmx3.
fmx1.
matav-1.
fmx.
gold.
fmx5.
matav-2.
Mmail0.
primposta.com
domser.
fmx2.
suli2.
matav-4.
www.
gemini.
goliat2.
webmail.
postman.
huasmtp01.
t-online.de
mailin02.sul.
mail4u.
Mmx-ha01.web.de
Mmx2.mail.spray.net
freemail.nl
box-06.
box-05.
smtp01.
smtp03.
pop.
Mmx.is.nl
seznam.cz
mx1.
mx2.
new.
data2.
Memail2.atc.cz
wanadoo.fr
newken.
mrelay1-2,
blackhole.
freemail.it
Mmail.superava.it
mail-mx-3.
mxrm.
mbox.
pweb.
telia.com
mail-kr3.
mail-kr4.
mailserver.
mx-a.mail.
mailin-01.mx.
mail.ru
mxs.
cscmail.
Mrelay2.aport.ru

[WordList4]
msn
office
nero
icq
game
winra
winzi
divx
movie
total
wina
win
use
info
help
admi
webm
micro
msn
hotm
suppor
syma
vir
trend
panda
yaho
cafee
sopho
google
kasper
[WordList5]
From: Anita
Subject: Ingyen SMS!
Attachment: regiszt.php?3124freesms.index777.pif
Body:
------------------------ hirdetés -----------------------------
A sikeres 777sms.hu és az axelero.hu támogatásával újra
indul az ingyenes sms küldő szolgáltatás! Jelenleg ugyan
korlátozott számban, napi 20 ingyen smst lehet felhasználni.
Küldj te is SMST! Nehány kattintás és a mellékelt regisztrációs
lap kitöltése után azonnal igénybevehető! Bővebb információt
a [address] oldalon találsz, de siess, mert az első ezer
felhasználó között értékes nyereményeket sorsolunk ki!
------------------------ axelero.hu ---------------------------
Translation (Hungarian; subject "Free SMS!"):
------------------------ advertisement -----------------------------
With the support of the successful 777sms.hu and axelero.hu, the free
SMS sending service is starting again! For now only in limited
numbers: 20 free SMS a day can be used. Send an SMS too! After a few
clicks and filling in the attached registration form it can be used
immediately! You will find more information at [address], but hurry,
because we are drawing valuable prizes among the first thousand users!
------------------------ axelero.hu ---------------------------
From: Claudia
Subject: Importante!
Attachment: link.informacion.phpV23.text.message.pif
Body:
Informacion importante que debes conocer
Translation (Spanish; subject "Important!"): Important information you should know
Attachment (alternative): view.link.index.image.phpV23.sexHdg21.pif
From: Eva
Subject: E-Kort!
Attachment: link.ekort.index.phpV7ab4.kort.pif
Body:
Mit hjerte banker for dig!
Translation (Danish; subject "E-card!"): My heart beats for you!
From: Marica
Subject: Ecard!
Attachment: link.ekort.index.phpV7ab4.kort.pif
Body:
De cand te-am cunoscut inima mea are un nou ritm!
Translation (Romanian): Since I met you my heart has a new rhythm!
From: Anna
Subject: E-vykort!
Attachment: link.vykort.showcard.index.phpBn23.pif
Body:
Till min Alskade...
Translation (Swedish; subject "E-postcard!"): To my beloved...
From: Erica
Subject: E-Postkort!
Attachment: link.postkort.showcard.index.phpAe67.pif
Body:
Vakre roser jeg sammenligner med deg...
Translation (Norwegian; subject "E-postcard!"): Beautiful roses I compare with you...
From: Katarina
Subject: E-postikorti!
Attachment: link.postikorti.showcard.index.phpGz42.pif
Body:
Iloista kesaa!
Translation (Finnish; subject "E-postcard!"): Happy summer!
From: Magdolina
Subject: Atviruka!
Attachment: link.atviruka.showcard.index.phpGz42.pif
Body:
Linksmo gimtadieno!
Translation (Lithuanian; subject "Postcard!"): Happy birthday!
From: Beate
Subject: E-Kartki!
Attachment: link.kartki.showcard.index.phpVg42.pif
Body:
W Dniu imienin...
Translation (Polish; subject "E-cards!"): On your name day...
From: Eva
Subject: Cartoe Virtuais!
Attachment: link.cartoe.viewcard.index.phpYj39.pif
Body:
Te amo...
Translation (Portuguese; subject "Virtual cards!"): I love you...
From: Alice
Subject: Flashcard fuer Dich!
Attachment: link.flashcard.de.viewcard34.php.2672aB.pif
Body:
Hallo!
hat dir eine elektronische Flashcard geschickt.
Um die Flashcard ansehen zu koennen, benutze in deinem Browser
einfach den nun folgenden link:
[address]
Swr34
Viel Spass beim Lesen wuenscht Ihnen ihr...
Translation (German; subject "Flashcard for you!"):
Hello!
has sent you an electronic flashcard.
To view the flashcard, simply use the following link
in your browser:
[address]
Swr34
Enjoy reading, yours...
From: Eva
Subject: Er staat een eCard voor u klaar!
Attachment: postkaarten.nl.link.viewcard.index.phpG4a62.pif
Body:
Hallo!
heeft u een eCard gestuurd via de website nederlandsetaal in het basisonderwijs...
U kunt de kaart ophalen door de volgende url aan te klikken of te
kopiëren in uw browser link:
[address]
Met vriendelijke groet, De redactie taalsite primair onderwijs...
Translation (Dutch; subject "An eCard is waiting for you!"):
Hello!
has sent you an eCard via the website "Dutch language in primary education"...
You can collect the card by clicking the following URL or by
copying it into your browser link:
[address]
Kind regards, the editors of the primary-education language site...
From: Hanka
Subject: Elektronicka pohlednice!
Attachment: link.seznam.cz.pohlednice.index.php2Avf3.pif
Body:
Ahoj!
Elektronická pohlednice ze serveru [address]
Translation (Czech; subject "Electronic postcard!"):
Hi!
Electronic postcard from the server [address]
From: Claudine
Subject: E-carte!
Attachment: link.zdnet.fr.ecarte.index.php34b31.pif
Body:
vous a envoye une E-carte partir du site zdnet.fr
Vous la trouverez, l'adresse suivante link:
[address]
www.zdnet.fr, plus de 3500 cartes virtuelles, vos pages web en 5 minutes, du dialogue en direct...
Translation (French; subject "E-card!"):
has sent you an E-card from the zdnet.fr site
You will find it at the following address link:
[address]
www.zdnet.fr, more than 3500 virtual cards, your web pages in 5 minutes, live chat...
From: Francesca
Subject: Ti e stata inviata una Cartolina Virtuale!
Attachment: link.cartoline.it.viewcard.index.4g345a.pif
Body:
Ciao!
ha visitato il nostro sito, cartolina.it e ha creato una
cartolina virtuale per te! Per vederla devi fare click
sul link sottostante: [address]
Attenzione, la cartolina sara visibile sui nostri server per 2 giorni e poi verra rimossa automaticamente.
Translation (Italian; subject "A virtual postcard has been sent to you!"):
Hi!
has visited our site, cartolina.it, and created a
virtual postcard for you! To see it you must click
the link below: [address]
Note: the postcard will be visible on our servers for 2 days and will then be removed automatically.
From: Jennifer
Subject: You`ve got 1 VoiceMessage!
Attachment: link.voicemessage.com.listen.index.php1Ab2c.pif
Body:
Dear Customer!
You`ve got 1 VoiceMessage from voicemessage.com website!
Sender:
You can listen your Virtual VoiceMessage at the following link:
[address]
or by clicking the attached link.
Send VoiceMessage! Try our new virtual VoiceMessage Empire!
Best regards: SNAF.Team (R).
From: Anita
Subject: Tessek mosolyogni!!!
Attachment: meztelen csajok fociznak.flash.jpg.pif
Body:
Ha ez a kép sem tud felviditani, akkor feladom!
Sok puszi:
Translation (Hungarian; subject "Please smile!!!", attachment name "naked girls playing football"):
If even this picture can't cheer you up, I give up!
Lots of kisses:
From: Anita
Subject: Soxor Csok!
Attachment: anita.image043.jpg.pif
Body:
Szia!
Aranyos vagy, jó volt dumcsizni veled a neten!
Remélem tetszem, és szeretném ha te is küldenél képet
magadról, addig is csók:
Translation (Hungarian; subject "Lots of kisses!"):
Hi!
You're cute, it was nice chatting with you on the net!
I hope you like me, and I'd like you to send a picture
of yourself too; until then, kisses:
From: Jennifer
Subject: Don`t worry, be happy!
Attachment: www.ecard.com.funny.picture.index.nude.php356.pif
Body:
Hi Honey!
I`m in hurry, but i still love ya...
(as you can see on the picture)
Bye - Bye:
From: David
Subject: Check this out kid!!!
Attachment: jennifer the wild girl xxx07.jpg.pif
Body:
Send me back bro, when you`ll be done...(if you know what i mean...)
See ya,
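WordList4 and WordList5 translate directly into mail-side indicators. The Python below is an added example, not Lumension's code and not part of the original description: harvested_target() applies the WordList4 exclusion list the way the description says the worm does, and lure_indicators() checks a parsed message for a subject from WordList5 and a .pif attachment hidden behind a double extension. Both messages are constructed for the example; the attachment's base64 body is a two-byte dummy, not the worm.

```python
"""Mail-gateway indicators for W32/Zafi.B derived from WordList4 and WordList5.

Added example, not Lumension's code. SKIP_WORDS is WordList4 and
LURE_SUBJECTS the Subject: lines of WordList5 as listed on the page.
The two messages at the bottom are constructed samples.
"""
import email
from email import policy

# WordList4: the worm does not mail addresses containing any of these strings.
SKIP_WORDS = (
    "msn", "office", "nero", "icq", "game", "winra", "winzi", "divx", "movie",
    "total", "wina", "win", "use", "info", "help", "admi", "webm", "micro",
    "hotm", "suppor", "syma", "vir", "trend", "panda", "yaho", "cafee",
    "sopho", "google", "kasper",
)

# WordList5 subjects, reproduced exactly (including the backtick apostrophes).
LURE_SUBJECTS = {
    "Ingyen SMS!", "Importante!", "E-Kort!", "Ecard!", "E-vykort!", "E-Postkort!",
    "E-postikorti!", "Atviruka!", "E-Kartki!", "Cartoe Virtuais!",
    "Flashcard fuer Dich!", "Er staat een eCard voor u klaar!",
    "Elektronicka pohlednice!", "E-carte!",
    "Ti e stata inviata una Cartolina Virtuale!", "You`ve got 1 VoiceMessage!",
    "Tessek mosolyogni!!!", "Soxor Csok!", "Don`t worry, be happy!",
    "Check this out kid!!!",
}


def harvested_target(address):
    """False if Zafi.B would refuse to mail this address (WordList4 substring match).
    The description gives no case rule; lower-casing is an assumption of this example."""
    lowered = address.lower()
    return not any(word in lowered for word in SKIP_WORDS)


def lure_indicators(raw_message):
    """Reasons a message resembles a Zafi.B lure, in the order they are found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    if str(msg["Subject"] or "") in LURE_SUBJECTS:
        reasons.append("subject is on the Zafi.B lure list")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".pif"):
            reasons.append("PIF attachment: " + name)
            if name.count(".") > 1:  # e.g. "xxx07.jpg.pif": a picture name hiding a PIF
                reasons.append("double extension disguises the PIF")
    return reasons


# Constructed sample matching the VoiceMessage lure; "TVo=" is just the bytes "MZ".
SAMPLE_LURE = """\
From: Jennifer <jennifer@example.com>
To: postmaster@example.org
Subject: You`ve got 1 VoiceMessage!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="zafi-sample"

--zafi-sample
Content-Type: text/plain; charset="us-ascii"

Dear Customer!
You`ve got 1 VoiceMessage from voicemessage.com website!
--zafi-sample
Content-Type: application/octet-stream; name="link.voicemessage.com.listen.index.php1Ab2c.pif"
Content-Disposition: attachment; filename="link.voicemessage.com.listen.index.php1Ab2c.pif"
Content-Transfer-Encoding: base64

TVo=
--zafi-sample--
"""

# Constructed benign message for comparison.
SAMPLE_CLEAN = """\
From: Alice <alice@example.com>
To: bob@example.org
Subject: Meeting notes

See you Monday.
"""

if __name__ == "__main__":
    print(lure_indicators(SAMPLE_LURE))
    print(lure_indicators(SAMPLE_CLEAN))
    for addr in ("admin@example.org", "abuse@example.org", "postmaster@example.org"):
        print(addr, "targeted" if harvested_target(addr) else "skipped by worm")
```

Because the exclusion is a substring match, abuse@ mailboxes are skipped too ("abuse" contains "use"), as is any address containing "win", "office" or "micro" anywhere in it. That is worth knowing when deciding which spam-trap or monitoring address should be expected to receive the worm.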

Payload Details

The worm will perform a DoS attack on the following websites:
www.parlament.hu
www.virusbuster.hu
www.virushirado.hu
www.2f.hu

Zafi.B may try to overwrite certain firewall and antivirus files, but Lumension's software does not appear to be affected.

Analysis

n/a

Removal

The worm was proactively detected by Lumension Sandbox technology.


Last Updated: 12 Nov 2015 11:06:11