I-Worm.Zafi. Viruses Information

Name: I-Worm.Zafi.
Category: Viruses
Description: Details
I-Worm.Zafi.b

This worm spreads via the Internet as an attachment to infected messages, and also via local and file-sharing networks.
It is written in Assembler and packed using FSG. It is 12800 bytes in packed form and 33292 bytes in unpacked form.
Installation
Once launched, the worm copies its file to the Windows system directory. The name of the file is randomly generated.
The worm registers this file as an entry in the system registry to be run every time the system is started:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"_Hazafibb"="%system%\[file name]"
The worm creates the mutex _Hazafibb to flag its presence in the system.
This prevents multiple copies of the worm from running at the same time.
It stops the following processes and deletes their files from disk:
fvprotect.exe
winlogon.exe
jammer2nd.exe
services.exe
Propagation via email
The worm harvests email addresses from files with the following extensions:
htm
wab
txt
dbx
tbb
asp
php
sht
adb
mbx
eml
pmr
It does not send messages to addresses which contain text from the list below:
win
use
info
help
admi
webm
micro
msn
hotm
suppor
syma
vir
trend
panda
yaho
cafee
sopho
google
kasper
There is a range of text used in infected messages. The text is chosen according to the recipient's domain name.
Domain .hu
Sender:
Anita
Message header:
Ingyen SMS!
Message body:
------------------------ hirdetés -----------------------------

A sikeres 777sms.hu és az axelero.hu támogatásával újra
indul az ingyenes sms küldő szolgáltatás! Jelenleg ugyan
korlátozott számban, napi 20 ingyen smst lehet felhasználni.
Küldj te is SMST! Néhány kattintás és a mellékelt regisztrációs
lap kitöltése után azonnal igénybevehető! Bővebb információt
a www.777sms.hu oldalon találsz, de siess, mert az első ezer
felhasználó között értékes nyereményeket sorsolunk ki!

------------------------ axelero.hu ---------------------------
Attachment name:
regiszt.php?3124freesms.index777.pif
Domain .sp
Sender:
Claudia
Message header:
Importante!
Message body:
Informacion importante que debes conocer, -
Attachment name:
link.informacion.phpV23.text.message.pif
Domain .ru
Sender:
Katya
Message header:
Katya
Message body:
DAúADAOIUå OEIEøIEãU, ÐÉÓÁ_ÝÉÅ ÄÅ×ÕoËÉ, ÁÎÁÌØÎÁÑ ÍÁÓÔÕdÂÁÃÉÑ,
dÕËÁ × ÁÎÕÓÅ É ×ÓÅ ÉÚ×ÅÓÔÎÙÅ ÐÏÌÏ×ÙÅ ÉÚ×dÁÝÅÎÉÑ.
IÉÓÁ_ÝÉÅ ÄÅ×ÕoËÉ dÁÚ×dÁÔÎÙÅ oËÏÌØÎÉÃÙall
Attachment name:
view.link.index.image.phpV23.sexHdg21.pif
Domain .dk
Sender:
Eva
Message header:
E-Kort!
Message body:
Mit hjerte banker for dig!
Attachment name:
link.ekort.index.phpV7ab4.kort.pif
Domain .ro
Sender:
Marica
Message header:
Ecard!
Message body:
De cand te-am cunoscut inima mea are un nou ritm!
Attachment name:
link.showcard.index.phpAv23.ritm.pif
Domain .se
Sender:
Anna
Message header:
E-vykort!
Message body:
Till min Alskade...
Attachment name:
link.vykort.showcard.index.phpBn23.pif
Domain .no
Sender:
Erica
Message header:
E-Postkort!
Message body:
Vakre roser jeg sammenligner med deg...
Attachment name:
link.postkort.showcard.index.phpAe67.pif
Domain .fi
Sender:
Katarina
Message header:
E-postikorti!
Message body:
Iloista kesaa!
Attachment name:
link.postikorti.showcard.index.phpGz42.pif
Domain .lt
Sender:
Magdolina
Message header:
Atviruka!
Message body:
Linksmo gimtadieno!
Attachment name:
link.atviruka.showcard.index.phpGz42.pif
Domain .pl
Sender:
Beate
Message header:
E-Kartki!
Message body:
W Dniu imienin...
Attachment name:
link.kartki.showcard.index.phpVg42.pif
Domain .pt
Sender:
Eva
Message header:
Cartoe Virtuais!
Message body:
Te amo...
Attachment name:
link.cartoe.viewcard.index.phpYj39.pif
Domain .de
Sender:
Alice
Message header:
Flashcard fuer Dich!
Message body:
Hallo!

hat dir eine elektronische Flashcard geschickt.
Um die Flashcard ansehen zu koennen, benutze in deinem Browser
einfach den nun folgenden link:
http://flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34

Viel Spass beim Lesen wuenscht Ihnen ihr...
Attachment name:
link.flashcard.de.viewcard34.php.2672aB.pif
Domain .nl
Sender:
Eva
Message header:
Er staat een eCard voor u klaar!
Message body:
Hallo!

heeft u een eCard gestuurd via de website nederlandse
taal in het basisonderwijs...
U kunt de kaart ophalen door de volgende url aan te klikken of te
kopiren in uw browser link:
http://postkaarten.nl/viewcard.show53.index=04abD1

Met vriendelijke groet,
De redactie taalsite primair onderwijs...
Attachment name:
postkaarten.nl.link.viewcard.index.phpG4a62.pif
Domain .cz
Sender:
Hanka
Message header:
Elektronicka pohlednice!
Message body:
Ahoj!

Elektronick pohlednice ze serveru http://www.seznam.cz


Attachment name:
link.seznam.cz.pohlednice.index.php2Avf3.pif
Domain .fr
Sender:
Claudine
Message header:
E-carte!
Message body:
vous a envoye une E-carte partir du site zdnet.fr
Vous la trouverez, l'adresse suivante link:
http://zdnet.fr/showcard.index.php34bs42
www.zdnet.fr, plus de 3500 cartes virtuelles, vos pages web
en 5 minutes, du dialogue en direct...
Attachment name:
link.zdnet.fr.ecarte.index.php34b31.pif
Domain .it
Sender:
Francesca
Message header:
Ti e stata inviata una Cartolina Virtuale!
Message body:
Ciao!

ha visitato il nostro sito, cartolina.it e ha creato una
cartolina virtuale per te! Per vederla devi fare click
sul link sottostante: http://cartolina.it/asp.viewcard=index4g345a
Attenzione, la cartolina sara visibile sui nostri server per
2 giorni e poi verra rimossa automaticamente.
Attachment name:
link.cartoline.it.viewcard.index.4g345a.pif
Domain .mx
1.
Sender:
Jennifer
Message header:
You`ve got 1 VoiceMessage!
Message body:
Dear Customer!

You`ve got 1 VoiceMessage from voicemessage.com website!
Sender:
You can listen your Virtual VoiceMessage at the following link:
http://virt.voicemessage.com/index.listen.php2=35affv
or by clicking the attached link.

Send VoiceMessage! Try our new virtual VoiceMessage Empire!
Best regards: SNAF.Team (R).
Attachment name:
link.voicemessage.com.listen.index.php1Ab2c.pif
2.
Sender:
Anita
Message header:
Soxor Csok!
Message body:
Szia!

Aranyos vagy, jó volt dumcsizni veled a neten!
Remélem tetszem, és szeretném ha te is küldenél képet
magadról, addig is csók:
Attachment name:
anita.image043.jpg.pif
Domain .at
1.
Sender:
Anita
Message header:
Tessek mosolyogni!!!
Message body:
Ha ez a kép sem tud felviditani, akkor feladom!

Sok puszi:
Attachment name:
meztelen csajok fociznak.flash.jpg.pif
2.
Sender:
Jennifer
Message header:
Don`t worry, be happy!
Message body:
Hi Honey!

I`m in hurry, but i still love ya...
(as you can see on the picture)

Bye - Bye:
Attachment name:
www.ecard.com.funny.picture.index.nude.php356.pif
For all other domains, the message will be as follows:
Sender:
David
Message header:
Check this out kid!!!
Message body:
Send me back bro, when you`ll be done...(if you know what i mean...)

See ya,
Attachment name:
jennifer the wild girl xxx07.jpg.pif
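Added example (not part of the original description): a mail-gateway style check, in Python, for the naming pattern shared by every attachment listed above, a final .pif extension hidden behind name parts that look like a web page or a picture. The extension lists, function names and sample messages are assumptions constructed for illustration.

```python
from email.message import EmailMessage

# Final extensions that Windows runs as programs (.pif is launched like .exe).
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd"}
# Inner name parts that make a file look like a page, picture or document
# (assumed list; extend to match local policy).
DECOY_PREFIXES = ("php", "htm", "asp", "jpg", "gif", "txt", "doc")


def classify_filename(name):
    """Return None for a harmless-looking name, else a short reason string."""
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1].strip() not in EXECUTABLE_EXTS:
        return None
    inner = parts[1:-1]  # everything between the base name and the real extension
    if any(p.startswith(DECOY_PREFIXES) for p in inner):
        return "decoy-double-extension"
    return "executable-extension"


def flag_attachments(msg):
    """List (filename, reason) for every risky attachment in a parsed message."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # decodes RFC 2231 / RFC 2047 filenames
        reason = classify_filename(name) if name else None
        if reason:
            hits.append((name, reason))
    return hits


def build_sample(filename, payload=b"constructed placeholder bytes"):
    """Constructed test message; the payload is inert filler, not a sample."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


if __name__ == "__main__":
    for fn in ("anita.image043.jpg.pif",
               "link.cartoline.it.viewcard.index.4g345a.pif",
               "holiday.photo.jpg"):
        print(fn, flag_attachments(build_sample(fn)))
```

Names with no recognisable decoy part, such as link.cartoline.it.viewcard.index.4g345a.pif, are still flagged on the executable extension alone.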
Propagation via local and file-sharing networks
The worm copies itself to all folders where the folder name contains the words:
share
upload
The name of the worm file will be chosen from the following list:
winamp 7.0 full_install.exe
Total Commander 7.0 full_install.exe
Other
It creates the file sys.txt in the root directory of the C: drive.
It attempts to detect antivirus program files on the computer and overwrite them with a copy of itself.
It also attempts to conduct DoS attacks on the following sites:
www.2f.hu
www.parlament.hu
www.virusbuster.hu
www.virushirado.hu





 


© 2006-2008 spyware32.com - Privacy Policy