Virus Profile: W32/Zafi.b@MM

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 6/11/2004
Date Added: 6/11/2004
Origin: Unknown
Length: 12,800 bytes
Type: Virus
Subtype: Email
DAT Required: 4366

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Installation

When executed, the worm copies itself twice to the %windir%\system32 folder, once under a random name with an .EXE extension and once under a different random name with a .DLL extension.

Example:
  C:\WINNT\system32\jrbtgmqi.exe
  C:\WINNT\system32\enfrbatm.dll

It adds a value to the Run key so that the .EXE copy is executed every time the machine starts:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "_Hazafibb" = %windir%\System32\jrbtgmqi.exe

Other symptoms include:

  • Security software fails to work (the worm overwrites anti-virus and firewall executables; see below)
  • Increased outbound network traffic (mail sent through the worm's own SMTP engine)
  • System slowdown

Methods of Infection

This worm does not use any exploit code to execute the mail attachment automatically. A user has to double-click an infected attachment, or a copy of the worm shared via P2P, to infect the machine.

On machines where the worm has overwritten the executables of anti-virus or firewall software, a user can easily run the worm by mistake simply by launching what appears to be the security product.

Aliases

I-Worm.Zafi.b (Kaspersky), PE_ZAFI.B (Trend), W32.Erkez.B@mm (Symantec), Win32.Hazafi.30720 (Dialogue Science)

Virus Characteristics

-- Update August 16th, 2004 --
The risk assessment of this threat has been lowered to Low-Profiled due to decreased prevalence.
--

-- Update June 14th, 2004 03:01 PST --
The risk assessment of this threat has been raised to Medium due to increased prevalence.

If you think that you may be infected with this threat, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present.  This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

--

-- Update June 14, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://times.hankooki.com/lpage/tech/200406/kt2004061320092511800.htm

This is a mass-mailing worm that constructs messages using its own SMTP engine and spoofs the From: address. It also attempts to propagate via P2P by copying itself to folders on the local system whose names contain 'share' or 'upload'.

Mail Propagation

The worm constructs messages using its own SMTP engine, spoofing the From: address.

The worm searches for email addresses on the local hard disk, harvesting addresses from files with the following extensions:

  • htm
  • wab
  • txt
  • dbx
  • tbb
  • asp
  • php
  • sht
  • adb
  • mbx
  • eml
  • pmr

Harvested addresses are stored in five files in the system32 folder, each with a random name and the file extension .DLL.

Example:
  C:\WINNT\system32\kenbdplk.dll
  C:\WINNT\system32\zibscdes.dll
  C:\WINNT\system32\qfafsxoz.dll
  C:\WINNT\system32\zhzukrhp.dll
  C:\WINNT\system32\sdxsuwxt.dll

References to these files are stored within the following key, which is also created by the worm:

  •   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb

The worm avoids sending itself to certain email addresses, those containing any of the following strings:

  • admi
  • cafee
  • google
  • help
  • hotm
  • info
  • kasper
  • micro
  • msn
  • panda
  • sopho
  • suppor
  • syma
  • trend
  • use
  • vir
  • webm
  • win
  • yaho

The worm sends itself out in different languages depending on the top-level domain (TLD) of the recipient's address. For example, a recipient with a .com address receives the English mail body, while one with a .de address receives the German body.

Below are some of the formats. The From: address is spoofed. The name of the mail server to deliver through is assembled by concatenating strings found in the virus body (e.g. fmx1.domain.hu).

To: anita
Subject: Ingyen SMS!
  (English: Free SMS!)
Attachment: "regiszt.php?3124freesms.index777.pif"
Body:
------------------------ hirdetés ----------------------------- A sikeres 777sms.hu és az axelero.hu támogatásával újra indul az ingyenes sms küldő szolgáltatás! Jelenleg ugyan korlátozott számban, napi 20 ingyen smst lehet felhasználni. Küldj te is SMST! Nehány kattintás és a mellékelt regisztrációs lap kitöltése után azonnal igénybevehető! Bővebb információt a www.777sms.hu oldalon találsz, de siess, mert az első ezer felhasználó között értékes nyereményeket sorsolunk ki! ------------------------ axelero.hu ---------------------------
  (English: ------------------------ advertisement ----------------------------- With the support of the successful 777sms.hu and axelero.hu, the free SMS-sending service is starting again! For now in limited numbers: 20 free SMS per day can be used. Send an SMS too! After a few clicks and filling in the attached registration form it can be used immediately! You will find more information at www.777sms.hu, but hurry, because we are raffling valuable prizes among the first thousand users! ------------------------ axelero.hu ---------------------------)

To: claudia
Subject: Importante!
  (English: Important!)
Attachment: "link.informacion.phpV23.text.message.pif"
Body:
Informacion importante que debes conocer, -
  (English: Important information you need to know, -)

To: katya
Subject: Katya
Attachment: "view.link.index.image.phpV23.sexHdg21.pif"

To: eva
Subject: E-Kort!
  (English: E-card!)
Attachment: "link.ekort.index.phpV7ab4.kort.pif"
Body:
Mit hjerte banker for dig!
  (English: My heart beats for you!)

To: marica
Subject: Ecard!
Attachment: "link.showcard.index.phpAv23.ritm.pif"
Body:
De cand te-am cunoscut inima mea are un nou ritm!
  (English: Since I met you, my heart has a new rhythm!)

To: anna
Subject: E-vykort!
  (English: E-postcard!)
Attachment: "link.vykort.showcard.index.phpBn23.pif"
Body:
Till min Alskade...
  (English: To my beloved...)

To: erica
Subject: E-Postkort!
  (English: E-postcard!)
Attachment: "link.postkort.showcard.index.phpAe67.pif"
Body:
Vakre roser jeg sammenligner med deg...
  (English: Beautiful roses I compare with you...)

To: katarina
Subject: E-postikorti!
  (English: E-postcard!)
Attachment: "link.postikorti.showcard.index.phpGz42.pif"
Body:
Iloista kesaa!
  (English: Happy summer!)

To: magdolina
Subject: Atviruka!
  (English: Postcard!)
Attachment: "link.atviruka.showcard.index.phpGz42.pif"
Body:
Linksmo gimtadieno! ha
  (English: Happy birthday! ha)

To: beate
Subject: E-Kartki!
  (English: E-cards!)
Attachment: "link.kartki.showcard.index.phpVg42.pif"
Body:
W Dniu imienin...
  (English: On your name day...)

To:
Subject: Cartoe Virtuais!
  (English: Virtual cards!)
Attachment: "link.cartoe.viewcard.index.phpYj39.pif"
Body:
Content: Te amo... ,
  (English: I love you... ,)

To: alice
Subject: Flashcard fuer Dich!
  (English: Flashcard for you!)
Attachment: "link.flashcard.de.viewcard34.php.2672aB.pif"
Body:
Hallo! hat dir eine elektronische Flashcard geschickt. Um die Flashcard ansehen zu koennen, benutze in deinem Browser einfach den nun folgenden link: http://flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34 Viel Spass beim Lesen wuenscht Ihnen ihr...
  (English: Hello! has sent you an electronic Flashcard. To view the Flashcard, simply use the following link in your browser: http://flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34 Have fun reading, wishes your...)

To: eva
Subject: Er staat een eCard voor u klaar!
  (English: An eCard is waiting for you!)
Attachment: "postkaarten.nl.link.viewcard.index.phpG4a62.pif"
Body:
Hallo! heeft u een eCard gestuurd via de website nederlandse taal in het basisonderwijs... U kunt de kaart ophalen door de volgende url aan te klikken of te kopiëren in uw browser link: http://postkaarten.nl/viewcard.show53.index=04abD1 Met vriendelijke groet, De redactie taalsite primair onderwijs...
  (English: Hello! has sent you an eCard via the website Dutch language in primary education... You can retrieve the card by clicking the following URL or copying it into your browser link: http://postkaarten.nl/viewcard.show53.index=04abD1 Kind regards, The editors of the primary education language site...)

To: hanka
Subject: Elektronicka pohlednice!
  (English: Electronic postcard!)
Attachment: "link.seznam.cz.pohlednice.index.php2Avf3.pif"
Body:
Ahoj! Elektronická pohlednice ze serveru http://www.seznam.cz -
  (English: Hi! Electronic postcard from the server http://www.seznam.cz -)

To: claudine
Subject: E-carte!
  (English: E-card!)
Attachment: "link.zdnet.fr.ecarte.index.php34b31.pif"
Body:
vous a envoye une E-carte à partir du site zdnet.fr Vous la trouverez, à l'adresse suivante link: http://zdnet.fr/showcard.index.php34bs42 www.zdnet.fr, plus de 3500 cartes virtuelles, vos pages web en 5 minutes, du dialogue en direct...
  (English: has sent you an E-card from the site zdnet.fr You will find it at the following address link: http://zdnet.fr/showcard.index.php34bs42 www.zdnet.fr, more than 3500 virtual cards, your web pages in 5 minutes, live chat...)

To: francesca
Subject: Ti e stata inviata una Cartolina Virtuale!
  (English: A Virtual Postcard has been sent to you!)
Attachment: "link.cartoline.it.viewcard.index.4g345a.pif"
Body:
Ciao! ha visitato il nostro sito, cartolina.it e ha creato una cartolina virtuale per te! Per vederla devi fare click sul link sottostante: http://cartolina.it/asp.viewcard=index4g345a Attenzione, la cartolina sara visibile sui nostri server per 2 giorni e poi verra rimossa automaticamente.
  (English: Hi! has visited our site, cartolina.it, and created a virtual postcard for you! To see it you must click the link below: http://cartolina.it/asp.viewcard=index4g345a Attention: the postcard will be visible on our servers for 2 days and then removed automatically.)

To: jennifer
Subject: You`ve got 1 VoiceMessage!
Attachment: "link.voicemessage.com.listen.index.php1Ab2c.pif"
Body:
Dear Customer! You`ve got 1 VoiceMessage from voicemessage.com website! Sender: You can listen your Virtual VoiceMessage at the following link: http://virt.voicemessage.com/index.listen.php2=35affv or by clicking the attached link. Send VoiceMessage! Try our new virtual VoiceMessage Empire! Best regards: SNAF.Team (R).

To: anita
Subject: Tessek mosolyogni!!!
  (English: Please smile!!!)
Attachment: "meztelen csajok fociznak.flash.jpg.pif"
Body:
Ha ez a kép sem tud felvidítani, akkor feladom! Sok puszi:
  (English: If even this picture can't cheer you up, then I give up! Lots of kisses:)

To: anita
Subject: Soxor Csok!
  (English: Lots of kisses!)
Attachment: "anita.image043.jpg.pif"
Body:
Szia! Aranyos vagy, jó volt dumcsizni veled a neten! Remélem tetszem, és szeretném ha te is küldenél képet magadról, addig is csók: )l@
  (English: Hi! You're cute, it was nice chatting with you online! I hope you like me, and I'd like you to send a picture of yourself too; until then, kisses: )l@)

To: jennifer
Subject: Don`t worry, be happy!
Attachment: "www.ecard.com.funny.picture.index.nude.php356.pif"
Body:
Hi Honey! I`m in hurry, but i still love ya... (as you can see on the picture) Bye - Bye:

To: david
Subject: Check this out kid!!!
Attachment: "jennifer the wild girl xxx07.jpg.pif"
Body:
Send me back bro, when you`ll be done...(if you know what i mean...) See ya,

In addition to these messages, the worm may also arrive with a random attachment name using one of the following extensions:

  • .com
  • .exe
  • .pif
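The recipient filter, the lure subjects and the attachment naming pattern described above are enough to triage mail at a gateway or in a mailbox. The following Python script is an added example (it is not McAfee's detection logic and not code from the worm): it checks an address against the worm's skip list, and parses an RFC 822 message to flag the indicators from the formats above. The two sample messages are constructed here for illustration; the double-extension regular expression is this editor's generalisation of the attachment names listed, not a pattern given by the profile.

```python
"""Triage for Zafi.b-style lures (added example, not McAfee's detection)."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Substrings the worm refuses to send to (the list above).
ZAFI_SKIP_SUBSTRINGS = (
    "admi", "cafee", "google", "help", "hotm", "info", "kasper", "micro", "msn",
    "panda", "sopho", "suppor", "syma", "trend", "use", "vir", "webm", "win", "yaho",
)

# Attachment extensions the worm uses for its copies.
EXEC_EXTENSIONS = (".pif", ".com", ".exe")

# Subject lines from the message formats above, lowercased for comparison.
KNOWN_SUBJECTS = {
    "ingyen sms!", "importante!", "katya", "e-kort!", "ecard!", "e-vykort!",
    "e-postkort!", "e-postikorti!", "atviruka!", "e-kartki!", "cartoe virtuais!",
    "flashcard fuer dich!", "er staat een ecard voor u klaar!",
    "elektronicka pohlednice!", "e-carte!", "ti e stata inviata una cartolina virtuale!",
    "you`ve got 1 voicemessage!", "tessek mosolyogni!!!", "soxor csok!",
    "don`t worry, be happy!", "check this out kid!!!",
}

# Assumption (generalised from the names above): a harmless-looking extension or
# "php<junk>" followed by the real executable extension, e.g. "xxx07.jpg.pif".
DOUBLE_EXT_RE = re.compile(r"\.(jpe?g|gif|php|html?|txt)[^.]*\.(pif|com|exe)$", re.I)


def is_zafi_target(address: str) -> bool:
    """True if the worm would mail this address, i.e. it contains no skip substring."""
    lowered = address.lower()
    return not any(s in lowered for s in ZAFI_SKIP_SUBSTRINGS)


def triage_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and list the Zafi.b indicators it matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    hits = []
    if subject.strip().lower() in KNOWN_SUBJECTS:
        hits.append("known-subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(EXEC_EXTENSIONS):
            hits.append("executable-attachment:" + name)
        if DOUBLE_EXT_RE.search(name):
            hits.append("double-extension:" + name)
    return {"subject": subject, "hits": hits, "suspicious": bool(hits)}


def build_sample(subject: str, body: str, attachment: str = "") -> bytes:
    """Construct a test message (sample data made up for this example)."""
    m = EmailMessage()
    m["From"] = "spoofed@example.org"   # the worm forges From:
    m["To"] = "jennifer@example.net"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"MZ" + b"\x00" * 14, maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


# Constructed samples: one mimicking a format listed above, one ordinary message.
SAMPLE_WORM = build_sample("You`ve got 1 VoiceMessage!",
                           "Dear Customer! You`ve got 1 VoiceMessage ...",
                           "link.voicemessage.com.listen.index.php1Ab2c.pif")
SAMPLE_CLEAN = build_sample("Meeting notes", "See attached.", "notes.pdf")

if __name__ == "__main__":
    for raw in (SAMPLE_WORM, SAMPLE_CLEAN):
        print(triage_message(raw))
    for addr in ("jennifer@example.net", "admin@example.net", "bob@hotmail.com"):
        print(addr, "targeted" if is_zafi_target(addr) else "skipped")
```

Note that the skip list is broad: "use" excludes every address containing "user" and "win" excludes anything containing "windows", so a mailbox list run through is_zafi_target gives a quick picture of which users could have received the worm at all.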

P2P Propagation

The worm copies itself to directories on the C: drive containing one of the following strings:

  • share
  • upload

The worm copies itself under one of the following filenames:

  • Total Commander 7.0 full_install.exe
  • winamp 7.0 full_install.exe

File overwriting payload

The worm searches for the installation directories of anti-virus and personal firewall software and overwrites the executables found there with copies of itself. It may also overwrite other .exe files in subfolders of the Program Files folder.

Process termination payload

In an attempt to thwart manual identification and cleaning of an infected machine, the worm attempts to terminate processes whose names contain any of the following strings:

  • regedit
  • msconfig
  • task

Removal Instructions

All Users
Use the specified DAT files for detection and removal.


Stinger
Stinger has been updated to assist in detecting and repairing this threat.

McAfee System Compliance Profiler
Create a rule that checks for the worm's registry value (a host is compliant only when the value is absent):

  1. Select HKEY_LOCAL_MACHINE from the drop-down box
  2. In the next field, type in the path SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  3. In the next field, type in _Hazafibb
  4. In the next drop-down box, select "Registry value does not exist"

McAfee Threatscan
ThreatScan signatures that can detect the W32/Zafi.b@MM virus are available from:

ThreatScan Signature version: 2004-06-14

ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

  • Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
    -or-
  • Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:

  • Run the "ThreatScan Template Report"
  • Look for module number #4075