Virus Profile: W32/Zafi.d@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 12/14/2004
Date Added: 12/14/2004
Origin: N/A
Length: 11,745 bytes (EXE)
Type: Virus
Subtype: E-mail worm
DAT Required: 4414
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Installation

Displays a fake error message upon executing:

The worm drops the following files to the %windir%\system32 folder:

  • C:\WINNT\system32\<RANDOM />.EXE - 11,745 bytes
  • C:\WINNT\system32\<RANDOM.DLL li="" ytes="" -="" />
  • C:\WINNT\system32\Norton Update.exe - 11,745 bytes
  • C:\WINNT\system32\<RANDOM />.DLL - (worm zipped up)
  • C:\s.cm - 20,552 bytes (winzip dll module)

It creates a registry key, so the file gets executed every time the machine starts:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\Run "Wxp4" = C:\WINDOWS\SYSTEM32\Norton Update.exe

It creates the following registry key to store information of the worm:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wxp4

TCP port 8181 is opened on the infected system.

Methods of Infection

This worm does not use any exploit code in order to execute the mail attachment automatically. A user has to doubleclick on an infected attachment or a file shared via P2P to infect the machine.

For machines where the worm has overwritten binaries associated with AV or firewall software, it would be very easy for a user to mistakenly execute the worm.

Aliases

Email-Worm.Win32.Zafi.d (AVP), Nocard.A@mm (Norman), W32.Erkez.D@mm (Symantec), W32/Zafi-D (Sophos), WORM_ZAFI.D (Trend)
   

Virus Characteristics

-- Update Dec 14th 2004 --
The risk assessment of this threat was raised to Medium due to increased prevalence. The 4414 DATs were released early for this threat.
--

This new variant contains the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • spoofs the From: address
  • harvests target email addresses from the victim  machine
  • outgoing email message body is either in Hungarian or English
  • displays p2p worm behaviour
  • shuts down security services

Mail Propagation

The worm can send itself as an attachment in email with any of the following extensions: ZIP, CMD, PIF, BAT or COM.

The worm harvests email addresses from files with the following extensions:

  • htm
  • wab
  • txt
  • dbx
  • tbb
  • asp
  • php
  • sht
  • adb
  • mbx
  • eml
  • pmr
  • fpt
  • inb

Harvested addresses are stored in five files in the system32 folder using random names and the file extension .DLL. For example:

  • c:\WINDOWS\SYSTEM\ckolieqt.dll
  • c:\WINDOWS\SYSTEM\fktnxowp.dll
  • c:\WINDOWS\SYSTEM\gczomkgr.dll
  • c:\WINDOWS\SYSTEM\hgtmrsvo.dll

The worm avoids sending itself to certain email addresses, those containing any of the following strings:

  • yaho
  • google
  • win
  • use
  • info
  • help
  • admi
  • webm
  • micro
  • msn
  • hotm
  • suppor
  • syman
  • viru
  • trend
  • secur
  • panda
  • cafee
  • sopho
  • kasper

The body of the email sent by the worm are in the form of Christmas greetings. Like previous variants, the worm sends itself out in different languages depending on the Top Level Domain (TLD) of the recipient's address. For example, a user with a .COM mail address, will receive the English mail body, while someone with an .DE Mail address will receive the German body.

Below is an example of an email sent by this worm. The graphic and format of the email in other languages are the same.

P2P Propagation

The worm copies itself to directories on the C: drive containing one of the following strings:

  • share
  • upload
  • music

It copies itself using the below filenames:

  • winamp 5.7 new!.exe
  • ICQ 2005a new!.exe

Payload

In an attempt to thwart manual identification and cleaning of an infected machine, the worm will attempt to render the following processes containing the following strings unavailable:

  • reged
  • msconfig
  • task

The worm also attempts to shutdown security services like firewalls, and AV software upon execution.

   

All Users
 Detection and cleaning of this threat was included in the 4414 DAT files which were released early for this threat.

Manual removal
 As mentioned above, once active on the system the worm prevents the use of Windows Task Manager to find and terminate its process. Because of this, it is recommended that the user restarts the machine in Safe Mode in order to perform manual removal.

1. Restart the machine in Safe Mode.
2. Delete the "Norton Update.exe" (11,745 bytes) file from the Windows system directory.
3. Remove the following Registry key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wxp4

4. Remove the startup hook the worm added in the Registry. Delete the following value:

  • "Wxp4" = C:\WINDOWS\SYSTEM32\Norton Update.exe

from within the following key:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
    \CurrentVersion\Run

5. The copy of the worm with a random filename (.dll extension) and the randomly named .dll files the worm uses for storing harvested data in the Windows system directory can be manually deleted.

Network General Sniffer
 A Network General Sniffer filter is available at http://www.networkgeneral.com/SnifferFilters_Details.aspx?Type=1