Virus Profile: W32/Zafi@MM

Risk Assessment: Home Low | Corporate Low
Date Discovered: 4/19/2004
Date Added: 4/19/2004
Origin: Hungary
Length: 11776 bytes
Type: Virus
Subtype: Internet Worm
DAT Required: 4352


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Existence of the files and registry keys described under Virus Characteristics.
  • Process termination
  • Network traffic
  • On the 1st of May 2004, the worm displays a political message.

Methods of Infection

This worm does not use any exploit code to execute the mail attachment automatically. A user has to double-click the infected attachment to infect the machine.


Aliases

w32.erkez.a@mm (Symantec)

Virus Characteristics

This threat is proactively detected as 'New Malware.b' by the 4250 DATs and the 4.3.20 engine with 'program heuristics' enabled.

Note: This worm sends itself only to addresses ending in the top-level domain .HU.

When executed, the worm copies itself twice to the %windir%\system32 folder, using random names with .EXE and .DLL extensions.


It creates a registry value so that the file is executed every time the machine starts, for example:
  "xqmguqdx" = C:\WINDOWS\System32\bawtsuoc.exe I3

Then it searches the local hard disk for email addresses and stores the harvested addresses in five files in the system32 folder, using random names and the file extension .DLL.


References to these files are stored within the following key, which is also created by the worm:

When it finds an address that ends with .HU, it sends itself to that address; then it combines the domain name and top-level domain (e.g.: and generates new email addresses with random names.

The emails always have the same subject and attachment:

From: [spoofed sender]
To: [harvested address]
Subject: Kepeslap erkezett
Body:

Tisztelt felhasználó!

Önnek képeslapja érkezett!
A képeslap feladója: [spoofed address]
A lapot az alábbi cimen tudja megtekinteni:
vagy a mellékelt internetlink kattintásával.

Üdvözlettel: Matav e-card!

(English translation of the body:)

Dear Customer!

You received a new e-card!
Sender: [spoofed address]
You can view your e-card at the following address:
or by clicking the attached Internet-link.
Best regards: Matav e-card

Attachment:
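As an added example (not McAfee's own detection logic), a mail-gateway check for the lure described above, keyed on the fixed subject, the body phrases, the 11776-byte attachment length and the .HU-only recipient rule. The sample message, the sender/recipient addresses and the attachment filename are constructed placeholders, and the attachment is a zero-filled dummy blob rather than the worm.

```python
import email
from email import policy
from email.message import EmailMessage

ZAFI_SUBJECT = "Kepeslap erkezett"
ZAFI_LENGTH = 11776  # attachment length given in the profile
ZAFI_BODY_MARKERS = ("Önnek képeslapja érkezett!", "Matav e-card")


def zafi_indicators(raw: bytes) -> set:
    """Return the names of the Zafi lure indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    if (msg["Subject"] or "").strip() == ZAFI_SUBJECT:
        hits.add("subject")
    # The worm only mails .HU addresses, so the recipient TLD is a weak supporting indicator.
    if (msg["To"] or "").strip().lower().endswith(".hu"):
        hits.add("recipient-hu")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if all(marker in text for marker in ZAFI_BODY_MARKERS):
        hits.add("body")
    for part in msg.iter_attachments():
        if len(part.get_payload(decode=True) or b"") == ZAFI_LENGTH:
            hits.add("attachment-size")
    return hits


def is_zafi_lure(raw: bytes) -> bool:
    """Flag a message only when the lure text and the attachment length all match."""
    return {"subject", "body", "attachment-size"} <= zafi_indicators(raw)


def build_sample() -> bytes:
    """Constructed test message following the page's template (placeholder addresses)."""
    m = EmailMessage()
    m["From"] = "sender@example.hu"
    m["To"] = "user@example.hu"
    m["Subject"] = ZAFI_SUBJECT
    m.set_content("Tisztelt felhasználó!\n\nÖnnek képeslapja érkezett!\n"
                  "A képeslap feladója: sender@example.hu\n"
                  "Üdvözlettel: Matav e-card!\n")
    # Dummy zero-filled attachment of the documented length; filename is a placeholder.
    m.add_attachment(b"\0" * ZAFI_LENGTH, maintype="application",
                     subtype="octet-stream", filename="ecard.exe")
    return m.as_bytes()


if __name__ == "__main__":
    print(sorted(zafi_indicators(build_sample())), is_zafi_lure(build_sample()))
```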

The worm monitors the process list and terminates programs with these filenames:

  • dfw.exe
  • fsav32.exe
  • fsbwsys.exe
  • fsgk32.exe
  • fsm32.exe
  • fssm32.exe
  • fvprotect.exe
  • mcagent.exe
  • navapw32.exe
  • navdx.exe
  • navstub.exe
  • navw32.exe
  • nc2000.exe
  • ndd32.exe
  • netarmor.exe
  • netinfo.exe
  • netmon.exe
  • nmain.exe
  • nprotect.exe
  • ntvdm.exe
  • ostronet.exe
  • outpost.exe
  • pccguide.exe
  • pcciomon.exe
  • regedit.exe
  • regedit32.exe
  • taskmgr.exe
  • tnbutil.exe
  • vbcons.exe
  • vbsntw.exe
  • vbust.exe
  • vsmain.exe
  • vsmon.exe
  • vsstat.exe
  • winlogon.exe
  • zonalarm.exe


Removal Instructions

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations
