Virus Profile: W32/Zafi@MM

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 4/19/2004
Date Added: 4/19/2004
Origin: Hungary
Length: 11776 bytes
Type: Virus
Subtype: Internet Worm
DAT Required: 4352

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Existence of the files and registry keys listed under Virus Characteristics below.
  • Termination of the security and system processes listed under Virus Characteristics below.
  • Outbound mail traffic to addresses in the .HU top-level domain.
  • On 1 May 2004, the worm displays a political message.

Methods of Infection

This worm does not use any exploit code to execute the mail attachment automatically. A user has to double-click the infected attachment (a .COM executable with a deceptive, URL-like file name) to infect the machine.

Aliases

w32.erkez.a@mm (Symantec)
   

Virus Characteristics

This threat is proactively detected by the 4250 DATs with the 4.3.20 engine when 'program heuristics' is enabled, as 'New Malware.b'.

Note: This worm sends itself only to addresses in the .HU top-level domain.

When executed, the worm copies itself twice to the %windir%\system32 folder, using a random name for each copy, one with the .EXE extension and one with the .DLL extension.

Example:
  C:\WINNT\system32\bawtsuoc.exe
  C:\WINNT\system32\ylhefsko.dll

It creates a value under the following Run key so that the .EXE copy is executed every time the machine starts (note the I3 argument in the example):
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
  Windows\CurrentVersion\Run
  "xqmguqdx" = C:\WINDOWS\System32\bawtsuoc.exe I3

Then it starts searching the local hard disk for email addresses and stores the harvested addresses in five files in the system32 folder, again using random names and the file extension .DLL.

Example:
  C:\WINNT\system32\dnszokke.dll
  C:\WINNT\system32\eajgrjic.dll
  C:\WINNT\system32\jgehkgju.dll
  C:\WINNT\system32\vipmcylx.dll
  C:\WINNT\system32\wthrwhbu.dll

References to these files are stored within the following key, which is also created by the worm:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Hazafi
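The file and registry indicators above can be checked from offline triage evidence. The following Python is an added example and is not part of the McAfee profile: it parses a constructed regedit-style export and a constructed listing of %windir%\system32 (file name to size) and correlates them against the indicators named in this profile. The function names, the Hazafi value names in the sample and the 8-lowercase-letter random-name pattern (inferred from the example names shown) are this example's own assumptions.

```python
# Added triage example, not code from the McAfee profile. Correlates a regedit-style
# export and a %windir%\system32 listing against the W32/Zafi@MM indicators above.
# The sample data is constructed; the Hazafi value names are an assumption.
import re

WORM_LENGTH = 11776  # byte length given in the profile header (this variant only)
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HAZAFI_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Hazafi"
# Worm copies and address stores use 8 random lowercase letters (pattern inferred from
# the examples in the profile; legitimate names such as cleanmgr.exe also match, so the
# name alone is only a weak indicator).
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(exe|dll)$")
# Run value data seen in the profile: <drive>:\...\System32\<8 letters>.exe I3
RUN_DATA = re.compile(r"^([A-Za-z]:\\.*?\\system32\\([a-z]{8})\.exe) I3$", re.IGNORECASE)


def parse_reg_export(text):
    """Minimal parser for 'regedit /e' exports: {key path: {value name: string data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes in strings
        keys[current][name] = data
    return keys


def zafi_host_triage(reg_text, system32_listing):
    """Return the Zafi indicators found in a registry export and a {filename: size} listing."""
    keys = parse_reg_export(reg_text)
    findings = {"hazafi_key": HAZAFI_KEY in keys, "run_values": [], "confirmed": [], "suspicious": []}
    referenced = set()  # file names the registry points at
    for name, data in keys.get(RUN_KEY, {}).items():
        m = RUN_DATA.match(data)
        if m:
            findings["run_values"].append((name, m.group(1)))
            referenced.add(m.group(2).lower() + ".exe")
    for data in keys.get(HAZAFI_KEY, {}).values():
        referenced.add(data.rsplit("\\", 1)[-1].lower())
    for fname, size in sorted(system32_listing.items()):
        if not RANDOM_NAME.match(fname):
            continue
        # A registry reference or the known worm length upgrades a name-only match.
        bucket = "confirmed" if fname in referenced or size == WORM_LENGTH else "suspicious"
        findings[bucket].append(fname)
    return findings


# Constructed sample evidence (paths taken from the profile; Hazafi value names assumed).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
"xqmguqdx"="C:\\WINDOWS\\System32\\bawtsuoc.exe I3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Hazafi]
"1"="C:\\WINDOWS\\System32\\dnszokke.dll"
"2"="C:\\WINDOWS\\System32\\eajgrjic.dll"
'''

SAMPLE_SYSTEM32 = {
    "kernel32.dll": 983552,  # digits in the name: never matches the random-name pattern
    "cleanmgr.exe": 87552,   # legitimate 8-letter name: name-only, stays "suspicious"
    "bawtsuoc.exe": 11776,   # worm .EXE copy, referenced from the Run value
    "ylhefsko.dll": 11776,   # worm .DLL copy, identified by its length only
    "dnszokke.dll": 4120,    # harvested-address store, referenced from the Hazafi key
    "eajgrjic.dll": 2980,
}

if __name__ == "__main__":
    for key, value in zafi_host_triage(SAMPLE_REG, SAMPLE_SYSTEM32).items():
        print(f"{key}: {value}")
```

Name-only matches stay in the "suspicious" bucket on purpose: a random-looking 8-letter name in system32 is common, so only a registry reference or the known 11776-byte length promotes a file to "confirmed". The length applies to this variant only; for any other build, hash or scan the file instead.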


When it finds an address that ends with .HU, it sends itself to that address. It then takes the domain part of the harvested address (e.g. @domain.hu) and generates further addresses at that domain with random names, so the worm also mails recipients that were never harvested.

The emails always have the same subject and the same attachment name:

From : [spoofed sender]
To : [harvested address]
Subject : Kepeslap erkezett 
Body :

Tisztelt felhasználó!

Önnek képeslapja érkezett!
A képeslap feladója: [spoofed address]
A lapot az alábbi cimen tudja megtekinteni:
http//matav.hu/viewcard/index=p4uo5683535GSb0123fhhf578840f0623cv2
vagy a mellékelt internetlink kattintásával.

Üdvözlettel: Matav e-card!
http//www.netezz.matav.hu/


Translated:

Subject: A postcard has arrived
Dear Customer!

You received a new e-card!
Sender: [spoofed address]
You can view your e-card at the following address:
http//matav.hu/viewcard/index=p4uo5683535GSb0123fhhf578840f0623cv2
or by clicking the attached Internet-link.
Best regards: Matav e-card
http//www.netezz.matav.hu/

Attachment :
link.matav.hu.viewcard.index42ADR4502HHJeTYWYJDF334GSDEv25546.com
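The lure is fixed enough to detect at the mail gateway. The following Python is an added example and is not part of the McAfee profile: it parses a raw message and reports which of the indicators above (subject, lure URL in the body, the link.matav.hu.viewcard.index...com attachment name, any executable attachment) are present. The sample message is constructed, the sender and recipient are invented, the attachment body is a placeholder, and the function names and verdict rule are this example's own assumptions.

```python
# Added detection example, not code from the McAfee profile. Scores a raw RFC 822
# message against the W32/Zafi@MM lure shown above. The sample message is
# constructed; the function names and the verdict rule are this example's own.
import re
from email import message_from_bytes

LURE_SUBJECT = "Kepeslap erkezett"
LURE_URL = "matav.hu/viewcard/"
# link.matav.hu.viewcard.index<random>.com - a .COM executable with a URL-looking name
LURE_ATTACHMENT = re.compile(r"^link\.matav\.hu\.viewcard\.index[A-Za-z0-9]+\.com$", re.IGNORECASE)
EXECUTABLE_EXTENSIONS = (".com", ".exe", ".scr", ".pif", ".bat")


def plain_text_body(msg):
    """Concatenate the text/plain parts that are not attachments, decoded per their charset."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "latin-1", "replace"))
    return "\n".join(chunks)


def zafi_mail_indicators(raw):
    """Return the list of lure indicators present in a raw message (bytes)."""
    msg = message_from_bytes(raw)
    hits = []
    if (msg.get("Subject") or "").strip() == LURE_SUBJECT:
        hits.append("subject")
    if LURE_URL in plain_text_body(msg):
        hits.append("lure_url")
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        if LURE_ATTACHMENT.match(filename):
            hits.append("attachment_name")
        elif filename.lower().endswith(EXECUTABLE_EXTENSIONS):
            hits.append("executable_attachment")
    return hits


def is_zafi_lure(raw):
    """Verdict: the e-card wording alone is only text; an executable attachment decides."""
    hits = zafi_mail_indicators(raw)
    return "attachment_name" in hits or (
        "subject" in hits and "lure_url" in hits and "executable_attachment" in hits)


# Constructed sample reproducing the lure (attachment body is a placeholder, not worm
# content; sender and recipient are invented).
SAMPLE_MAIL = """\
From: kuldo@example.hu
To: cimzett@example.hu
Subject: Kepeslap erkezett
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="zafi-sample"

--zafi-sample
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Tisztelt felhasználó!

Önnek képeslapja érkezett!
A lapot az alábbi cimen tudja megtekinteni:
http//matav.hu/viewcard/index=p4uo5683535GSb0123fhhf578840f0623cv2
vagy a mellékelt internetlink kattintásával.

--zafi-sample
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="link.matav.hu.viewcard.index42ADR4502HHJeTYWYJDF334GSDEv25546.com"

bm90IGEgcmVhbCBzYW1wbGU=
--zafi-sample--
""".encode("utf-8")

if __name__ == "__main__":
    print(zafi_mail_indicators(SAMPLE_MAIL), is_zafi_lure(SAMPLE_MAIL))
```

The attachment-name pattern matches this variant's fixed prefix; the fallback rule (subject plus lure URL plus any executable attachment) is there so a renamed attachment in a later variant still trips the check, at the cost of needing all three signals.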

The worm monitors the process list and terminates processes with the following file names. Most belong to antivirus and personal-firewall products; regedit.exe and taskmgr.exe are also killed, which hinders manual inspection of the Run key and of the running worm process:

  • dfw.exe
  • fsav32.exe
  • fsbwsys.exe
  • fsgk32.exe
  • fsm32.exe
  • fssm32.exe
  • fvprotect.exe
  • mcagent.exe
  • navapw32.exe
  • navdx.exe
  • navstub.exe
  • navw32.exe
  • nc2000.exe
  • ndd32.exe
  • netarmor.exe
  • netinfo.exe
  • netmon.exe
  • nmain.exe
  • nprotect.exe
  • ntvdm.exe
  • ostronet.exe
  • outpost.exe
  • pccguide.exe
  • pcciomon.exe
  • regedit.exe
  • regedit32.exe
  • taskmgr.exe
  • tnbutil.exe
  • vbcons.exe
  • vbsntw.exe
  • vbust.exe
  • vsmain.exe
  • vsmon.exe
  • vsstat.exe
  • winlogon.exe
  • zonalarm.exe


Removal Instructions

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations