Virus Profile: W32/Zafi.c@MM

Threat Search
Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 10/27/2004
Date Added: 10/27/2004
Origin: Hungary?
Length: 15,993 bytes (FSG packed)
Type: Virus
Subtype: E-mail worm
DAT Required: 4401
Removal Instructions


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Outgoing messages matching the description below
  • Registry keys and file system changes matching the details below


The worm drops a copies of itself within the Windows system (%SysDir%) directory:

  • c:\WINNT\system32\
  • c:\WINNT\system32\svchost.con

System startup is hooked via addition of the following Registry key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Run "_svchost.con" = %SysDir%\

The worm creates the following Registry key, within which various data is stored (for example, filepaths of the local files created that contain harvested email addresses):


Methods of Infection

Mail Propagation

The worm contains its own SMTP engine for constructing outgoing messages. Target email addresses are harvested from the victim machine, from files with the following extensions:

  • htm
  • wab
  • txt
  • dbx
  • tbb
  • asp
  • php
  • sht
  • adb
  • mbx
  • eml
  • pmr

Harvested email addresses are stored in "SVCHOST.COn" files within %SysDir% (where n is digit). These files are referenced within the data key described above.

The worm does not send emails to addresses containing any of the following strings:

  • info
  • help
  • aol
  • webm
  • micro
  • msn
  • suppor
  • syma
  • vir
  • trend
  • panda
  • cafee
  • sopho
  • google
  • kasper

Outgoing messages are constructed with multiple subject lines, message bodies and attachment filenames.

P2P Propagation

The worm makes multiple copies of itself using the filename "DOOM33 KEYGEN.EXE" in local directories containing the following strings:

  • share
  • upload
  • downlo

For example:

  • c:\Program Files\Common Files\Microsoft Shared\doom3 keygen.exe
  • c:\WINNT\Downloaded Program Files\doom3 keygen.exe

Process termination payload

In an attempt to thwart manual identification and cleaning of an infected machine, the worm will attempt to terminate processes containing any of the following strings:

  • reged
  • msconfig
  • task

Denial of Service payload

This variant also delivers a DoS attack (HTTP) on three remote sites:


Virus Characteristics

-- Update October 27, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:,39020369,39171748,00.htm


This variant bears similarities to its predecessors, for example W32/Zafi.b@MM .

  • contains its own SMTP engine to construct outgoing messages
  • spoofs the From: address
  • harvests target email addresses from the victim machine
  • outgoing message may contain message bodies in Hungarian or English
  • the virus carries derogatory comments concerning other high profile viruses in 2004
  • the virus is intended to perform a denial of service (DoS) attack against the following web sites:

At the time of writing AVERT has received just a single sample of this virus from the field.

PC Infected? Get Expert Help

Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!