Virus Profile: W32/Zafi.f@MM

Threat Search
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 10/10/2005
Date Added: 10/10/2005
Origin: Unknown
Length: 15,673 bytes
Type: Virus
Subtype: E-mail worm
DAT Required: 4601
Removal Instructions


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection


When executed it displays a faker error message.

The worm drops the following files to the %windir%\system32 folder:

  • C:\WINNT\system32\ AntiVirus Update.exe - (Copy of itself)
  • C:\WINNT\system32\ foto5.jpz - (copy of itself)

It creates a registry key, so the file gets executed every time the machine starts:

\CurrentVersion\Run "Zi5" = C:\WINDOWS\SYSTEM32\AntiVirus Update.exe

It creates the following registry key to store information of the worm:


TCP port 2121 is opened on the infected system.

Methods of Infection

This worm does not use any exploit code in order to execute the mail attachment automatically. A user has to doubleclick on an infected attachment or a file shared via P2P to infect the machine.

For machines where the worm has overwritten binaries associated with AV or firewall software, it would be very easy for a user to mistakenly execute the worm.


Virus Characteristics

This new variant contains the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • spoofs the From: address
  • harvests target email addresses from the victim  machine
  • outgoing email message body is either in Hungarian or English
  • displays p2p worm behavior
  • shuts down security services

Mail Propagation

The worm can send itself as an attachment in email with any of the following extensions: ZIP, CMD, PIF, BAT or COM.

The worm harvests email addresses from files with the following extensions:

  • htm
  • wab
  • txt
  • dbx
  • tbb
  • asp
  • php
  • sht
  • adb
  • mbx
  • eml
  • pmr
  • fpt
  • inb

Harvested addresses are stored in five files in the system32 folder using random names and the file extension .DLL. For example:

  • c:\WINDOWS\SYSTEM32\kffxwnxr.dll
  • c:\WINDOWS\SYSTEM32\duiyaqkz.dll
  • c:\WINDOWS\SYSTEM32\zojwrmrz.dll
  • c:\WINDOWS\SYSTEM32\umxhmjkq.dll
  • c:\WINDOWS\SYSTEM32\jffrvtir.dll
  • c:\WINDOWS\SYSTEM32\gvssswhf.dll
  • c:\WINDOWS\SYSTEM32\jfcbajiw.dll
  • c:\WINDOWS\SYSTEM32\znilpgfy.dll
  • c:\WINDOWS\SYSTEM32\jarioqju.dll

The worm avoids sending itself to certain email addresses, those containing any of the following strings:

  • google
  • win
  • use
  • info
  • help
  • admi
  • webm
  • micro
  • msn
  • hotmai
  • suppor
  • soft
  • support 
  • symant
  • www
  • service
  • test
  • viru
  • trend
  • secur
  • panda
  • cafee
  • sopho
  • kasper
  • linux
  • subsc
  • sales
  • contact@
  • -faq
  • nod3
  • bitde
  • eset
  • panda
  • mcafe

The body of the email sent by the worm are in the form of a MSN Photo Email . Like previous variants, the worm sends itself out in different languages depending on the Top Level Domain (TLD) of the recipient's address. For example, a user with a .COM mail address, will receive the English mail body, while someone with an .DE Mail address will receive the German body.

Below is an example of an email sent by this worm. The graphic and format of the email in other languages are the same.

P2P Propagation

The worm copies itself to directories on the C: drive containing one of the following strings:

  • shar
  • uploa
  • musi

It copies itself using the below filenames:

  • AntiVirus Update.exe

The worm also attempts to shutdown security services like firewalls, and AV software upon execution.

Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Additional Windows ME/XP removal considerations


PC Infected? Get Expert Help

Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!