FRISK Software International


Summary of W32/Zafi.B@mm
Alias: W32.Erkez.B@mm
Length: 12800 bytes
Discovered: 11 Jun 2004
Definition files: 13 Jun 2004
Risk Level: Low
Distribution: Low
Infection Method: Arrives as an e-mail carrying an infected attachment.
Payload: Spreads by sending infected e-mails to addresses harvested from the infected system.
 

Brief Description
Zafi.B is a mass-mailing worm, packed with FSG, 12800 bytes in size.
The worm copies itself from its current location into %systemdir% under a randomly generated 8-character name (where %systemdir% is the Windows system directory of the infected machine, e.g. C:\WINDOWS or C:\WINNT).
It also creates 11 additional files in %systemdir%, each with a randomly generated 8-character name and a ".dll" extension.
As an additional payload, the worm searches for files whose names reference the keywords "firewall" or "virus"; where it finds a match, every executable file in that directory is replaced with a copy of the worm.
Zafi.B also traverses the fixed drives C:\ through H:\ and drops a copy of itself under the name "winamp 7.0 full_install.exe" or "Total Commander 7.0 full_install.exe" into any directory whose name contains "share" or "upload".



As with other variants of the Zafi family, the worm stores runtime information in the registry. The base key for that information is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb]



Zafi.B's primary infection vector is mass-mailing, performed by an SMTP routine contained in the worm's body; it does not depend on the victim's mail client. The worm harvests addresses from the Windows Address Book and by scanning whatever fixed drives exist from C:\ through H:\ for files with the following extensions: ".htm", ".wab", ".txt", ".dbx", ".tbb", ".asp", ".php", ".sht", ".adb", ".mbx", ".eml", ".pmr".
The worm avoids sending e-mail to addresses that contain any of the following strings:
"win", "use", "info", "help", "admi", "webm", "micro", "msn", "hotm", "suppor", "syma", "vir", "trend", "panda", "yaho", "cafee", "sopho", "google", "kasper".
The worm carries hard-coded message bodies localized for the following top-level domains: ".hu", ".sp", ".ru", ".dk", ".ro", ".se", ".no", ".fi", ".lt", ".pl", ".pt", ".de", ".nl", ".cz", ".fr", ".it", ".mx", ".at". For all other domains it sends a default English template.


Technical Description
Zafi.B is a mass-mailing worm, packed with FSG, 12800 bytes in size. When executed, the worm creates a mutex named "_Hazafibb". If that mutex already exists the worm exits, unless it was given the string "_Haz" as a command-line parameter, in which case it resumes normal execution.

On first execution the worm copies itself from its current location into %systemdir% under a randomly generated 8-character name (where %systemdir% is the Windows system directory of the infected machine, e.g. C:\WINDOWS or C:\WINNT).
It also creates 11 additional files in %systemdir%, each with a randomly generated 8-character name and a ".dll" extension; these files hold various data gathered and/or generated by the worm at runtime.
The worm creates a file named "sys.txt" on the local hard drive. In some cases it copies the default Internet Explorer executable to "sys.txt".
Depending on certain conditions, the worm may open a browser window displaying the last URL visited on the infected system.

As an additional payload, the worm searches for files whose names reference the keywords "firewall" or "virus"; where it finds a match, every executable file in that directory is replaced with a copy of the worm. Security tools found this way are terminated first, and their paths are recorded in the registry (see the "aX" values below).
Zafi.B also traverses the fixed drives C:\ through H:\ and drops a copy of itself under the name "winamp 7.0 full_install.exe" or "Total Commander 7.0 full_install.exe" into any directory whose name contains "share" or "upload", so that it is picked up by file-sharing users.



As with other variants of the Zafi family, the worm stores runtime information in the registry. The base key for that information (note that its name matches the mutex) is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb]

Several registry values are created under this key; the most important are the following:
The "aX" values point to programs that Zafi.B terminated (if they were running) and whose executable files it overwrote with a copy of itself.
"aA"="%Path to program%"
"aB"="%Path to program%"

"b1"="%Registered owner%"
"b2"="%Default e-mail account%"
"b3"="%systemdir%\%random 8 character name%.exe"   (the file name of the Zafi.B copy residing in the system directory)

The following entries store the full path of each of the 11 files created by Zafi.B to hold its runtime data:
"b4"="%systemdir%\%random 8 character name%.dll"
...
"bE"="%systemdir%\%random 8 character name%.dll"

"cC"="%default e-mail server%"
"cD"=%counter%
"dA"="%paths of various programs searched for by the worm%"
...
"dI"="%paths of various programs searched for by the worm%"
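The value layout above is enough to drive host triage from a registry export alone. The following script is an added example (not F-PROT's or FRISK's code): it parses a .reg export of the _Hazafibb key, maps the documented value names onto what a responder needs (the worm copy, its 11 data files, the security programs it overwrote, the SMTP server and counter), and cross-checks the paths against the "8-character random name" pattern. The export text, paths, owner, mailbox and host name are constructed sample data, and the value-name-to-meaning mapping follows the list above.

```python
import re

# Constructed .reg export shaped after the value names documented above.
# Sample data only: the paths, owner, mailbox and host name are invented.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb]
"aA"="C:\\Program Files\\Firewall\\fw.exe"
"aB"="C:\\Program Files\\AntiVirus\\avscan.exe"
"b1"="Owner"
"b2"="owner@example.test"
"b3"="C:\\WINDOWS\\SYSTEM32\\kjhdfqwe.exe"
"b4"="C:\\WINDOWS\\SYSTEM32\\plkmjhyu.dll"
"b5"="C:\\WINDOWS\\SYSTEM32\\qazwsxed.dll"
"cC"="mail.example.test"
"cD"=dword:0000002a
"dA"="C:\\Program Files\\Firewall\\fw.exe"
'''

ZAFI_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb"

# "name"="string" or "name"=dword:xxxxxxxx, the two value kinds the page lists.
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg_key(text: str, key: str) -> dict:
    """Return {value name: value} for one key of a .reg (REGEDIT5) export."""
    values, in_key = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        if not in_key or not line:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, s, dword = m.groups()
        if dword is not None:
            values[name] = int(dword, 16)
        else:  # undo the export's backslash and quote escaping
            values[name] = s.replace("\\\\", "\\").replace('\\"', '"')
    return values


def triage(values: dict) -> dict:
    """Sort the documented value names into what an incident responder needs."""
    out = {"worm_copy": None, "data_files": [], "overwritten_programs": [],
           "program_paths": [], "smtp_server": None, "counter": None,
           "owner": None, "email": None}
    for name, v in values.items():
        if name == "b3":
            out["worm_copy"] = v                   # the worm's own copy in %systemdir%
        elif name == "b1":
            out["owner"] = v
        elif name == "b2":
            out["email"] = v                       # default mail account, abused as sender
        elif name.startswith("b"):
            out["data_files"].append(v)            # b4 .. bE: the 11 runtime .dll files
        elif name.startswith("a"):
            out["overwritten_programs"].append(v)  # killed and replaced by the worm
        elif name == "cC":
            out["smtp_server"] = v
        elif name == "cD":
            out["counter"] = v
        elif name.startswith("d"):
            out["program_paths"].append(v)         # programs the worm searched for
    return out


# 8-character base name with .exe or .dll, as the page describes the dropped files.
# Deliberately loose: legitimate names such as kernel32.dll match too, so use it to
# cross-check the registry paths, not as a standalone detector.
DROPPED_NAME_RE = re.compile(r"\\[^\\]{8}\.(?:exe|dll)$", re.IGNORECASE)


def looks_like_dropped_file(path: str) -> bool:
    return DROPPED_NAME_RE.search(path) is not None


def cleanup_list(reg_text: str) -> list:
    """Files to quarantine: the worm copy, its data files and the overwritten programs."""
    t = triage(parse_reg_key(reg_text, ZAFI_KEY))
    files = [t["worm_copy"]] + t["data_files"] + t["overwritten_programs"]
    return [f for f in files if f]


if __name__ == "__main__":
    for path in cleanup_list(SAMPLE_REG):
        tag = "random-name" if looks_like_dropped_file(path) else "named      "
        print(f"{tag}  {path}")
```

Note that the "aX" entries are not just indicators: they name firewall and antivirus executables that were replaced with the worm, so those programs have to be reinstalled rather than merely restarted. The "_Hazafibb" mutex is the matching live-host indicator on a machine that has not been rebooted.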


Zafi.B's primary infection vector is mass-mailing, performed by an SMTP routine contained in the worm's body; it does not depend on the victim's mail client. The worm harvests addresses from the Windows Address Book and by scanning whatever fixed drives exist from C:\ through H:\ for files with the following extensions: ".htm", ".wab", ".txt", ".dbx", ".tbb", ".asp", ".php", ".sht", ".adb", ".mbx", ".eml", ".pmr".
The worm avoids sending e-mail to addresses that contain any of the following strings:
"win", "use", "info", "help", "admi", "webm", "micro", "msn", "hotm", "suppor", "syma", "vir", "trend", "panda", "yaho", "cafee", "sopho", "google", "kasper".
The worm carries hard-coded message bodies localized for the following top-level domains: ".hu", ".sp", ".ru", ".dk", ".ro", ".se", ".no", ".fi", ".lt", ".pl", ".pt", ".de", ".nl", ".cz", ".fr", ".it", ".mx", ".at". For all other domains it sends a default English template.
A typical message sent by the W32/Zafi.B worm may look like one of the following (original text kept, English rendering in parentheses):


[From:] Anita
[Body:] eIngyen SMS!   (Free SMS!)
[Filename:] "regiszt.php?3124freesms.index777.pif"

[From:] Claudia
[Subject:] eImportante!   (Important!)
[Filename:] "link.informacion.phpV23.text.message.pif"
[Body:] Informacion importante que debes conocer, -   (Important information you need to know)

[From:] Katya
[Subject:] oKatya
[Filename:] "view.link.index.image.phpV23.sexHdg21.pif"

[Subject:] eE-Kort!   (E-card!)
[Filename:] "link.ekort.index.phpV7ab4.kort.pif"
[Body:] Mit hjerte banker for dig!   (My heart beats for you!)

[From:] Marica
[Subject:] eEcard!
[Filename:] "link.showcard.index.phpAv23.ritm.pif"
[Body:] De cand te-am cunoscut inima mea are un nou ritm!   (Since I met you, my heart has a new rhythm!)

Several larger templates are also used, including the following (original text kept, English rendering after each):
------------------------ hirdets -----------------------------

A sikeres 777sms.hu és az axelero.hu támogatásával újra
indul az ingyenes sms kuldu szolgáltatás! Jelenleg ugyan
korlátozott számban, napi 20 ingyen smst lehet felhasználni.
Kuldj te is SMST! Nehány kattintás és a mellékelt regisztrációs
lap kitöltése után azonnal igénybevehetu! Buvebb információt
a www.777sms.hu oldalon találsz, de siess, mert az elsu ezer
felhasználó között értékes nyereményeket sorsolunk ki!

(English: With the support of the successful 777sms.hu and axelero.hu, the free SMS sending service is starting again! For now only in limited numbers: 20 free SMS per day can be used. Send an SMS too! A few clicks and, after filling in the attached registration form, it can be used immediately! You will find more information at www.777sms.hu, but hurry, because valuable prizes will be raffled among the first thousand users!)

------------------------ axelero.hu ---------------------------

Hallo!
hat dir eine elektronische Flashcard geschickt.
Um die Flashcard ansehen zu koennen, benutze in deinem Browser
einfach den nun folgenden link:
h__p://flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34
Viel Spass beim Lesen wuenscht Ihnen ihr...

(English: Hello! ... has sent you an electronic Flashcard. To view the Flashcard, simply use the following link in your browser: h__p://flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34 Enjoy reading, wishes your...)

Hallo!
heeft u een eCard gestuurd via de website nederlandse
taal in het basisonderwijs...
U kunt de kaart ophalen door de volgende url aan te klikken of te
kopiren in uw browser link:
h__p://postkaarten.nl/viewcard.show53.index=04abD1

(English: Hello! ... has sent you an eCard via the website "Dutch language in primary education"... You can pick up the card by clicking the following url or copying it into your browser link: h__p://postkaarten.nl/viewcard.show53.index=04abD1)

Ahoj!
vous a envoye une E-carte partir du site zdnet.fr
Vous la trouverez, l'adresse suivante link:
h__p://zdnet.fr/showcard.index.php34bs42
www.zdnet.fr, plus de 3500 cartes virtuelles, vos pages web
en 5 minutes, du dialogue en direct...

Francesca

(English: Hi! ... has sent you an E-card from the site zdnet.fr. You will find it at the following link: h__p://zdnet.fr/showcard.index.php34bs42 www.zdnet.fr, more than 3500 virtual cards, your web pages in 5 minutes, live chat... Francesca)


Ciao!

ha visitato il nostro sito, cartolina.it e ha creato una
cartolina virtuale per te! Per vederla devi fare click
sul link sottostante: h__p://cartolina.it/asp.viewcard=index4g345a
Attenzione, la cartolina sara visibile sui nostri server per
2 giorni e poi verra rimossa automaticamente.

(English: Hello! ... visited our site, cartolina.it, and created a virtual postcard for you! To see it you must click on the link below: h__p://cartolina.it/asp.viewcard=index4g345a Attention, the postcard will be visible on our servers for 2 days and will then be removed automatically.)

Dear Customer!

You`ve got 1 VoiceMessage from voicemessage.com website!
You can listen your Virtual VoiceMessage at the following link:
h__p://virt.voicemessage.com/index.listen.php2=35affv
or by clicking the attached link.

Send VoiceMessage! Try our new virtual VoiceMessage Empire!
Best regards: SNAF.Team (R).

Hi Honey!

I`m in hurry, but i still love ya...
(as you can see on the picture)

Bye-Bye
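The templates above share a structure that a mail gateway can key on: a ".pif" executable whose file name imitates a URL path ("link.ekort.index.phpV7ab4.kort.pif"), a short subject from a fixed list, and an e-card or voice-message lure in the body. The following script is an added example (not F-PROT's or FRISK's code) that scores messages on those traits and runs over constructed sample traffic modelled on the templates. The weights and threshold are this example's own choice; subjects are compared by containment so that the single leading letter in the listing above, whose origin the page does not explain, does not matter; the sample messages are invented.

```python
import re
from dataclasses import dataclass


@dataclass
class Message:
    sender: str
    subject: str
    attachment: str  # attachment file name, "" if none
    body: str


# Subject fragments taken from the templates listed above.
LURE_SUBJECTS = ("Ingyen SMS!", "Importante!", "Katya", "E-Kort!", "Ecard!")

# Web-looking tokens that appear inside the worm's attachment names before the
# real .pif extension.
URL_TOKENS = ("php", "index", "asp", "showcard", "viewcard")

# Fake e-card / voice-message links in the bodies (the page shows them defanged
# as "h__p://", a live message would carry "http://").
BODY_LURE_RE = re.compile(r"h__p://|https?://\S*(?:\.php|viewcard|showcard|listen)", re.I)


def attachment_is_url_lookalike(name: str) -> bool:
    """A .pif whose name is several dot-separated parts containing a web token."""
    n = name.lower()
    return n.endswith(".pif") and n.count(".") >= 2 and any(t in n for t in URL_TOKENS)


def score(msg: Message) -> int:
    """Additive score; the weights are this example's own choice, not from the page."""
    s = 0
    if msg.attachment.lower().endswith(".pif"):
        s += 1  # any .pif attachment is an executable and suspicious on its own
    if attachment_is_url_lookalike(msg.attachment):
        s += 2  # the Zafi.B naming trick: a path-like name ending in .pif
    if any(t.lower() in msg.subject.lower() for t in LURE_SUBJECTS):
        s += 1
    if BODY_LURE_RE.search(msg.body):
        s += 1
    return s


THRESHOLD = 3  # example choice: a bare .pif alone is not enough to block


def is_zafi_b_like(msg: Message) -> bool:
    return score(msg) >= THRESHOLD


# Constructed sample traffic (invented, not real captures).
SAMPLES = [
    Message("Anita", "eIngyen SMS!", "regiszt.php?3124freesms.index777.pif",
            "Ingyen SMS!"),
    Message("Claudia", "eImportante!", "link.informacion.phpV23.text.message.pif",
            "Informacion importante que debes conocer, -"),
    Message("Marica", "eEcard!", "link.showcard.index.phpAv23.ritm.pif",
            "De cand te-am cunoscut inima mea are un nou ritm!"),
    Message("Accounts", "Invoice 4471", "invoice-4471.pdf",
            "Please find the invoice attached."),
    Message("IT", "Printer driver", "setup.pif",
            "Run the attached installer."),
]


def flagged(samples=SAMPLES) -> list:
    """Senders of the messages the rule would quarantine."""
    return [m.sender for m in samples if is_zafi_b_like(m)]


if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m.sender:9} score={score(m)} flagged={is_zafi_b_like(m)}")
```

Two operational caveats follow from the description above. Because the worm mails through its own SMTP routine, outbound TCP/25 from workstations is the network-side symptom; a gateway rule like this one only catches copies arriving from outside. And because the worm skips any address containing "admi", "webm", "suppor", "info" or "help", sample-collection mailboxes named postmaster, abuse or support will never receive a copy; use an ordinary-looking local part for such sensors.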


FSI Viruslab
 

