FRISK Software International


Summary of W32/Zafi.D@mm
Alias: W32.Erkez.D@mm
Length: 11.745 bytes
Discovered: 14 Dec 2004
Definition files: 14 Dec 2004
Risk Level: High
Distribution: High
Infection Method: Spreads through e-mails containing infected attachments
Payload: Compromises the infected system's security by opening a backdoor through which external programs can be uploaded from a remote location and executed
 

Brief Description
W32/Zafi.D@mm is a mass-mailing worm that creates a backdoor on infected systems. The worm arrives by e-mail disguised as a Christmas greeting card. Once executed, the worm copies itself to the system directory under the name "Norton Update.exe". It creates several additional files containing copies of the worm along with data harvested from the system's hard drive. These files have random 8-character names and a ".dll" extension.
The following registry modifications are performed:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wxp4]
Contains harvested data, pointers to files used by the worm etc.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wxp4"="%SystemDirectory%\Norton Update.exe"

The worm searches files on fixed drives from c:\ through h:\, selected by extension, and harvests e-mail addresses from them. The worm also searches the Windows address book.


Technical Description
W32/Zafi.D@mm is a mass-mailing worm, packed with FSG, 11.745 bytes in size. When executed, the worm creates a mutex named 'Wxp4', which ensures that only one copy of the worm is active on an infected system. The worm copies itself to the system directory under the name "Norton Update.exe". As in the A variant, the worm uses a random function to generate another copy under a random 8-character name with a ".dll" extension.
The worm also creates several other files with random 8-character names and ".dll" extensions. These files store data while the worm is running, including e-mail addresses both harvested and generated. Additionally, the worm creates a log file and by default saves it on the "C:\" drive under the name "s.cm".

Like previous variants of the W32/Zafi family, the worm uses the registry to store a variety of information gathered during runtime. W32/Zafi.D@mm creates and uses the following key on infected systems:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wxp4]

The entries beginning with "t", followed by a digit or character, are similar to those of previous variants and are used to store harvested information. This includes the registered owner, the default mail server, and the names of the files containing e-mail addresses that the worm harvests from the Windows address book and by scanning any fixed drives present from "C:\" through "H:\". The worm scans for files with the following extensions: ".htm", ".wab", ".txt", ".dbx", ".tbb", ".asp", ".php", ".sht", ".adb", ".mbx", ".eml", ".pmr", ".fpt", ".inb". The worm places a copy of itself under the name "winamp 5.7 new!.exe" or "ICQ 2005a new!.exe" in any folder named "share", "upload" or "music" on those fixed drives.
To ensure that the worm is executed on each Windows startup, it creates the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wxp4"="%SystemDirectory%\Norton Update.exe"

The worm displays a pop-up window with the following caption:

CRC: 04F7Bh
Error in packed file!

The screenshot below depicts a typical e-mail sent out by W32/Zafi.D@mm:


W32/Zafi.D@mm has several hardcoded templates it chooses from when sending out e-mails. These include multi-language messages, chosen based on the top-level domain of harvested addresses. Examples of these templates are:


[From:] T. Maria
[Subject:] boldog karacsony...
[Body:] Kellemes Unnepeket!

[From:] N. Fernandez
[Subject:] Feliz Navidad!
[Body:] Feliz Navidad!

[From:] V. Tatyana
[Subject:] ecard.ru

[From:] Pamela M.
[Subject:] Merry Christmas!
[Body:] Happy Hollydays!
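A mail-gateway check for the e-card lure described above, as an added example (not F-PROT's code). The subjects are the ones quoted in the templates; the attachment names and the sample messages are constructed here, since the advisory does not give an attachment name, so the whole thing runs offline on Python's standard `email` package.

```python
"""Mail-gateway check for the e-card lure described in the advisory.

Added example, not F-PROT code. The subjects come from the advisory's
templates; the attachment names are constructed (the advisory does not
give one), and the sample messages are built locally so this runs offline.
"""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subjects quoted from the advisory's templates, compared case-insensitively.
LURE_SUBJECTS = {"boldog karacsony...", "feliz navidad!", "ecard.ru", "merry christmas!"}
# Extensions a gateway should never let through in a greeting-card mail.
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def assess(raw_bytes):
    """Return (verdict, reasons) for one RFC 822 message given as bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    subject = str(msg["Subject"] or "").strip().lower()
    reasons = []
    # Walk every MIME part; get_filename() reads the Content-Disposition name.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and os.path.splitext(filename.lower())[1] in EXEC_EXT:
            reasons.append(f"executable attachment {filename!r}")
    if subject in LURE_SUBJECTS:
        reasons.append(f"subject matches Zafi.D template {subject!r}")
    # An executable attachment alone is decisive; a matching subject alone
    # only warrants a look, since real greetings use the same words.
    if any(r.startswith("executable") for r in reasons):
        return "quarantine", reasons
    return ("review" if reasons else "pass"), reasons


def build_sample(sender, subject, body, attachment=None):
    """Construct a test message; the attachment payload is a dummy, not a real binary."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"MZ" + b"\0" * 14, maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


# Constructed samples: one lure-shaped message, one innocent greeting,
# one unrelated business mail with a non-executable attachment.
LURE_MAIL = build_sample("Pamela M. <pamela@example.invalid>", "Merry Christmas!",
                         "Happy Hollydays!", attachment="card.exe")  # constructed name
PLAIN_MAIL = build_sample("Colleague <c@example.invalid>", "Merry Christmas!",
                          "See you in January.")
REPORT_MAIL = build_sample("Finance <f@example.invalid>", "Q4 figures",
                           "Attached.", attachment="q4.pdf")

if __name__ == "__main__":
    for raw in (LURE_MAIL, PLAIN_MAIL, REPORT_MAIL):
        print(assess(raw))
```

The subject list is deliberately only a secondary signal: the worm picks its template by the recipient's top-level domain, so any fixed list will miss variants, whereas blocking executable attachments outright catches the delivery mechanism regardless of the wording.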

W32/Zafi.D@mm sets up 6 threads that carry out the mass-mailing routine, and an additional thread opens a backdoor on the infected system on port 8181. This backdoor enables a remote upload of a binary that is executed on the infected system. Any binary uploaded through this backdoor will be saved under the %SystemDirectory% folder.
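The host-side indicators given throughout this description (the Wxp4 data key, the Run value pointing at "Norton Update.exe", the lure copies in share folders, the "s.cm" log and the port 8181 listener) can be checked from exported artefacts rather than on the live machine. The following is an added example, not F-PROT's code: it parses a `.reg` export, `netstat -ano` output and a file listing, all constructed below, and reports which indicators are present. The system directory path is an assumption passed in as a parameter.

```python
"""Offline triage for the W32/Zafi.D@mm indicators listed in the advisory.

Added example, not F-PROT code. It works on artefacts an analyst exports
from a suspect host (a .reg export, 'netstat -ano' output, a file listing),
so it runs anywhere; the samples at the bottom are constructed, not real.
"""
import re
from pathlib import PureWindowsPath

# Indicators quoted from the advisory.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DATA_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wxp4"
RUN_VALUE = "Wxp4"
DROPPED_EXE = "norton update.exe"
SHARE_LURES = {"winamp 5.7 new!.exe", "icq 2005a new!.exe"}
SHARE_DIRS = {"share", "upload", "music"}
LOG_FILE = r"c:\s.cm"
BACKDOOR_PORT = 8181

VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')
NETSTAT_LINE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)", re.I)


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [Key] headers and "name"="value" lines."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                # reg.exe writes backslashes escaped as \\ ; the advisory quotes them unescaped.
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def check_registry(keys):
    findings = []
    if any(k.lower() == DATA_KEY.lower() for k in keys):
        findings.append(f"registry: worm data key present: {DATA_KEY}")
    run = next((v for k, v in keys.items() if k.lower() == RUN_KEY.lower()), {})
    for name, value in run.items():
        # Match on the value name or on the dropped file name, in case one was changed.
        if name.lower() == RUN_VALUE.lower() or DROPPED_EXE in value.lower():
            findings.append(f"registry: autostart value {name!r} -> {value}")
    return findings


def check_listeners(netstat_text):
    findings = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m and int(m.group(1)) == BACKDOOR_PORT:
            findings.append(f"network: TCP {BACKDOOR_PORT} LISTENING, PID {m.group(2)}")
    return findings


def check_files(paths, system_dir=r"C:\WINDOWS\system32"):
    """system_dir is an assumption; pass the host's real %SystemDirectory%."""
    findings = []
    sysdir = system_dir.lower()
    for p in paths:
        win = PureWindowsPath(p)
        name, parent = win.name.lower(), str(win.parent).lower()
        if parent == sysdir and name == DROPPED_EXE:
            findings.append(f"file: dropped worm copy {p}")
        elif name in SHARE_LURES and win.parent.name.lower() in SHARE_DIRS:
            findings.append(f"file: share-folder lure {p}")
        elif str(win).lower() == LOG_FILE:
            findings.append(f"file: worm log {p}")
    return findings


def triage(reg_text, netstat_text, paths):
    return (check_registry(parse_reg_export(reg_text))
            + check_listeners(netstat_text) + check_files(paths))


# Constructed samples in the shape of 'reg export', 'netstat -ano' and a dir listing.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wxp4]
"t1"="Constructed Owner"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wxp4"="%SystemDirectory%\\Norton Update.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:8181           0.0.0.0:0              LISTENING       1644
"""
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\Norton Update.exe",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"D:\share\winamp 5.7 new!.exe",
    r"C:\s.cm",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_FILES):
        print(finding)
```

The random 8-character ".dll" copies are deliberately not matched by name pattern: legitimate system DLLs such as kernel32.dll have the same shape, so those files need a scanner or hash comparison rather than a filename rule. A listener on 8181 is reported with its PID so the owning process can be compared against the autostart entry.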

