W32/Zafi.D@mm is a mass-mailing worm, packed with FSG and 11,745 bytes in size. When executed, the worm creates a mutex named 'Wxp4' to ensure that only one copy of the worm is active on an infected system. The worm copies itself to the system directory under the name "Norton Update.exe". As with the A variant, the worm uses a random function to generate another copy under a random 8-character name with a ".dll" extension.
The worm also creates several other files with random 8-character names and ".dll" extensions. These files store data while the worm is running, including e-mail addresses, both harvested and generated. Additionally, the worm creates a log file, saved by default on the "C:\" drive under the name "s.cm".
Like previous variants of the W32/Zafi family, the worm uses the registry to store a variety of information gathered during runtime. W32/Zafi.D@mm creates and uses the following key on infected systems:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wxp4]
The values beginning with "t", followed by a digit or letter, are similar to those of previous variants and hold harvested information: the registered owner, the default mail server, and the names of the files containing e-mail addresses that the worm harvests from the Windows Address Book and by scanning any fixed drives present from "C:\" through "H:\". The worm scans files with the following extensions: ".htm", ".wab", ".txt", ".dbx", ".tbb", ".asp", ".php", ".sht", ".adb", ".mbx", ".eml", ".pmr", ".fpt", ".inb". The worm also places a copy of itself, under the name "winamp 5.7 new!.exe" or "ICQ 2005a new!.exe", in any folder named "share", "upload" or "music" on those fixed drives.
To ensure that the worm is executed on each Windows startup, it creates the following registry value:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wxp4"="%SystemDirectory%\Norton Update.exe"
The worm displays a pop-up window with the following caption and message text:
CRC: 04F7Bh
Error in packed file!
The screenshot below depicts a typical e-mail sent out by W32/Zafi.D@mm:
W32/Zafi.D@mm chooses from several hardcoded templates when sending e-mails. These include messages in several languages, selected according to the top-level domain of the harvested address. Examples of these templates are:
[From:] T. Maria
[Subject:] boldog karacsony...
[Body:] Kellemes Unnepeket!
[From:] N. Fernandez
[Subject:] Feliz Navidad!
[Body:] Feliz Navidad!
[From:] V. Tatyana
[Subject:] ecard.ru
[From:] Pamela M.
[Subject:] Merry Christmas!
[Body:] Happy Hollydays!
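The two steps described above (harvesting addresses from files with the listed extensions, then picking a template by the address's top-level domain) are reproduced below in a harmless form. This is an added illustration written for this page, not the worm's code: the directory tree and its contents are constructed inline, and the mapping from top-level domain to template is an assumption (the write-up only says the choice is TLD-based and gives the four templates quoted above).

```python
"""
Added illustration of Zafi.D's harvest-and-template logic (not the worm's code).
Sample files are constructed in a temporary directory; the TLD -> template
mapping is an assumption based on the templates quoted in the write-up.
"""
import os
import re
import tempfile

# Extensions the worm scans on fixed drives (taken from the write-up).
HARVEST_EXTS = {".htm", ".wab", ".txt", ".dbx", ".tbb", ".asp", ".php",
                ".sht", ".adb", ".mbx", ".eml", ".pmr", ".fpt", ".inb"}

# (sender, subject, body) per top-level domain. The keys are an assumption;
# the write-up lists no body for the Russian template, so it is left empty.
TEMPLATES = {
    "hu": ("T. Maria", "boldog karacsony...", "Kellemes Unnepeket!"),
    "es": ("N. Fernandez", "Feliz Navidad!", "Feliz Navidad!"),
    "ru": ("V. Tatyana", "ecard.ru", ""),
}
DEFAULT_TEMPLATE = ("Pamela M.", "Merry Christmas!", "Happy Hollydays!")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest(root):
    """Walk `root`, read only files whose extension is in HARVEST_EXTS and
    return the sorted, de-duplicated e-mail addresses found in them."""
    found = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in HARVEST_EXTS:
                continue  # not one of the scanned extensions
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    found.update(m.group(0).lower()
                                 for m in EMAIL_RE.finditer(fh.read()))
            except OSError:
                continue
    return sorted(found)


def pick_template(address):
    """Select the template by the address's top-level domain (assumed mapping)."""
    tld = address.rsplit(".", 1)[-1].lower()
    return TEMPLATES.get(tld, DEFAULT_TEMPLATE)


def build_messages(addresses):
    """Pair each harvested address with its (sender, subject, body) template."""
    return [(addr,) + pick_template(addr) for addr in addresses]


def demo():
    """Construct a small tree, run both steps and return the message list."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample content, not real data
            "contacts.wab": "alice@example.hu; bob@example.es",
            "mail/inbox.dbx": "From: carol@example.ru\nTo: dave@example.com",
            "notes.docx": "ignored@example.hu",   # extension is not scanned
        }
        for rel, text in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return build_messages(harvest(root))


if __name__ == "__main__":
    for addr, sender, subject, body in demo():
        print(f"{addr:<18} From: {sender:<13} Subject: {subject:<20} Body: {body}")
```

The `.docx` file is there to show the extension filter doing its work: an address in a file the worm does not scan never reaches the mailing routine, which is also why the harvested-address files named in the "t" registry values only ever list these extensions.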
W32/Zafi.D@mm starts six threads that carry out the mass-mailing routine, and an additional thread opens a backdoor on the infected system on port 8181. This backdoor allows a remote party to upload a binary that is then executed on the infected system. Any binary uploaded through this backdoor is saved under the %SystemDirectory% folder.
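The indicators given throughout this description (the Wxp4 mutex and registry key, the Run value, the dropped files, the log file and the port 8181 backdoor) can be checked together on a host. The triage helper below is an added example written for this page; it is not the write-up's code or a vendor tool. The snapshot layout it consumes (a dict of autorun values, registry keys, mutex names, listening ports and file paths) is an assumption made for the example: on a real host you would fill it from the registry, the file system, a handle listing and netstat output. The character set of the random 8-character ".dll" names is also an assumption.

```python
"""
Added triage helper for the Zafi.D indicators in the write-up (not the
write-up's own code). The snapshot dict layout is an assumption for this
example; the sample snapshots below are constructed, not real host data.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DATA_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wxp4"
DROP_NAMES = {"winamp 5.7 new!.exe", "icq 2005a new!.exe"}
DROP_FOLDERS = {"share", "upload", "music"}
# The write-up says the extra files have random 8-character names and a .dll
# extension; the letters/digits character set is an assumption.
RANDOM_DLL = re.compile(r"^[a-z0-9]{8}\.dll$")


def check_host(snapshot):
    """Return a list of human-readable indicator matches for one host snapshot."""
    hits = []
    run_value = snapshot.get("autoruns", {}).get((RUN_KEY, "Wxp4"), "")
    if run_value.lower().endswith(r"\norton update.exe"):
        hits.append("Run value Wxp4 -> " + run_value)
    if DATA_KEY in snapshot.get("registry_keys", []):
        hits.append("data key " + DATA_KEY + " present")
    if "Wxp4" in snapshot.get("mutexes", []):
        hits.append("mutex Wxp4 held")
    if 8181 in snapshot.get("listening_ports", []):
        hits.append("port 8181 listening (backdoor thread)")

    sysdir = snapshot.get("system_dir", r"C:\WINDOWS\system32").lower()
    for path in snapshot.get("files", []):
        p = path.lower()
        folder, _, name = p.rpartition("\\")
        if folder == sysdir and name == "norton update.exe":
            hits.append("worm body " + path)
        elif folder == sysdir and RANDOM_DLL.match(name):
            # Weak indicator on its own: legitimate 8-character DLLs exist.
            hits.append("candidate random-name .dll " + path)
        elif name in DROP_NAMES and folder.rsplit("\\", 1)[-1] in DROP_FOLDERS:
            hits.append("share-folder drop " + path)
        elif p == "c:\\s.cm":  # default log location from the write-up
            hits.append("log file " + path)
    return hits


# Constructed snapshots for the demonstration (not real host data).
INFECTED = {
    "system_dir": r"C:\WINDOWS\system32",
    "autoruns": {(RUN_KEY, "Wxp4"): r"C:\WINDOWS\system32\Norton Update.exe"},
    "registry_keys": [DATA_KEY],
    "mutexes": ["Wxp4"],
    "listening_ports": [135, 445, 8181],
    "files": [
        r"C:\WINDOWS\system32\Norton Update.exe",
        r"C:\WINDOWS\system32\qwhzjkla.dll",
        r"C:\WINDOWS\system32\kernel32.dll",  # legitimate; shows why the .dll rule is weak
        r"D:\share\winamp 5.7 new!.exe",
        r"C:\s.cm",
    ],
}
CLEAN = {
    "system_dir": r"C:\WINDOWS\system32",
    "autoruns": {(RUN_KEY, "ctfmon.exe"): r"C:\WINDOWS\system32\ctfmon.exe"},
    "registry_keys": [],
    "mutexes": [],
    "listening_ports": [135, 445],
    "files": [r"C:\WINDOWS\system32\ntoskrnl.exe", r"D:\share\readme.txt"],
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, check_host(snap) or "no indicators")
```

The random-name ".dll" rule is deliberately reported as "candidate" rather than a match: `kernel32.dll` is also eight characters, so that indicator only carries weight alongside the mutex, the Run value or the open port 8181. The mutex and the Run value are the cheapest confirmations, since both names are fixed in the sample.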