When W32/Zafi.G is first run, it displays a bogus message box showing the message:
Windows has blocked access to this image.
The worm opens up a minimal backdoor whose only capability is to accept file upload and then execute the uploaded file.
Creates the mutex "__ZF5"
Terminates the following processes if found running:
nmain.exe
Luall.exe
nod32.exe
gcasDtServ.exe
nod32krn.exe
nod32kui.exe
AVLTMAIN.EXE
MRT.exe
gcasServ.exe
avginet.exe
inetupd.exe
fpavupdm.exe
Updater.exe
pcclient.exe
F-StopW.exe
drwebupw.exe
QH32.EXE
QHM32.EXE
LIVEUP.exe
savmain.exe
savprogess.exe
nod32.exe
bdmcon.exe
bdlite.exe
McUpdate.exe
mcmnhdlr.exe
VBInstTmp.exe
vbcmserv.exe
vbcons.exe
fspex.exe
Terminates services with the following display names:
Windows Firewall/Internet Connection Sharing (ICS)
AMON
Security Center
Filesystem
Searches the hard drives C:\ through H:\ for filenames with any of the following extensions:
htm
wab
txt
dbx
tbb
asp
php
sht
adb
mbx
eml
pmr
fpt
inb
and directory names with any of the following substrings:
share
upload
music
startup
The worm harvests e-mail addresses from the files found and copies itself to the above-mentioned directories under either of these names:
Adobe Acrobat 8.0.exe
Divx Player 7.0.exe
The worm copies itself to %WINDIR%\system32\%AV%_Update-%NUM%.exe
where %NUM% is some randomly generated number and %AV% is "Symantec" or one of the following if their product is installed:
Kaspersky
McAfee
Panda
Sophos
Trend
The worm can do this more than once with different random numbers.
Creates multiple files named %NUM%Z.dll where %NUM% is some random number. Some of these files contain harvested e-mail addresses and others are a copy of the worm.
Registry
Creates the key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\__ZF5]
and adds several values to it, so that it can locate its files and e-mailing information, amongst other things.
Queries the registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Account Manager]
to find an e-mail server.
Queries the registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
to see if any of the following antivirus products are installed on the system:
Kaspersky
McAfee
Panda
Sophos
Trend
Adds value:
"__ZF5"="%WINDIR%\system32\%AV%_update-%NUM%.exe"
to the key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
for one of the %WINDIR%\system32\%AV%_update-%NUM%.exe files.
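As an added defender-side example (not part of the original description), the following Python checks a dump of the Run key and a file listing against the file-name and registry indicators described above; the sample registry values and paths are constructed, the random %NUM% is assumed to be decimal digits, and the mutex and process-termination indicators are not covered.

```python
import re
from pathlib import PureWindowsPath
# Indicator values as listed in the description above; matching is case-insensitive.
RUN_VALUE_NAME = "__ZF5"
AV_NAMES = ("Symantec", "Kaspersky", "McAfee", "Panda", "Sophos", "Trend")
DROPPER_NAMES = ("adobe acrobat 8.0.exe", "divx player 7.0.exe")
SHARE_DIR_SUBSTRINGS = ("share", "upload", "music", "startup")
# %WINDIR%\system32\%AV%_Update-%NUM%.exe, with %NUM% assumed to be decimal digits
UPDATE_EXE_RE = re.compile(r"\\system32\\(?:" + "|".join(AV_NAMES) + r")_update-\d+\.exe$", re.I)
# %NUM%Z.dll (the description gives no directory, so the name is matched anywhere)
Z_DLL_RE = re.compile(r"^\d+z\.dll$", re.I)

def check_run_key(run_values):
    # run_values: {value_name: value_data} dumped from HKLM\...\CurrentVersion\Run
    hits = []
    for name, data in run_values.items():
        if name == RUN_VALUE_NAME:
            hits.append((name, "zafi-run-value-name"))
        elif UPDATE_EXE_RE.search(data):
            hits.append((name, "zafi-update-exe-path"))
    return hits

def check_files(paths):
    # paths: full Windows file paths, e.g. from a walk of drives C: through H:
    hits = []
    for p in paths:
        win = PureWindowsPath(p)
        name = win.name.lower()
        dirs = [part.lower() for part in win.parts[:-1]]
        if UPDATE_EXE_RE.search(p):
            hits.append((p, "zafi-update-exe-path"))
        elif Z_DLL_RE.match(name):
            hits.append((p, "zafi-z-dll"))
        elif name in DROPPER_NAMES and any(s in d for d in dirs for s in SHARE_DIR_SUBSTRINGS):
            hits.append((p, "zafi-share-copy"))
    return hits

# Constructed sample input standing in for a real registry dump and file listing.
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"C:\WINDOWS\system32\SecurityHealthSystray.exe",
    "__ZF5": r"C:\WINDOWS\system32\Symantec_update-28391.exe",
}
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\Symantec_update-28391.exe",
    r"C:\WINDOWS\system32\73912Z.dll",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Divx Player 7.0.exe",
    r"D:\Music\album\track01.mp3",
]
if __name__ == "__main__":
    print(check_run_key(SAMPLE_RUN_VALUES) + check_files(SAMPLE_PATHS))
```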
Mail routine
The worm can send e-mails in several languages.
It avoids sending itself to e-mail addresses containing the strings:
google
sale
service
info
help
admi
webm
micro
msn
hotm
suppor
soft.
zonela
Depending on the language of the e-mail, the attachment can have one of the following names:
udvozlolap
tarjeta
greeting
postcard
pohlednic
grusskarte
carte
galerij
The attachment has one of the following extensions:
cmd
scr
pif
com
zip