FRISK Software International


Summary of W32/Zafi.G@mm
Discovered: 26 Sep 2005
Definition files: 26 Sep 2005
Risk Level: High
Distribution: Low
 

Brief Description
W32/Zafi.G is a mass-mailing worm with backdoor capabilities. It copies itself to all folders containing "share", "upload", "music" and "startup" in their names under the name "Adobe Acrobat 8.0.exe" or "Divx Player 7.0.exe". This is done in an effort to propagate via peer-to-peer networks. It harvests e-mail addresses from the infected computer and sends itself as an attachment to those addresses. The worm sends e-mails in several languages.


Technical Description
When W32/Zafi.G is first run it displays a bogus message box showing the message:

Windows has blocked access to this image.

The worm opens up a minimal backdoor whose only capability is to accept file upload and then execute the uploaded file.

Creates the mutex "__ZF5"

Terminates the following processes if found running:

nmain.exe
Luall.exe
nod32.exe
gcasDtServ.exe
nod32krn.exe
nod32kui.exe
AVLTMAIN.EXE
MRT.exe
gcasServ.exe
avginet.exe
inetupd.exe
fpavupdm.exe
Updater.exe
pcclient.exe
F-StopW.exe
drwebupw.exe
QH32.EXE
QHM32.EXE
LIVEUP.exe
savmain.exe
savprogess.exe
nod32.exe
bdmcon.exe
bdlite.exe
McUpdate.exe
mcmnhdlr.exe
VBInstTmp.exe
vbcmserv.exe
vbcons.exe
fspex.exe

Terminates services with the following display names:

Windows Firewall/Internet Connection Sharing (ICS)
AMON
Security Center


Filesystem

Searches the hard drives C:\ through H:\ for filenames with any of the following extensions:

htm
wab
txt
dbx
tbb
asp
php
sht
adb
mbx
eml
pmr
fpt
inb

and directory names with any of the following substrings:

share
upload
music
startup

The worm harvests e-mail addresses from the files found and copies itself to the above-mentioned directories under either of these names:

Adobe Acrobat 8.0.exe
Divx Player 7.0.exe


The worm copies itself to %WINDIR%\system32\%AV%_Update-%NUM%.exe

where %NUM% is some randomly generated number and %AV% is "Symantec" or one of the following if their product is installed:

Kaspersky
McAfee
Panda
Sophos
Trend


The worm can do this more than once with different random numbers.

Creates multiple files named %NUM%Z.dll where %NUM% is some random number. Some of these files contain harvested e-mail addresses and others are a copy of the worm.


Registry

Creates the key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\__ZF5]

and adds several values to it, so that it can locate its files and e-mailing information, amongst other things.

Queries the registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Account Manager]

to find an e-mail server.

Queries the registry key

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

to see if any of the following antivirus products are installed on the system:

Kaspersky
McAfee
Panda
Sophos
Trend

Adds value:

"__ZF5"="%WINDIR%\system32\%AV%_update-%NUM%.exe"

to the key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

for one of the %WINDIR%\system32\%AV%_update-%NUM%.exe files.
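The filesystem and registry indicators described above, as an added example (not F-PROT's own tooling): a Python sweep over a constructed file listing and registry snapshot that flags the %AV%_update-%NUM%.exe droppers, the %NUM%Z.dll data files, the P2P lure copies and the __ZF5 registry entries. The sample listing, the snapshot layout and the helper names are assumptions for illustration.

```python
import re
from typing import Dict, Iterable, List, Optional

# Indicators taken from the description above.
AV_NAMES = ("Symantec", "Kaspersky", "McAfee", "Panda", "Sophos", "Trend")
DROPPER_RE = re.compile(r"^(?:%s)_update-\d+\.exe$" % "|".join(AV_NAMES), re.IGNORECASE)
DATA_DLL_RE = re.compile(r"^\d+Z\.dll$", re.IGNORECASE)
LURE_NAMES = {"adobe acrobat 8.0.exe", "divx player 7.0.exe"}
LURE_DIR_WORDS = ("share", "upload", "music", "startup")
WORM_REG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\__ZF5"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

def classify_path(path: str) -> Optional[str]:
    """Return the indicator class a file path matches, or None."""
    directory, _, name = path.replace("/", "\\").rpartition("\\")
    lower_dir = directory.lower()
    in_system32 = lower_dir.endswith("\\system32")
    if in_system32 and DROPPER_RE.match(name):
        return "dropper"
    if in_system32 and DATA_DLL_RE.match(name):
        return "data-dll"
    # Lure copies sit in a folder whose own name contains one of the substrings.
    last_dir = lower_dir.rsplit("\\", 1)[-1]
    if name.lower() in LURE_NAMES and any(w in last_dir for w in LURE_DIR_WORDS):
        return "p2p-lure"
    return None

def registry_indicators(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """reg maps a key path to {value name: data}; returns the hits found."""
    hits = []
    if WORM_REG_KEY in reg:
        hits.append("key:" + WORM_REG_KEY)
    run_data = reg.get(RUN_KEY, {}).get("__ZF5")
    if run_data is not None:
        hits.append("run:" + run_data)
    return hits

def sweep(paths: Iterable[str], reg: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    report = {"dropper": [], "data-dll": [], "p2p-lure": [], "registry": registry_indicators(reg)}
    for p in paths:
        kind = classify_path(p)
        if kind:
            report[kind].append(p)
    return report

SAMPLE_PATHS = [  # constructed file listing (hypothetical, not from a real infection)
    r"C:\WINDOWS\system32\Symantec_Update-48213.exe",
    r"C:\WINDOWS\system32\McAfee_update-9031.exe",
    r"C:\WINDOWS\system32\7731Z.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\Program Files\KaZaA\My Shared Folder\Adobe Acrobat 8.0.exe",
    r"C:\Users\Music\Divx Player 7.0.exe",
    r"C:\Documents\Adobe Acrobat 8.0.exe",
]
SAMPLE_REG = {  # constructed registry snapshot
    WORM_REG_KEY: {"path": r"C:\WINDOWS\system32\Symantec_Update-48213.exe"},
    RUN_KEY: {"__ZF5": r"C:\WINDOWS\system32\Symantec_Update-48213.exe", "ctfmon": "ctfmon.exe"},
}
```

Running `sweep(SAMPLE_PATHS, SAMPLE_REG)` reports two droppers, one data DLL, two lure copies and both registry entries; the copy under C:\Documents is ignored because that folder name contains none of the worm's substrings.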


Mail routine

The worm can send e-mails in several languages.

It avoids sending itself to e-mail addresses containing the strings:

google
sale
service
info
help
admi
webm
micro
msn
hotm
suppor
soft.
zonela

Depending on the language of the e-mail, the attachment can have one of the following names:

udvozlolap
tarjeta
greeting
postcard
pohlednic
grusskarte
carte
galerij


The attachment has one of the following extensions:

cmd
scr
pif
com
zip



Removal Instructions
For general removal instructions please click here.

Marteinn Þór Harðarson