When W32/Zafi.G is first run it displays a bogus message box showing the message:
Windows has blocked access to this image.
The worm opens a minimal backdoor whose only capability is to accept a file upload and then execute the uploaded file.
Creates the mutex "__ZF5"
Terminates the following processes if found running:
Terminates services with the following display names:
Windows Firewall/Internet Connection Sharing (ICS)
Searches the hard drives C:\ through H:\ for filenames with any of the following extensions:
and directory names with any of the following substrings:
The worm harvests e-mail addresses from the files found and copies itself to the above-mentioned directories under either of these names:
Adobe Acrobat 8.0.exe
Divx Player 7.0.exe
The worm copies itself to %WINDIR%\system32\%AV%_Update-%NUM%.exe
where %NUM% is some randomly generated number and %AV% is "Symantec" or one of the following if their product is installed:
The worm can do this more than once with different random numbers.
Creates multiple files named %NUM%Z.dll where %NUM% is some random number. Some of these files contain harvested e-mail addresses and others are a copy of the worm.
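The mutex name and the file-naming patterns above can be turned into a simple indicator matcher for triage of sandbox or endpoint output. The code below is an added example, not part of this write-up; the event list is constructed, the vendor names other than "Symantec" are not given on this page, so the `%AV%` slot is matched as any single word (an assumption), and the `%NUM%Z.dll` pattern is matched in any directory because the write-up does not state where those files are created.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

MUTEX_NAME = "__ZF5"
# Copies dropped into the harvested directories (names from the write-up).
DROPPED_NAMES = {"adobe acrobat 8.0.exe", "divx player 7.0.exe"}
# %WINDIR%\system32\%AV%_Update-%NUM%.exe; the casing of "Update" varies on the
# page, so match case-insensitively. %AV% is assumed to be one word.
UPDATE_EXE = re.compile(r"^[a-z0-9]+_update-\d+\.exe$", re.IGNORECASE)
# %NUM%Z.dll (harvested addresses or a worm copy); directory not stated.
HARVEST_DLL = re.compile(r"^\d+z\.dll$", re.IGNORECASE)


def classify_file(path: str) -> Optional[str]:
    """Return an indicator tag for a Windows path, or None if it does not match."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    in_system32 = str(p.parent).lower().endswith("\\system32")
    if in_system32 and UPDATE_EXE.match(name):
        return "fake-av-update"
    if HARVEST_DLL.match(name):
        return "harvest-dll"
    if name in DROPPED_NAMES:
        return "dropped-copy"
    return None


def match_events(events: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (kind, value) observations by the Zafi.G indicator they match."""
    hits: Dict[str, List[str]] = {}
    for kind, value in events:
        tag = None
        if kind == "mutex" and value == MUTEX_NAME:
            tag = "mutex"
        elif kind == "file":
            tag = classify_file(value)
        if tag:
            hits.setdefault(tag, []).append(value)
    return hits


# Constructed sample observations, as a sandbox might report them.
SAMPLE_EVENTS = [
    ("mutex", "__ZF5"),
    ("file", r"C:\WINDOWS\system32\Symantec_Update-48213.exe"),
    ("file", r"C:\WINDOWS\system32\77190Z.dll"),
    ("file", r"D:\shared\Divx Player 7.0.exe"),
    ("file", r"C:\WINDOWS\system32\kernel32.dll"),
    ("mutex", "Global\\UnrelatedMutex"),
]

if __name__ == "__main__":
    for tag, values in match_events(SAMPLE_EVENTS).items():
        print(tag, values)
```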
Creates the key:
and adds several values to it, so that it can locate its files and e-mailing information, amongst other things.
Queries the registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Account Manager]
to find an e-mail server.
Queries the registry key
to see if any of the following antivirus products are installed on the system:
to the key:
for one of the %WINDIR%\system32\%AV%_update-%NUM%.exe files.
The worm can send e-mails in several languages.
It avoids sending itself to e-mail addresses containing the strings:
Depending on the language of the e-mail, the attachment can have one of the following names:
The attachment has one of the following extensions: