
Win32.Zafi.A@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Zafi.A@mm is also known as W32.Erkez.A@mm, W32/Zafi-A, WORM_ZAFI.A.

Explanation :

The virus arrives in an e-mail with the following format:

From: a spoofed e-mail address or the default kepeslapok@meglep.hu
Subject: kepeslap erkezett!
Body:

Tisztelt felhasználó!

Önnek képeslapja érkezett!
A képeslap feladója: A lapot az alábbi cimen tudja megtekinteni:
http//matav.hu/viewcard/index=psp4uo5683535GSb0123fhhf578840f0623cv2
vagy a mellékelt internetlink kattintásával.

Üdvözlettel: Matav e-card!
http//www.netezz.matav.hu/

(In English: "Dear user! A postcard has arrived for you! The postcard's sender: You can view the card at the address below, or by clicking the attached internet link. Regards: Matav e-card!")

Attachment: link.matav.hu.viewcard.index42ADR4502HHJeTYWYJDF334GSDEv25546.com
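A mail-gateway check for this lure, added here as an example (it is not BitDefender's code): it parses one message and reports which of the three observable indicators from the format above are present (the default sender address, the subject line, and the attachment name pattern). The two sample messages are constructed for the self-check, not real captures.

```python
import email
import re
from email import policy

# Indicators taken from the e-mail format described above.
ZAFI_SENDER = "kepeslapok@meglep.hu"
ZAFI_SUBJECT = "kepeslap erkezett!"
# The attachment is a .com executable named to look like the matav.hu
# "viewcard" URL; its middle part is random, so it is matched loosely.
ATTACH_RE = re.compile(r"^link\.matav\.hu\.viewcard\.index\w+\.com$", re.I)


def zafi_indicators(raw):
    """Return the lure indicators found in one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if ZAFI_SENDER in (msg.get("From") or "").lower():
        hits.append("sender")
    if (msg.get("Subject") or "").strip().lower() == ZAFI_SUBJECT:
        hits.append("subject")
    if any(ATTACH_RE.match(p.get_filename() or "") for p in msg.iter_attachments()):
        hits.append("attachment")
    return hits


def is_zafi_lure(raw):
    """The From address is usually spoofed, so do not rely on it alone:
    flag on the attachment name, or on any two indicators together."""
    hits = zafi_indicators(raw)
    return "attachment" in hits or len(hits) >= 2


# Constructed sample messages (not real captures) for a self-check.
LURE = b"""From: kepeslapok@meglep.hu
To: user@example.invalid
Subject: kepeslap erkezett!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment;
 filename="link.matav.hu.viewcard.index42ADR4502HHJeTYWYJDF334GSDEv25546.com"

TVoAAA==
--b1--
"""
BENIGN = (LURE.replace(b"kepeslapok@meglep.hu", b"alice@example.invalid")
              .replace(b"kepeslap erkezett!", b"Meeting notes")
              .replace(b"link.matav.hu.viewcard.index42ADR4502HHJeTYWYJDF334GSDEv25546.com",
                       b"notes.pdf"))
```

`zafi_indicators(LURE)` returns all three indicators and `is_zafi_lure` flags the message even when the From address is replaced by a spoofed one.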

Once run, the virus will do the following:

1. Checks whether the date is 1 May 2004 and, if it is, displays the following message:



2. Creates the aforementioned 7 randomly named files in the %SYSTEM% folder

3. Creates the aforementioned registry keys

4. Checks whether the computer is connected to the Internet by attempting to contact google.com

5. Attempts to terminate the following processes:

zonalarm.exe
vbsntw.exe
vbcons.exe
pccguide.exe
outpost.exe
regedit.exe
regedit32.exe
navapw32.exe
pcciomon.exe
navdx.exe
navstub.exe
navw32.exe
nc2000.exe
ndd32.exe
netmon.exe
netarmor.exe
netinfo.exe
nmain.exe
nprotect.exe
ntvdm.exe
ostronet.exe
vsmain.exe
vsmon.exe
vsstat.exe
vbust.exe
mcagent.exe
fsav32.exe
fssm32.exe
fsm32.exe
fsbwsys.exe
fsgk32.exe
dfw.exe
tnbutil.exe
taskmgr.exe
winlogon.exe
fvprotect.exe

6. Searches for e-mail addresses in files with the following extensions:

htm, wab, txt, dbx, tbb, asp, php, sht, adb, mbx, eml, pmr

and avoids searching in files with the extensions:

lnk, swp, ico, dll, vxd, mp3, wav, avi, mpg, zip, rar, exe, wmv, cab, pk3, jpg, gif, bmp

and stores the harvested e-mail addresses in 5 randomly named .dll files in the %SYSTEM% folder.

7. Opens Internet Explorer with a recently typed URL

8. Uses its own SMTP engine to send itself to the harvested e-mail addresses, but avoids sending to addresses containing:

microsoft
vir
trendmicro
avp
f-prot
hotmail
gov
anti
panda
norton

Last update 21 November 2011
