Win32.Zafi.B@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases: Win32.Zafi.B@mm is also known as I-Worm.Zafi.B, Win32/Zafi.B, worm.
Explanation:
The virus arrives via e-mail in one of the following formats, one per recipient address domain (.hu .sp .ru .dk .ro .se .no .fi .lt .pl .pt .de .nl .cz .fr .it).
The From: field is spoofed.
Subject: eIngyen SMS!
Body:
------------------------ hirdetés -----------------------------
A sikeres 777sms.hu és az axelero.hu támogatásával újra
indul az ingyenes sms küldő szolgáltatás! Jelenleg ugyan
korlátozott számban, napi 20 ingyen smst lehet felhasználni.
Küldj te is SMST! Nehány kattintás és a mellékelt regisztrációs
lap kitöltése után azonnal igénybevehető! Bővebb információt
a www.777sms.hu oldalon találsz, de siess, mert az első ezer
felhasználó között értékes nyereményeket sorsolunk ki!
------------------------ axelero.hu ---------------------------
Attachment: regiszt.php?3124freesms.index777.pif
Subject: Importante!
Body: Informacion importante que debes conocer, -
Attachment: link.informacion.phpV23.text.message.pif
Subject: E-Kort!
Body: Mit hjerte banker for dig!
Attachment: link.ekort.index.phpV7ab4.kort.pif
Subject: Ecard!
Body: De cand te-am cunoscut inima mea are un nou ritm!
Attachment: link.showcard.index.phpAv23.ritm.pif
Subject: E-vykort!
Body: Till min Alskade...
Attachment: link.vykort.showcard.index.phpBn23.pif
Subject: E-Postkort!
Body: Vakre roser jeg sammenligner med deg...
Attachment: link.postkort.showcard.index.phpAe67.pif
Subject: E-postikorti!
Body: Iloista kesaa!
Attachment: link.postikorti.showcard.index.phpGz42.pif
Subject: Atviruka!
Body: Linksmo gimtadieno!
Attachment: link.atviruka.showcard.index.phpGz42.pif
Subject: E-Kartki!
Body: W Dniu imienin...
Attachment: link.kartki.showcard.index.phpVg42.pif
Subject: Cartoe Virtuais!
Body: Te amo...
Attachment: link.cartoe.viewcard.index.phpYj39.pif
Subject: Flashcard fuer Dich!
Body: Hallo!
hat dir eine elektronische Flashcard geschickt.
Um die Flashcard ansehen zu koennen, benutze in deinem Browser
einfach den nun folgenden link:
http://flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34
Viel Spass beim Lesen wuenscht Ihnen ihr...
Attachment: link.flashcard.de.viewcard34.php.2672aB.pif
Subject: Er staat een eCard voor u klaar!
Body: Hallo!
heeft u een eCard gestuurd via de website nederlandse
taal in het basisonderwijs...
U kunt de kaart ophalen door de volgende url aan te klikken of te
kopiëren in uw browser link:
http://postkaarten.nl/viewcard.show53.index=04abD1
Met vriendelijke groet,
De redactie taalsite primair onderwijs...
Attachment: postkaarten.nl.link.viewcard.index.phpG4a62.pif
Subject: Elektronicka pohlednice!
Body: Ahoj!
Elektronická pohlednice ze serveru http://www.seznam.cz
Attachment: link.seznam.cz.pohlednice.index.php2Avf3.pif
Subject: E-carte!
Body: vous a envoye une E-carte à partir du site zdnet.fr
Vous la trouverez, à l'adresse suivante link:
http://zdnet.fr/showcard.index.php34bs42
www.zdnet.fr, plus de 3500 cartes virtuelles, vos pages web
en 5 minutes, du dialogue en direct...
Attachment: link.zdnet.fr.ecarte.index.php34b31.pif
Subject: Ti e stata inviata una Cartolina Virtuale!
Body: Ciao!
ha visitato il nostro sito, cartolina.it e ha creato una
cartolina virtuale per te! Per vederla devi fare click
sul link sottostante: http://cartolina.it/asp.viewcard=index4g345a
Attenzione, la cartolina sara visibile sui nostri server per
2 giorni e poi verra rimossa automaticamente.
Attachment: link.cartoline.it.viewcard.index.4g345a.pif
Subject: You`ve got 1 VoiceMessage!
Body: Dear Customer!
You`ve got 1 VoiceMessage from voicemessage.com website!
Sender:
You can listen your Virtual VoiceMessage at the following link:
http://virt.voicemessage.com/index.listen.php2=35affv
or by clicking the attached link.
Send VoiceMessage! Try our new virtual VoiceMessage Empire!
Best regards: SNAF.Team (R).
Attachment: link.voicemessage.com.listen.index.php1Ab2c.pif
Subject: Tessek mosolyogni!!!
Body: Ha ez a kép sem tud felviditani, akkor feladom!
Sok puszi:
Attachment: meztelen csajok fociznak.flash.jpg.pif
Subject: Soxor Csok!
Body: Szia!
Aranyos vagy, jó volt dumcsizni veled a neten!
Remélem tetszem, és szeretném ha te is küldenél képet
magadról, addig is csók:
Attachment: anita.image043.jpg.pif
Subject: Don`t worry, be happy!
Body: Hi Honey!
I`m in hurry, but i still love ya...
(as you can see on the picture)
Bye - Bye:
Attachment: www.ecard.com.funny.picture.index.nude.php356.pif
Subject: Check this out kid!!!
Body: Send me back bro, when you`ll be done...(if you know what i mean...)
See ya,
Attachment: jennifer the wild girl xxx07.jpg.pif
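As an added example (not part of the BitDefender description), a small mail-gateway check that scores a message against the lure pattern shown above: a .pif attachment dressed up with a harmless-looking inner extension, combined with one of the subject lines listed. The Mail type and the functions assess and is_zafi_b_lure are names assumed for this example.

```python
import re
from typing import List, NamedTuple

# Lure subjects exactly as quoted in the description above.
ZAFI_B_SUBJECTS = {
    "eIngyen SMS!", "Importante!", "E-Kort!", "Ecard!", "E-vykort!", "E-Postkort!",
    "E-postikorti!", "Atviruka!", "E-Kartki!", "Cartoe Virtuais!", "Flashcard fuer Dich!",
    "Er staat een eCard voor u klaar!", "Elektronicka pohlednice!", "E-carte!",
    "Ti e stata inviata una Cartolina Virtuale!", "You`ve got 1 VoiceMessage!",
    "Tessek mosolyogni!!!", "Soxor Csok!", "Don`t worry, be happy!", "Check this out kid!!!",
}

# Every attachment name above ends in .pif and hides that behind an inner
# ".jpg" or a fake ".php<random>" web-script name (e.g. image043.jpg.pif).
FAKE_INNER_EXT = re.compile(r"\.(jpe?g|gif|php\w*|txt)\.", re.IGNORECASE)


class Mail(NamedTuple):
    subject: str
    attachment: str  # file name of the attachment, "" if there is none


def assess(mail: Mail) -> List[str]:
    """Return the Zafi.B indicators matched by one message, in a fixed order."""
    hits = []
    name = mail.attachment.lower()
    if name.endswith(".pif"):
        hits.append("pif-attachment")      # .pif runs directly on Windows
        if FAKE_INNER_EXT.search(name):
            hits.append("double-extension")  # benign-looking extension before .pif
    if mail.subject.strip() in ZAFI_B_SUBJECTS:
        hits.append("known-subject")
    return hits


def is_zafi_b_lure(mail: Mail) -> bool:
    """A .pif attachment plus at least one further indicator is treated as a lure;
    a lone .pif is reported by assess() but is not enough on its own."""
    hits = assess(mail)
    return "pif-attachment" in hits and len(hits) >= 2


if __name__ == "__main__":
    # Constructed samples built from the page's own subject/attachment pairs.
    for m in (Mail("Soxor Csok!", "anita.image043.jpg.pif"),
              Mail("Invoice", "report.pdf")):
        print(m.subject, "->", assess(m), is_zafi_b_lure(m))
```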
Once the attachment has been executed, the virus will do the following:
1. Creates the mutex _Hazafibb
2. Prevents execution of processes whose name contains regedit, msconfig or task (e.g. regedit, taskman, taskmon, mstask, msconfig)
3. Deletes the following files from the Windows folder: fvprotect.exe, winlogon.exe, services.exe, jammer2nd.exe
4. Checks whether the computer is connected to the Internet by attempting to contact google.com or microsoft.com
5. Searches for e-mail addresses in files with the extensions: htm, wab, txt, dbx, tbb, asp, php, sht, adb, mbx, eml, pmr
6. Skips e-mail addresses containing any of: win, use, info, help, admi, webm, micro, msn, hotm, suppor, syma, vir, trend, panda, yaho, cafee, sopho, google, kasper, office, nero, icq, game, winra, winzi, divx, movie, total, wina
7. Stores the harvested e-mail addresses in randomly named .dll files in the %SYSTEM% folder
8. Creates the following registry key and entries:
[HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"_Hazafibb"="%SYSTEM%\%random%.exe"
9. Uses its own SMTP engine to send itself to the harvested addresses. It attempts to obtain an SMTP server address by prepending smtp., mx. etc. to the domain of the harvested address, or else uses a default SMTP address.
10. Creates copies of itself in folders whose name contains "share" or "upload", as winamp 7.0 full_install.exe and/or Total Commander 7.0 full_install.exe
11. Creates a thread that attempts to flood www.parlament.hu, www.virusbuster.hu, www.virushirado.hu and www.2f.hu
12. May create the files C:\SYS.TXT and _upload.exe
13. The virus contains the following string:
A hajlektalanok elhelyezeset, a bunteto torvenyek szigoritasat, es a HALALBUNTETES MEGSZAVAZASAT koveteljuk a kormanytol, a novekvo bunozes ellen!2004, jun, Pecs,(SNAF Team).

Last update 21 November 2011
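As an added triage example (not code from BitDefender or from the page), a host check for two of the indicators listed above: the decoy copies dropped in share/upload folders (step 10) and the persistence value under the Run key (step 8). The function names and the constructed sample tree are this example's own assumptions; the registry check can only run on Windows and reports False elsewhere.

```python
import os
import sys
import tempfile
from typing import List

# Host indicators taken from the behaviour list above, value names as the page gives them.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "_Hazafibb"
DECOY_NAMES = {"winamp 7.0 full_install.exe", "total commander 7.0 full_install.exe"}
SHARE_MARKERS = ("share", "upload")


def find_decoy_copies(roots: List[str]) -> List[str]:
    """Walk the given trees and report the decoy file names wherever the
    directory path contains 'share' or 'upload' (step 10 above)."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            if not any(marker in dirpath.lower() for marker in SHARE_MARKERS):
                continue
            found.extend(os.path.join(dirpath, f) for f in files if f.lower() in DECOY_NAMES)
    return sorted(found)


def run_value_present() -> bool:
    """Look for the persistence value the worm writes under the HKLM Run key (step 8).
    Returns False on non-Windows hosts, where there is no registry to query."""
    if sys.platform != "win32":
        return False
    import winreg  # Windows-only module, hence the late import
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
            winreg.QueryValueEx(key, RUN_VALUE_NAME)
            return True
    except OSError:
        return False


def build_sample_tree() -> str:
    """Constructed fixture: a temporary tree with one decoy copy inside a 'share'
    folder and a same-named file outside any share/upload folder (must not match)."""
    base = tempfile.mkdtemp(prefix="zafi_demo_")
    for sub, name in (("public_share", "Winamp 7.0 full_install.exe"),
                      ("documents", "Winamp 7.0 full_install.exe"),
                      ("public_share", "readme.txt")):
        os.makedirs(os.path.join(base, sub), exist_ok=True)
        open(os.path.join(base, sub, name), "w").close()
    return base


if __name__ == "__main__":
    print("decoy copies:", find_decoy_copies([build_sample_tree()]))
    print("Run value present:", run_value_present())
```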