Win32.Zafi.D@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Zafi.D@mm is also known as W32/Zafi.d@MM, Email-Worm.Win32.Zafi.d.
Explanation:
The worm arrives via e-mail; the subject and body are localized according to the domain suffix of the recipient address (.hu .de .nl .cz .fr .it .com .ru):
From: spoofed
Subject: one of:
Christmas Kort!
Christmas Vykort!
Christmas Postkort!
Christmas postikorti!
Christmas Atviruka!
Christmas - Kartki!
Weihnachten card.
Prettige Kerstdagen!
Christmas pohlednice
Body: a Christmas card with yellow stars and the following message at the bottom:
Picture Size: 11 KB, Mail: +OK
Once the attachment has been executed, the virus will do the following:
1. Creates the "Wxp4" mutex so that only one instance runs at a time
2. Blocks processes whose image name contains one of the substrings reged, msconfig or task (e.g. regedit, taskman, taskmon, mstask, msconfig), so the user cannot inspect or remove the autostart entry
3. Searches for e-mail addresses in files matching: htm,wab,txt,dbx,tbb,asp,php,sht,adb,mbx,eml,pmr,fpt,inb
4. Avoids e-mail addresses containing: yaho,google,win,use,info,help,admi,webm,micro,msn,hotm,suppor,syman,viru,trend,secur,panda,cafee,sopho,kasper
5. Stores the harvested e-mail addresses in randomly named .dll files in the %SYSTEM% folder
6. Creates registry key and entries:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Wxp4]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Wxp4"="%SYSTEM%\Norton Update.exe"
7. Uses its own SMTP engine to send itself to the harvested addresses. It guesses a mail server by prepending smtp. or mx. (and similar prefixes) to the domain of the harvested address, falling back to a built-in default SMTP server.
8. Copies itself into folders whose name contains "share", "upload" or "music" (typically peer-to-peer shares), as "winamp 5.7 new!.exe" and/or "ICQ 2005a new!.exe"
9. May create the file c:\s.cm

Last update 21 November 2011
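The steps above give enough concrete indicators to write a simple host-side check, and two of the rules (the address filter in step 4 and the process blocking in step 2) are worth re-implementing to see how crude they are. The following is an added example, not part of the BitDefender entry: it matches the registry, file and name indicators listed above against constructed sample data. The key paths, file names and substring lists are taken from the description; the sample registry entries, paths and addresses are made up for illustration, and nothing here reads a live system.

```python
# Added example (not from the BitDefender entry): indicator check and
# re-implementation of two filtering rules of Win32.Zafi.D@mm as described above.
# All sample registry entries, paths and addresses below are constructed.
from __future__ import annotations

# Indicators taken from the description (compared case-insensitively).
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Wxp4"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Wxp4"
RUN_VALUE_FILE = "norton update.exe"
SIDE_FILE = r"c:\s.cm"
SHARE_DIR_MARKERS = ("share", "upload", "music")
SHARE_COPY_NAMES = ("winamp 5.7 new!.exe", "icq 2005a new!.exe")

# Step 4: substrings that make the worm skip an address.
SKIP_ADDRESS_SUBSTRINGS = ("yaho", "google", "win", "use", "info", "help", "admi",
                           "webm", "micro", "msn", "hotm", "suppor", "syman", "viru",
                           "trend", "secur", "panda", "cafee", "sopho", "kasper")
# Step 2: substrings of process names the worm blocks.
BLOCKED_PROCESS_SUBSTRINGS = ("reged", "msconfig", "task")


def check_registry(entries: list[tuple[str, str, str]]) -> list[str]:
    """entries: (key, value name, value data) as exported from the registry.
    Returns one finding per matching indicator (marker key, autostart entry)."""
    findings = []
    for key, name, data in entries:
        k = key.lower()
        if k == MARKER_KEY.lower():
            findings.append(f"marker key present: {key}")
        elif k == RUN_KEY.lower() and (
            name.lower() == RUN_VALUE_NAME.lower()
            or data.lower().endswith(RUN_VALUE_FILE)
        ):
            findings.append(f"autostart entry {name!r} -> {data}")
    return findings


def check_files(paths: list[str]) -> list[str]:
    """Flag the dropped side file and worm copies placed in share/upload/music folders."""
    findings = []
    for path in paths:
        norm = path.replace("/", "\\").lower()
        parts = norm.split("\\")
        directories, name = parts[:-1], parts[-1]
        if norm == SIDE_FILE:
            findings.append(f"side file: {path}")
        elif name in SHARE_COPY_NAMES and any(
            marker in d for d in directories for marker in SHARE_DIR_MARKERS
        ):
            findings.append(f"worm copy in shared folder: {path}")
    return findings


def would_mail(address: str) -> bool:
    """Step 4 as a predicate: the worm drops any address that contains one of
    the skip substrings anywhere, local part or domain."""
    a = address.lower()
    return not any(s in a for s in SKIP_ADDRESS_SUBSTRINGS)


def is_blocked_process(image_name: str) -> bool:
    """Step 2 as a predicate: plain substring match on the image name."""
    n = image_name.lower()
    return any(s in n for s in BLOCKED_PROCESS_SUBSTRINGS)


if __name__ == "__main__":
    # Constructed sample data representing an infected host.
    registry = [
        (RUN_KEY, "Wxp4", r"C:\WINDOWS\system32\Norton Update.exe"),
        (RUN_KEY, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
        (MARKER_KEY, "", ""),
    ]
    files = [
        r"C:\Documents and Settings\user\My Music\winamp 5.7 new!.exe",
        r"C:\s.cm",
        r"C:\Program Files\Winamp\winamp.exe",
    ]
    for finding in check_registry(registry) + check_files(files):
        print("FOUND:", finding)
    for addr in ("alice@example.org", "support@example.org", "bob@hotmail.com"):
        print(addr, "mailed" if would_mail(addr) else "skipped")
    for proc in ("regedit.exe", "taskmgr.exe", "schtasks.exe", "notepad.exe"):
        print(proc, "blocked" if is_blocked_process(proc) else "allowed")
```

Two points the predicates make visible: the address filter is a bare substring test over the whole address, so a legitimate target such as dwinters@example.org is skipped because it contains "win", while the process rule blocks anything containing "task" (schtasks.exe included, not just Task Manager). Run the file with no arguments to see the sample findings; the check functions take an exported registry listing and a path list, so they can be fed the output of a real export on a suspect machine.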