Threat Description

Zafi.A

Details

Aliases: Zafi.A, W32/Zafi.A@mm, I-Worm.Kapes, W32.Erkez.A@mm
Category: Malware
Type: Email-Worm
Platform: W32

Summary



Zafi is a mass-mailing worm that sends infected emails with Hungarian text and an executable attachment whose file name is disguised as a web link. The worm sends emails only to addresses that end in .hu, so it is unlikely to spread outside Hungary. Zafi was programmed to be active only in April and stops working on the 1st of May.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details



System Infection

When first run, Zafi copies itself to the Windows System Directory under a random file name. The copy is then registered to run at start-up under a random value name in the following registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

To disguise its activity, the worm opens a random URL taken from the user's browser history. This is meant to make the user believe that the link in the infected email was actually opened, rather than an executable having been run.

Another copy of the worm is created with a random name and a '.DLL' extension.

The email addresses the worm harvests are written to several other '.DLL' files in the System Directory.

Email Propagation

Zafi collects email addresses by scanning through files with the following extensions:

htm
wab
txt
dbx
tbb
asp
php
sht
adb
mbx
eml
pmr

The worm sends infected messages to every collected address that ends in '.hu'.

The infected emails have the following structure:

From: <infected@sender> or <kepeslapok@meglep.hu>
To: <targeted@user>
Subject: kepeslap erkezett!

Tisztelt felhasználo!
Önnek kepeslapja erkezett!
A kepeslap feladoja: Erzsi
A lapot az alábbi cimen tudja megtekinteni:
http//matav.hu/viewcard/index=p4uo5683535GSb0123fhhf578840f0623cv2
vagy a mellekelt internetlink kattintásával.

Üdvözlettel: Matav e-card!
http//www.netezz.matav.hu/

(In English: "A postcard has arrived!" / "Dear user! You have received a postcard! The sender of the postcard: Erzsi. You can view the card at the following address: ... or by clicking the attached internet link. Regards: Matav e-card!")

The attachment is named 'link.matav.hu.viewcard.index42ADR4502HHJeTYWYJDF334GSDEv25546.com'. The long, link-like name is intended to hide the executable '.com' extension at its end.
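As an added illustration (not part of the original F-Secure write-up), the following Python script shows how a mail gateway could flag messages matching the structure documented above: the fixed sender address, the fixed subject line, the matav.hu "viewcard" lure in the body, and an executable attachment whose name imitates a link. The three sample messages are constructed for this example, and the indicator names and the two-indicator threshold are this example's own choices, not anything the worm or the product defines.

```python
"""Flag e-card lure messages with the Zafi.A structure (added example, not F-Secure code)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Indicators taken from the message structure documented above.
ZAFI_SENDER = "kepeslapok@meglep.hu"
ZAFI_SUBJECT = "kepeslap erkezett!"
# The attachment name imitates a matav.hu "viewcard" link but ends in an executable extension.
LINK_DISGUISED_EXE = re.compile(r"^link\.matav\.hu\.viewcard\.index\w+\.com$", re.IGNORECASE)
EXEC_EXTENSIONS = (".com", ".exe", ".scr", ".pif", ".bat")


def zafi_indicators(raw_message: str) -> list[str]:
    """Return the Zafi.A indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []

    if parseaddr(msg.get("From", ""))[1].lower() == ZAFI_SENDER:
        hits.append("from:" + ZAFI_SENDER)
    if (msg.get("Subject") or "").strip().lower() == ZAFI_SUBJECT:
        hits.append("subject:" + ZAFI_SUBJECT)

    body = msg.get_body(preferencelist=("plain",))
    if body is not None and "matav.hu/viewcard" in body.get_content().lower():
        hits.append("body:matav.hu viewcard lure")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if LINK_DISGUISED_EXE.match(name):
            hits.append("attachment:link-disguised executable " + name)
        elif name.endswith(EXEC_EXTENSIONS):
            hits.append("attachment:executable " + name)
    return hits


def is_zafi_like(raw_message: str) -> bool:
    """Require at least two indicators, one of them an executable attachment.

    A message that only reuses the subject line (for example an administrator
    warning users) is not flagged; the worm always carries the executable.
    """
    hits = zafi_indicators(raw_message)
    return len(hits) >= 2 and any(h.startswith("attachment:") for h in hits)


# Constructed sample messages for this example (not captured worm traffic).
ZAFI_SAMPLE = """From: kepeslapok@meglep.hu
To: valaki@example.hu
Subject: kepeslap erkezett!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Tisztelt felhasznalo!
A lapot az alabbi cimen tudja megtekinteni:
http//matav.hu/viewcard/index=p4uo5683535GSb0123fhhf578840f0623cv2
vagy a mellekelt internetlink kattintasaval.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="link.matav.hu.viewcard.index42ADR4502HHJeTYWYJDF334GSDEv25546.com"
Content-Transfer-Encoding: base64

ZHVtbXk=
--b1--
"""

BENIGN_SAMPLE = """From: barat@example.hu
To: valaki@example.hu
Subject: Photos from the weekend
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Here are the photos.
--b2
Content-Type: image/jpeg
Content-Disposition: attachment; filename="photo.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQ
--b2--
"""

FORWARDED_WARNING = """From: admin@example.hu
To: valaki@example.hu
Subject: kepeslap erkezett!
Content-Type: text/plain; charset="us-ascii"

Do not open mails with this subject; they carry the Zafi worm.
"""

if __name__ == "__main__":
    for label, sample in [("zafi", ZAFI_SAMPLE), ("benign", BENIGN_SAMPLE), ("warning", FORWARDED_WARNING)]:
        print(label, is_zafi_like(sample), zafi_indicators(sample))
```

The attachment check is the one that matters: the sender and subject are trivially changed by a new variant, whereas an executable whose name is dressed up as a link is the behaviour a gateway should block regardless of the surrounding text.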

Payload

On the 1st of May Zafi displays a political message and exits.

The other payload is a routine that terminates the processes of various security applications and system tools. Note that the list also includes core Windows processes such as winlogon.exe, which is a critical process on NT-based Windows; terminating it crashes the system rather than merely disabling a tool.

zonalarm.exe
vbsntw.exe
vbcons.exe
pccguide.exe
outpost.exe
regedit.exe
regedit32.exe
navapw32.exe
pcciomon.exe
navdx.exe
navstub.exe
navw32.exe
nc2000.exe
ndd32.exe
netmon.exe
netarmor.exe
netinfo.exe
nmain.exe
nprotect.exe
ntvdm.exe
ostronet.exe
vsmain.exe
vsmon.exe
vsstat.exe
vbust.exe
mcagent.exe
fsav32.exe
fssm32.exe
fsm32.exe
fsbwsys.exe
fsgk32.exe
dfw.exe
tnbutil.exe
taskmgr.exe
winlogon.exe
fvprotect.exe
 




