F-Secure Virus Descriptions : Zafi.A




NAME:Zafi.A
ALIAS:W32/Zafi.A@mm, I-Worm.Kapes, W32.Erkez.A@mm
SIZE:11776
ORIGIN:Hungary

Summary

Zafi is a mass-mailing worm that sends infected emails with Hungarian text and an attachment disguised as a link.

The worm sends emails only to addresses that end with .hu so it is not likely to spread outside Hungary.

Zafi was programmed to be active only in April and will cease to work starting from the 1st of May.

Disinfection

F-Secure provides a special disinfection utility to eliminate the Zafi.A worm infection. You can download this utility from our ftp site:

ftp://ftp.f-secure.com/anti-virus/tools/f-zafi.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-zafi.zip

Disinfection instructions can be found here:

ftp://ftp.f-secure.com/anti-virus/tools/f-zafi.txt

System administrators who are using F-Secure Policy Manager can distribute the tool as a JAR package automatically to all workstations.

System administrators can download the JAR version from:

http://www.f-secure.com/tools/f-zafi.jar

ftp://ftp.f-secure.com/anti-virus/tools/f-zafi.jar



Detailed Description

System Infection

When first run, Zafi copies itself to the Windows System Directory with a random name. The copy is then added to the registry with a random name under

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

To disguise its presence the worm opens a random link from the user's browser history. This tries to make the user believe that an actual link was opened from the infected email.

Another copy of the worm is created with a random name and '.DLL' extension.

The list of addresses the worm collects is written to several other '.DLL' files in the System Directory.

Email Propagation

Zafi collects email addresses by scanning through files with the following extensions:

 htm
 wab
 txt
 dbx
 tbb
 asp
 php
 sht
 adb
 mbx
 eml
 pmr

The worm sends infected messages to all collected addresses that end with '.hu'.

The infected emails have the following structure (the Hungarian body text tells the recipient that an e-card from 'Erzsi' has arrived and can be viewed at the address given or by clicking the attached internet link):

 From: <infected@sender> or <kepeslapok@meglep.hu>
 To: <targeted@user>
 Subject: kepeslap erkezett!

 Tisztelt felhasználó!

 Önnek képeslapja érkezett!
 A képeslap feladója: Erzsi
 A lapot az alábbi cimen tudja megtekinteni:
 http//matav.hu/viewcard/index=p4uo5683535GSb0123fhhf578840f0623cv2
 vagy a mellékelt internetlink kattintásával.

 Üdvözlettel: Matav e-card!
 http//www.netezz.matav.hu/

The attachment is named 'link.matav.hu.viewcard.index42ADR4502HHJeTYWYJDF334GSDEv25546.com'; the long name with embedded dots is meant to look like a link while the '.com' extension makes it an executable.
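As an added example (not part of the original description), the following Python code shows how a mail gateway filter could match the message structure above: the fixed subject, the spoofed sender, the Hungarian body marker and the attachment name. The sample message is constructed here for illustration, and the attachment regex generalises over the alphanumeric index string so that a variant with a different index still matches; that generalisation is an assumption, not something the description states.

```python
import re
from email import policy
from email.parser import BytesParser

# Indicators taken from the email structure described in the Zafi.A page.
ZAFI_SUBJECT = "kepeslap erkezett!"
ZAFI_FAKE_SENDER = "kepeslapok@meglep.hu"
ZAFI_BODY_MARKER = "Önnek képeslapja érkezett!"
# Assumption: the alphanumeric tail after 'index' may vary between samples,
# so it is matched with a character class rather than the literal string.
ZAFI_ATTACHMENT_RE = re.compile(
    r"^link\.matav\.hu\.viewcard\.index[0-9a-z]+\.com$", re.IGNORECASE
)


def zafi_indicators(raw_message: bytes) -> list:
    """Return the Zafi.A indicators found in one raw RFC 822 message.

    The result is a list of indicator names in the order they are checked;
    an empty list means no indicator matched.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    hits = []
    if str(msg["Subject"] or "").strip().lower() == ZAFI_SUBJECT:
        hits.append("subject")
    if ZAFI_FAKE_SENDER in str(msg["From"] or "").lower():
        hits.append("sender")
    for part in msg.walk():
        if part.is_multipart():
            continue  # container parts carry no body or filename of their own
        name = part.get_filename()
        if name and ZAFI_ATTACHMENT_RE.match(name):
            hits.append("attachment")
        if part.get_content_type() == "text/plain":
            if ZAFI_BODY_MARKER in part.get_content():
                hits.append("body")
    return hits


# Constructed sample modelled on the email structure in the description.
SAMPLE_ZAFI_MESSAGE = (
    "From: kepeslapok@meglep.hu\r\n"
    "To: valaki@example.hu\r\n"
    "Subject: kepeslap erkezett!\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="zafi-sample"\r\n'
    "\r\n"
    "--zafi-sample\r\n"
    'Content-Type: text/plain; charset="utf-8"\r\n'
    "Content-Transfer-Encoding: 8bit\r\n"
    "\r\n"
    "Tisztelt felhasználó!\r\n"
    "\r\n"
    "Önnek képeslapja érkezett!\r\n"
    "A képeslap feladója: Erzsi\r\n"
    "\r\n"
    "--zafi-sample\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Disposition: attachment; "
    'filename="link.matav.hu.viewcard.index42ADR4502HHJeTYWYJDF334GSDEv25546.com"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "TVpub3Q=\r\n"  # constructed placeholder bytes, not the worm
    "--zafi-sample--\r\n"
).encode("utf-8")

# Constructed benign message used as a negative control.
SAMPLE_BENIGN_MESSAGE = (
    "From: kolléga@example.hu\r\n"
    "To: valaki@example.hu\r\n"
    "Subject: Meeting tomorrow\r\n"
    'Content-Type: text/plain; charset="utf-8"\r\n'
    "Content-Transfer-Encoding: 8bit\r\n"
    "\r\n"
    "See you at 10.\r\n"
).encode("utf-8")


if __name__ == "__main__":
    print("zafi sample:", zafi_indicators(SAMPLE_ZAFI_MESSAGE))
    print("benign sample:", zafi_indicators(SAMPLE_BENIGN_MESSAGE))
```

A gateway rule would normally act on the attachment match alone, since a '.com' file whose name imitates a URL has no legitimate use in mail; the subject, sender and body checks are kept separate so that each can be reported and tuned on its own.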

Payload

On the 1st of May Zafi displays a political message and exits.

The other payload is a routine that terminates processes of different security applications and system tools:

 zonalarm.exe
 vbsntw.exe
 vbcons.exe
 pccguide.exe
 outpost.exe
 regedit.exe
 regedit32.exe
 navapw32.exe
 pcciomon.exe
 navdx.exe
 navstub.exe
 navw32.exe
 nc2000.exe
 ndd32.exe
 netmon.exe
 netarmor.exe
 netinfo.exe
 nmain.exe
 nprotect.exe
 ntvdm.exe
 ostronet.exe
 vsmain.exe
 vsmon.exe
 vsstat.exe
 vbust.exe
 mcagent.exe
 fsav32.exe
 fssm32.exe
 fsm32.exe
 fsbwsys.exe
 fsgk32.exe
 dfw.exe
 tnbutil.exe
 taskmgr.exe
 winlogon.exe
 fvprotect.exe
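As an added example (not part of the original description), the following Python code turns the kill list above into a host check: it parses tasklist-style output and reports which security processes an administrator expects on the host are no longer running. The process listing is constructed for illustration, and the expected-process baseline is an assumption a site would fill in for itself.

```python
import re

# Process names Zafi.A tries to terminate, as listed in the description.
ZAFI_KILL_LIST = {
    "zonalarm.exe", "vbsntw.exe", "vbcons.exe", "pccguide.exe", "outpost.exe",
    "regedit.exe", "regedit32.exe", "navapw32.exe", "pcciomon.exe", "navdx.exe",
    "navstub.exe", "navw32.exe", "nc2000.exe", "ndd32.exe", "netmon.exe",
    "netarmor.exe", "netinfo.exe", "nmain.exe", "nprotect.exe", "ntvdm.exe",
    "ostronet.exe", "vsmain.exe", "vsmon.exe", "vsstat.exe", "vbust.exe",
    "mcagent.exe", "fsav32.exe", "fssm32.exe", "fsm32.exe", "fsbwsys.exe",
    "fsgk32.exe", "dfw.exe", "tnbutil.exe", "taskmgr.exe", "winlogon.exe",
    "fvprotect.exe",
}

# Constructed tasklist-style output (not a real capture).
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         16 K
winlogon.exe                   512 Console                    0      3,520 K
explorer.exe                  1204 Console                    0     12,344 K
fsgk32.exe                     932 Console                    0      8,012 K
ntvdm.exe                     1500 Console                    0      3,004 K
"""

# Assumption: the security processes this host is expected to run.
EXPECTED_SECURITY_PROCESSES = {"fsav32.exe", "fsgk32.exe", "fssm32.exe", "zonalarm.exe"}

# One data row: image name, PID, session name, session number, memory in K.
_ROW_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$")


def parse_tasklist(text: str) -> set:
    """Return the lower-cased image names found in tasklist-style output."""
    names = set()
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if m:
            names.add(m.group(1).strip().lower())
    return names


def missing_protected_processes(running: set, expected: set) -> list:
    """Expected processes on the Zafi.A kill list that are not running, sorted."""
    return sorted((set(expected) & ZAFI_KILL_LIST) - set(running))


def targeted_processes_running(running: set) -> list:
    """Running processes that the worm would try to terminate, sorted."""
    return sorted(set(running) & ZAFI_KILL_LIST)


if __name__ == "__main__":
    running = parse_tasklist(SAMPLE_TASKLIST)
    print("missing:", missing_protected_processes(running, EXPECTED_SECURITY_PROCESSES))
    print("targeted but still running:", targeted_processes_running(running))
```

A security product disappearing from the process list while the host stays up is the signal worth alerting on; the list also contains winlogon.exe and ntvdm.exe, which are system components rather than security tools, so the baseline should name the processes the site actually relies on rather than the whole kill list.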




Detection

Detection for this malware was published on April 19th, 2004 in the following F-Secure Anti-Virus updates:

[FSAV_Database_Version]

Version=2004-04-19_02



Technical Details: Gergely Erdelyi, April 19th, 2004;

Description Updated: Alexey Podrezov, June 15th, 2004;

F-Secure Corporation