1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. Zafi.A

Zafi.A

ALIAS:W32/Zafi.A@mm, I-Worm.Kapes, W32.Erkez.A@mm
SIZE:11776
ORIGIN:Hungary

Summary

Zafi is a mass-mailing worm that sends infected emails with Hungarian text and an attachment disguised as a link. The worm sends emails only to addresses that end with .hu so it is not likely to spread outside Hungary. Zafi was programmed to be active only in April and will cease to work starting from the 1st of May.

Disinfection

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.


Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:

Additional Details

System Infection

When first run, Zafi copies itself to the Windows System Directory with a random name. The copy is then added to the registry with a random name under

HKLMSoftware\Microsoft\Windows\CurrentVersion\Run

To disguise its presence the worm opens a random link from the user's browser history. This tries to make the user believe that an actual link was opened from the infected email.

Another copy of the worm is created with a random name and '.DLL' extension.

The list of addresses the worm collects is written to several other '.DLL' files in the System Directory.


Email Propagation

Zafi collects email addresses by scanning through files with the following extensions:


 htm
 wab
 txt
 dbx
 tbb
 asp
 php
 sht
 adb
 mbx
 eml
 pmr

The worms sends infected messages to all addresses that end with '.hu'.

The infected emails have the following structure:


 From: <infected@sender> or <kepeslapok@meglep.hu>
 To: <targeted@user>
 Subject: kepeslap erkezett!


 Tisztelt felhasználó!


 Önnek képeslapja érkezett!
 A képeslap feladója: Erzsi
 A lapot az alábbi cimen tudja megtekinteni:
 http//matav.hu/viewcard/index=p4uo5683535GSb0123fhhf578840f0623cv2
 vagy a mellékelt internetlink kattintásával.


 Üdvözlettel: Matav e-card!
 http//www.netezz.matav.hu/

The attachment is named to 'link.matav.hu.viewcard.index42ADR4502HHJeTYWYJDF334GSDEv25546.com'.


Payload

On 1st of May Zafi displays a political message and exits.

The other payload is a routine that terminates processes of different security applications and system tools:


 zonalarm.exe
 vbsntw.exe
 vbcons.exe
 pccguide.exe
 outpost.exe
 regedit.exe
 regedit32.exe
 navapw32.exe
 pcciomon.exe
 navdx.exe
 navstub.exe
 navw32.exe
 nc2000.exe
 ndd32.exe
 netmon.exe
 netarmor.exe
 netinfo.exe
 nmain.exe
 nprotect.exe
 ntvdm.exe
 ostronet.exe
 vsmain.exe
 vsmon.exe
 vsstat.exe
 vbust.exe
 mcagent.exe
 fsav32.exe
 fssm32.exe
 fsm32.exe
 fsbwsys.exe
 fsgk32.exe
 dfw.exe
 tnbutil.exe
 taskmgr.exe
 winlogon.exe
 fvprotect.exe