F-Secure Virus Descriptions : Zafi.B
THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.
A new variant of the Zafi worm, Zafi.B, is spreading. While the
original Zafi.A uses only Hungarian, Zafi.B spreads in email in
English, Italian, Spanish, Russian, Swedish and other languages.
The worm sends itself in emails mostly as a .pif attachment; in
rare cases it sends a .exe or .com file instead.
F-Secure provides a special disinfection utility to eliminate the
Zafi.B worm infection. You can download this utility from our
ftp site:
ftp://ftp.f-secure.com/anti-virus/tools/f-zafi.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-zafi.zip
Disinfection instructions can be found here:
ftp://ftp.f-secure.com/anti-virus/tools/f-zafi.txt
System administrators who are using F-Secure Policy Manager can
distribute the tool as a JAR package automatically to all
workstations.
System administrators can download the JAR version from:
http://www.f-secure.com/tools/f-zafi.jar
ftp://ftp.f-secure.com/anti-virus/tools/f-zafi.jar
Zafi.B spreads in FSG!-packed form, 12800 bytes in size.
The body unpacks to around 30 KiB of hand-written assembly code.
System Infection
When Zafi.B is started, it copies itself to the Windows System
Directory under a random .DLL name and a random .EXE name. The .EXE
file is added to the registry as
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"_Hazafibb" = "%SysDir%\<random>.exe"
Several additional files with random names and the .DLL extension are
created in the System Directory; the worm keeps its internal data in
them.
Zafi.B enumerates all directories in the system and copies
itself as either 'winamp 7.0 full_install.exe' or
'Total Commander 7.0 full_install.exe'
into those whose name contains 'share' or 'upload'.
Email Propagation
Zafi.B looks into the Windows Address Book and various files to
gather email addresses. Files with the following extensions are checked:
htm
wab
txt
dbx
tbb
asp
php
sht
adb
mbx
eml
pmr
Using its own SMTP engine, the worm sends messages with infected attachments
in many different languages.
For email addresses in the following domains the worm sends messages
in the respective language:
.hu .sp .ru .dk .ro .se .no .fi .lt .pl .pt .de .nl .cz .fr .it .mx .at
For Hungarian recipients there are three different messages. Any recipient
whose domain is not on the list (including .COM, .NET, etc.) is sent one of
three predefined English messages.
Sender: Anita
Subject: Ingyen SMS!
Attachment: "regiszt.php?3124freesms.index777.pif"
------------------------ hirdetés -----------------------------
A sikeres 777sms.hu és az axelero.hu támogatásával újra
indul az ingyenes sms küldő szolgáltatás! Jelenleg ugyan
korlátozott számban, napi 20 ingyen smst lehet felhasználni.
Küldj te is SMST! Nehány kattintás és a mellékelt regisztrációs
lap kitöltése után azonnal igénybevehető! Bővebb információt
a www.777sms.hu oldalon találsz, de siess, mert az első ezer
felhasználó között értékes nyereményeket sorsolunk ki!
------------------------ axelero.hu ---------------------------
Sender: Anita
Subject: Tessek mosolyogni!!!
Attachment: "meztelen csajok fociznak.flash.jpg.pif"
Ha ez a kép sem tud felviditani, akkor feladom!
Sok puszi:
Sender: Anita
Subject: Soxor Csok!
Attachment: "anita.image043.jpg.pif"
Sender: Claudia
Subject: Importante!
Attachment: "link.informacion.phpV23.text.message.pif"
Informacion importante que debes conocer, -
Sender: Katya
Subject: Katya
Attachment: "view.link.index.image.phpV23.sexHdg21.pif"
ADAOIU
OEIE
Sender: .
Subject: E-Kort!
Attachment: "link.ekort.index.phpV7ab4.kort.pif"
Mit hjerte banker for dig!
Sender: Marica
Subject: Ecard!
Attachment: "link.showcard.index.phpAv23.ritm.pif"
De cand te-am cunoscut inima mea are un nou ritm!
Sender: Anna
Subject: E-vykort!
Attachment: "link.vykort.showcard.index.phpBn23.pif"
Till min Alskade...
Sender: Erica
Subject: E-Postkort!
Attachment: "link.postkort.showcard.index.phpAe67.pif"
Vakre roser jeg sammenligner med deg...
Sender: Katarina
Subject: E-postikorti!
Attachment: "link.postikorti.showcard.index.phpGz42.pif"
Iloista kesaa!
Sender: Magdolina
Subject: Atviruka!
Attachment: "link.atviruka.showcard.index.phpGz42.pif"
Linksmo gimtadieno!
Sender: Beate
Subject: E-Kartki!
Attachment: "link.kartki.showcard.index.phpVg42.pif"
W Dniu imienin...
Sender: @
Subject: Cartoe Virtuais!
Attachment: "link.cartoe.viewcard.index.phpYj39.pif"
Te amo...
Sender: Alice
Subject: Flashcard fuer Dich!
Attachment: "link.flashcard.de.viewcard34.php.2672aB.pif"
Hallo!
hat dir eine elektronische Flashcard geschickt.
Um die Flashcard ansehen zu koennen, benutze in deinem Browser
einfach den nun folgenden link:
http://flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34
Viel Spass beim Lesen wuenscht Ihnen ihr...
Sender:
Subject: Er staat een eCard voor u klaar!
Attachment: "postkaarten.nl.link.viewcard.index.phpG4a62.pif"
Hallo!
heeft u een eCard gestuurd via de website nederlandse
taal in het basisonderwijs...
U kunt de kaart ophalen door de volgende url aan te klikken of te
kopiëren in uw browser link:
http://postkaarten.nl/viewcard.show53.index=04abD1
Met vriendelijke groet,
De redactie taalsite primair onderwijs...
Sender: Hanka
Subject: Elektronicka pohlednice!
Attachment: "link.seznam.cz.pohlednice.index.php2Avf3.pif"
Ahoj!
Elektronická pohlednice ze serveru http://www.seznam.cz
Sender: Claudine
Subject: E-carte!
Attachment: "link.zdnet.fr.ecarte.index.php34b31.pif"
vous a envoye une E-carte à partir du site zdnet.fr
Vous la trouverez à l'adresse suivante link:
http://zdnet.fr/showcard.index.php34bs42
www.zdnet.fr, plus de 3500 cartes virtuelles, vos pages web
en 5 minutes, du dialogue en direct...
Sender: Francesca
Subject: Ti e stata inviata una Cartolina Virtuale!
Attachment: "link.cartoline.it.viewcard.index.4g345a.pif"
Ciao!
ha visitato il nostro sito, cartolina.it e ha creato una
cartolina virtuale per te! Per vederla devi fare click
sul link sottostante: http://cartolina.it/asp.viewcard=index4g345a
Attenzione, la cartolina sara visibile sui nostri server per
2 giorni e poi verra rimossa automaticamente.
Sender: Jennifer
Subject: You`ve got 1 VoiceMessage!
Attachment: "link.voicemessage.com.listen.index.php1Ab2c.pif"
Dear Customer!
You`ve got 1 VoiceMessage from voicemessage.com website!
You can listen your Virtual VoiceMessage at the following link:
http://virt.voicemessage.com/index.listen.php2=35affv
or by clicking the attached link.
Send VoiceMessage! Try our new virtual VoiceMessage Empire!
Best regards: SNAF.Team (R).
Szia!
Aranyos vagy, jó volt dumcsizni veled a neten!
Remélem tetszem, és szeretném ha te is küldenél képet
magadról, addig is csók:
Sender: Jennifer
Subject: Don`t worry, be happy!
Attachment: "www.ecard.com.funny.picture.index.nude.php356.pif"
Hi Honey!
I`m in hurry, but i still love ya...
(as you can see on the picture)
Bye - Bye:
Sender: David
Subject: Check this out kid!!!
Attachment: "jennifer the wild girl xxx07.jpg.pif"
Send me back bro, when you`ll be done...(if you know what i mean...)
See ya,
In rare cases the email will carry an attachment named 'Surprise' with
the extension '.com', '.exe' or '.pif'.
The worm does not send emails to addresses that contain any of the
following strings:
win
use
info
help
admi
webm
micro
msn
hotm
suppor
syma
vir
trend
panda
yaho
cafee
sopho
google
kasper
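As an added example, not part of the F-Secure description or its tools, the following Python check flags mail whose subject or attachment name matches the Zafi.B message templates listed above (known subjects, a .pif attachment posing as a link or image, or the rare 'Surprise' attachment); the sample headers at the end are constructed.

```python
"""Added example, not from the F-Secure description: a mail-gateway style check
that flags messages matching the Zafi.B indicators listed above."""
import re

# Subjects quoted in the description (the worm's per-language templates).
ZAFI_SUBJECTS = frozenset({
    "Ingyen SMS!", "Tessek mosolyogni!!!", "Soxor Csok!", "Importante!",
    "E-Kort!", "Ecard!", "E-vykort!", "E-Postkort!", "E-postikorti!", "Atviruka!",
    "E-Kartki!", "Flashcard fuer Dich!", "Er staat een eCard voor u klaar!",
    "Elektronicka pohlednice!", "E-carte!", "You`ve got 1 VoiceMessage!",
    "Ti e stata inviata una Cartolina Virtuale!", "Don`t worry, be happy!",
    "Check this out kid!!!",
})
# Attachment names pose as URL paths or images but end in .pif, e.g.
# "link.voicemessage.com.listen.index.php1Ab2c.pif" or "anita.image043.jpg.pif".
DISGUISED_PIF_RE = re.compile(r"\.(php|index|jpg).*\.pif$", re.IGNORECASE)

def zafi_b_indicators(subject, attachment=""):
    """Return the Zafi.B indicators matched by one message's subject/attachment."""
    hits = []
    if subject.strip() in ZAFI_SUBJECTS:
        hits.append("known Zafi.B subject")
    name = attachment.strip().strip('"')   # headers may quote the filename
    if name:
        stem, _, ext = name.rpartition(".")
        ext = ext.lower()
        if ext == "pif":
            hits.append("executable .pif attachment")   # the worm's usual form
        if DISGUISED_PIF_RE.search(name):
            hits.append("attachment disguised as link/image")
        if stem.lower() == "surprise" and ext in ("com", "exe", "pif"):
            hits.append("rare 'Surprise' attachment variant")
    return hits

def scan_messages(messages):
    """Return {index: indicators} for every message in `messages` that matches."""
    flagged = {}
    for i, msg in enumerate(messages):
        hits = zafi_b_indicators(msg.get("subject", ""), msg.get("attachment", ""))
        if hits:
            flagged[i] = hits
    return flagged

# Constructed sample headers: two lures taken from the description, one clean mail.
SAMPLE_MESSAGES = [
    {"subject": "Check this out kid!!!", "attachment": "jennifer the wild girl xxx07.jpg.pif"},
    {"subject": "Hello", "attachment": "Surprise.exe"},
    {"subject": "Q2 report", "attachment": "report.pdf"},
]
```

Running `scan_messages(SAMPLE_MESSAGES)` flags the first two messages and leaves the PDF report alone.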
Payload
Zafi.B terminates any application whose name contains the words 'firewall'
or 'virus'. These files are then overwritten with a copy of the worm.
Several Windows tools, such as Task Manager and Registry Editor, are disabled
while the worm is active: Zafi.B opens their files with exclusive locking
to prevent anything else from opening them.
Detection for this malware was published on June 11th, 2004
in the following F-Secure Anti-Virus updates:
[FSAV_Database_Version]
Version=2004-06-11_01
Description:
Katrin Tocheva, June 11th, 2004;
Technical Details:
Gergely Erdelyi, June 11-12th, 2004;
Description Updated:
Alexey Podrezov, June 15th, 2004;
F-Secure Corporation