Zafi.B

Aliases: W32/Zafi.B@mm, I-Worm.Zafi.b

Malware
Email-Worm
W32

Summary

A new variant of the Zafi worm, Zafi.B, is spreading. While the original Zafi.A uses only Hungarian, Zafi.B spreads in email in English, Italian, Spanish, Russian, Swedish and other languages. The worm sends itself in emails mostly as a .pif attachment; in rare cases it sends a .exe or .com file.



Disinfection & Removal


Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.


Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details

Zafi.B spreads in FSG-packed form, 12800 bytes in size. The body unpacks to around 30 KiB of hand-written assembly code.


System Infection

When Zafi.B is started it copies itself to the Windows System Directory under a random .DLL name and a random .EXE name. The .EXE file is registered to run at startup through the following registry value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "_Hazafibb" = "%SysDir%\<random>.exe"

Several additional files with random names and the .DLL extension are created in the System Directory; the worm keeps its internal data in those.

Zafi.B enumerates all the directories in the system and copies itself as either 'winamp 7.0 full_install.exe' or 'Total Commander 7.0 full_install.exe' to the ones that contain 'share' or 'upload' in their name.
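A host-side check for the two persistence artifacts just described, written as an added example (not an F-Secure tool): it matches the "_Hazafibb" Run value and the two drop file names taken from this description, and assumes the Run key is enumerated on a live Windows host (elsewhere it returns nothing and the check_* functions are fed constructed input).

```python
"""Host check for the Zafi.B persistence and share-drop artifacts described above.
Added example, not an F-Secure tool. The Run value name and the two drop file
names come from the description; inputs to the check_* functions are constructed."""
import re

RUN_VALUE_NAME = "_Hazafibb"  # value the worm adds under HKLM\...\CurrentVersion\Run
DROP_NAMES = {"winamp 7.0 full_install.exe", "total commander 7.0 full_install.exe"}
SHARE_DIR_RE = re.compile(r"share|upload", re.IGNORECASE)

def check_run_values(run_values):
    """run_values: {value_name: data} from the Run key. Returns a list of findings."""
    return [f"Run value {name!r} -> {data}" for name, data in run_values.items()
            if name == RUN_VALUE_NAME]

def check_paths(paths):
    """Flag worm copies by file name and note whether the parent directory is one of
    the share/upload directories the worm targets (a hit elsewhere is still a hit)."""
    findings = []
    for path in paths:
        parts = re.split(r"[\\/]", path)
        fname, parent = parts[-1], (parts[-2] if len(parts) > 1 else "")
        if fname.lower() in DROP_NAMES:
            where = "share/upload dir" if SHARE_DIR_RE.search(parent) else "other dir"
            findings.append(f"drop file {path} ({where})")
    return findings

def read_run_values():
    """Enumerate the Run key on a live Windows host; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            values[name] = data
            index += 1
    return values

if __name__ == "__main__":
    for finding in check_run_values(read_run_values()):
        print(finding)
```

Feed check_paths with the file list from an os.walk over the host's share and upload directories; a copy found elsewhere is reported too, only tagged differently.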


Email Propagation

Zafi.B looks into the Windows Address Book and different files and tries to gather email addresses. Files with the following extensions are checked:

htm, wab, txt, dbx, tbb, asp, php, sht, adb, mbx, eml, pmr
Using its own SMTP engine the worm sends messages with infected attachments in many different languages.

For email addresses in the following domains the worm sends messages in the respective languages:

.hu .sp .ru .dk .ro .se .no .fi .lt .pl .pt .de .nl .cz .fr .it .mx .at
 

For Hungarian recipients there are three different messages. Any recipient that is not on the list (including .COM, .NET, etc.) is sent one of the three predefined English messages.

Sender: Anita
Subject: Ingyen SMS!
Attachment: "regiszt.php?3124freesms.index777.pif"
------------------------ hirdetés -----------------------------
A sikeres 777sms.hu es az axelero.hu támogatásával újra
indul az ingyenes sms küldő szolgáltatás! Jelenleg ugyan
korlátozott számban, napi 20 ingyen smst lehet felhasználni.
Küldj te is SMST! Néhány kattintás es a mellekelt regisztrációs
lap kitöltése után azonnal igenybevehető! Bővebb információt
a www.777sms.hu oldalon találsz, de siess, mert az első ezer
felhasználó között ertekes nyeremenyeket sorsolunk ki!
------------------------ axelero.hu ---------------------------

Sender: Anita
Subject: Tessek mosolyogni!!!
Attachment: "meztelen csajok fociznak.flash.jpg.pif"
Ha ez a kep sem tud felviditani, akkor feladom!
Sok puszi:

Sender: Anita
Subject: Soxor Csok!
Attachment: "anita.image043.jpg.pif"
Szia!
Aranyos vagy, jo volt dumcsizni veled a neten!
Remelem tetszem, es szeretnem ha te is küldenél kepet
magadrol, addig is csok:

Sender: Claudia
Subject: Importante!
Attachment: "link.informacion.phpV23.text.message.pif"
Informacion importante que debes conocer, -

Sender: Katya
Subject: Katya
Attachment: "view.link.index.image.phpV23.sexHdg21.pif"
ADAOIU
OEIE

Sender: .
Subject: E-Kort!
Attachment: "link.ekort.index.phpV7ab4.kort.pif"
Mit hjerte banker for dig!

Sender: Marica
Subject: Ecard!
Attachment: "link.showcard.index.phpAv23.ritm.pif"
De cand te-am cunoscut inima mea are un nou ritm!

Sender: Anna
Subject: E-vykort!
Attachment: "link.vykort.showcard.index.phpBn23.pif"
Till min Alskade...

Sender: Erica
Subject: E-Postkort!
Attachment: "link.postkort.showcard.index.phpAe67.pif"
Vakre roser jeg sammenligner med deg...

Sender: Katarina
Subject: E-postikorti!
Attachment: "link.postikorti.showcard.index.phpGz42.pif"
Iloista kesaa!

Sender: Magdolina
Subject: Atviruka!
Attachment: "link.atviruka.showcard.index.phpGz42.pif"
Linksmo gimtadieno!

Sender: Beate
Subject: E-Kartki!
Attachment: "link.kartki.showcard.index.phpVg42.pif"
W Dniu imienin...

Sender: @
Subject: Cartoe Virtuais!
Attachment: "link.cartoe.viewcard.index.phpYj39.pif"
Te amo...

Sender: Alice
Subject: Flashcard fuer Dich!
Attachment: "link.flashcard.de.viewcard34.php.2672aB.pif"
Hallo!
hat dir eine elektronische Flashcard geschickt.
Um die Flashcard ansehen zu koennen, benutze in deinem Browser
einfach den nun folgenden link:
http://flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34
Viel Spass beim Lesen wuenscht Ihnen ihr...

Sender:
Subject: Er staat een eCard voor u klaar!
Attachment: "postkaarten.nl.link.viewcard.index.phpG4a62.pif"
Hallo!
heeft u een eCard gestuurd via de website nederlandse
taal in het basisonderwijs...
U kunt de kaart ophalen door de volgende url aan te klikken of te
kopiren in uw browser link:
http://postkaarten.nl/viewcard.show53.index=04abD1
Met vriendelijke groet,
De redactie taalsite primair onderwijs...

Sender: Hanka
Subject: Elektronicka pohlednice!
Attachment: "link.seznam.cz.pohlednice.index.php2Avf3.pif"
Ahoj!
Elektronick pohlednice ze serveru http://www.seznam.cz

Sender: Claudine
Subject: E-carte!
Attachment: "link.zdnet.fr.ecarte.index.php34b31.pif"
vous a envoye une E-carte partir du site zdnet.fr
Vous la trouverez, l'adresse suivante link:
http://zdnet.fr/showcard.index.php34bs42
www.zdnet.fr, plus de 3500 cartes virtuelles, vos pages web
en 5 minutes, du dialogue en direct...

Sender: Francesca
Subject: Ti e stata inviata una Cartolina Virtuale!
Attachment: "link.cartoline.it.viewcard.index.4g345a.pif"
Ciao!
ha visitato il nostro sito, cartolina.it e ha creato una
cartolina virtuale per te! Per vederla devi fare click
sul link sottostante: http://cartolina.it/asp.viewcard=index4g345a
Attenzione, la cartolina sara visibile sui nostri server per
2 giorni e poi verra rimossa automaticamente.

Sender: Jennifer
Subject: You`ve got 1 VoiceMessage!
Attachment: "link.voicemessage.com.listen.index.php1Ab2c.pif"
Dear Customer!
You`ve got 1 VoiceMessage from voicemessage.com website!
You can listen your Virtual VoiceMessage at the following link:
http://virt.voicemessage.com/index.listen.php2=35affv
or by clicking the attached link.
Send VoiceMessage! Try our new virtual VoiceMessage Empire!
Best regards: SNAF.Team (R).

Sender: Jennifer
Subject: Don`t worry, be happy!
Attachment: "www.ecard.com.funny.picture.index.nude.php356.pif"
Hi Honey!
I`m in hurry, but i still love ya...
(as you can see on the picture)
Bye - Bye:

Sender: David
Subject: Check this out kid!!!
Attachment: "jennifer the wild girl xxx07.jpg.pif"
Send me back bro, when you`ll be done...(if you know what i mean...)
See ya,

In rare cases the email will have an attachment named 'Surprise' with the extension '.com', '.exe' or '.pif'. The worm does not send emails to addresses that contain any of these strings:

win, use, info, help, admi, webm, micro, msn, hotm, suppor, syma, vir, trend, panda, yaho, cafee, sopho, google, kasper
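A mail-gateway triage rule built from the lure traits listed in this section, as an added example rather than F-Secure code: it flags .pif/.exe/.com attachments, double extensions such as .jpg.pif, URL-looking attachment names, the rare 'Surprise' name and the three English subject lines, and assumes messages arrive as raw RFC 5322 text (SAMPLE is a constructed message modelled on the VoiceMessage lure).

```python
"""Mail-gateway triage for the Zafi.B lures listed above. Added example, not F-Secure
code: it encodes the attachment traits from the description (.pif/.exe/.com payloads,
double extensions such as .jpg.pif, URL-looking names, the rare 'Surprise' name) and
the three English subject lines. SAMPLE is a constructed message, not a real capture."""
import re
from email import message_from_string, policy

EXEC_EXT = {"pif", "exe", "com"}
DOUBLE_EXT_RE = re.compile(r"\.(jpe?g|gif|flash|txt|php|html?)\.(pif|exe|com)$", re.I)
LURE_SUBJECTS = {"you`ve got 1 voicemessage!", "don`t worry, be happy!", "check this out kid!!!"}

def classify_attachment(filename):
    """Return the reasons an attachment looks like a Zafi.B payload, or None."""
    name = filename.lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext not in EXEC_EXT:
        return None
    reasons = [f"executable attachment (.{ext})"]
    if DOUBLE_EXT_RE.search(name):
        reasons.append("double extension disguising an executable")
    if name.startswith("surprise."):
        reasons.append("'Surprise' lure name")
    if name.startswith("link.") or ".php" in name or ".index" in name:
        reasons.append("URL-like attachment name")
    return reasons

def triage_message(raw):
    """Parse a raw RFC 5322 message; return {attachment_name: reasons} for suspect parts."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    hits = {}
    for part in msg.iter_attachments():  # skips the text body, yields the rest
        fn = part.get_filename()
        reasons = classify_attachment(fn) if fn else None
        if reasons:
            if subject in LURE_SUBJECTS:
                reasons.append("known Zafi.B subject line")
            hits[fn] = reasons
    return hits

SAMPLE = (  # constructed, modelled on the 'Jennifer' VoiceMessage lure above
    "From: Jennifer <jennifer@example.com>\nTo: someone@example.org\n"
    "Subject: You`ve got 1 VoiceMessage!\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nDear Customer!\n"
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="link.voicemessage.com.listen.index.php1Ab2c.pif"\n'
    "Content-Transfer-Encoding: base64\n\nTVo=\n--b1--\n"
)
```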

Payload

Zafi.B terminates any running application whose name contains the word 'firewall' or 'virus', and overwrites the corresponding executable with a copy of the worm.

Several Windows tools, such as Task Manager and Registry Editor, are disabled while the worm is active: Zafi.B opens their executables with exclusive locking so that nothing else can open them.