F-Secure Virus Descriptions : Zafi.D
THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.
A new variant of the Zafi worm, Zafi.D, is spreading. While the
original Zafi.A uses only Hungarian, Zafi.D spreads by email in
English, Italian, Spanish, Russian, Swedish and several other
languages.
The worm sends itself in Christmas greeting messages, attached as a
.pif, .cmd, .bat, .com or .zip file.
It can display a decoy message box saying "Error in packed file!"
Zafi.D spreads in FSG!-packed form, 11745 bytes in size. The body
unpacks to around 30 KiB of hand-written assembly code.
System Infection
When Zafi.D is started it copies itself to the Windows System
directory under a random .DLL name and as "Norton Update.exe".
The .EXE copy is registered for startup in the registry key
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wxp4" = "%System%\Norton Update.exe"
Zafi.D creates a mutex named "Wxp4" to make sure that only one
copy of the worm runs at a time.
Several additional files with random names and the .DLL extension
are created in the System directory; the worm keeps its internal
data in them.
Zafi.D enumerates all directories on the system and copies itself
as either 'winamp 5.7 new!.exe' or 'ICQ 2005a new!.exe' into those
whose name contains 'share', 'upload' or 'music'.
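As an added example, not part of the original F-Secure description, the Python script below sweeps a host for the persistence and share-folder indicators listed above. It works on offline inputs: the Run key as exported to a .reg file (or as a dict read with winreg on Windows) and a directory tree. The sample .reg text and the demo tree it builds are constructed for illustration; the value name, image name and dropped file names are the ones given above.

```python
"""Offline sweep for the Zafi.D host indicators: the "Wxp4" Run value pointing at
"Norton Update.exe", and the worm's copies dropped into share/upload/music folders."""
import os
import re
import tempfile

RUN_VALUE_NAME = "Wxp4"
RUN_IMAGE_NAME = "norton update.exe"
DROPPED_NAMES = {"winamp 5.7 new!.exe", "icq 2005a new!.exe"}
TARGET_DIR_WORDS = ("share", "upload", "music")

# Constructed sample: what `reg export` of the Run key might produce on an infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Wxp4"="C:\\WINDOWS\\system32\\Norton Update.exe"
'''

_REG_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_run_values(text):
    """Parse the string values of a .reg export into {name: data}, undoing the doubled backslashes."""
    values = {}
    for line in text.splitlines():
        m = _REG_LINE.match(line.strip())
        if m:
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def check_run_key(values):
    """Return the Run value names matching the worm's persistence entry, either by the
    value name "Wxp4" or by an image called "Norton Update.exe" (case-insensitive)."""
    hits = []
    for name, data in values.items():
        image = str(data).strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name == RUN_VALUE_NAME or image == RUN_IMAGE_NAME:
            hits.append(name)
    return hits


def is_target_directory(dirname):
    """The worm's own selection rule: the directory name contains share, upload or music."""
    d = dirname.lower()
    return any(w in d for w in TARGET_DIR_WORDS)


def find_dropped_copies(root):
    """Walk root and return (path, worm_targeted_dir) for every file using one of the worm's
    share-folder names, wherever it sits; the directory rule is reported alongside each hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() in DROPPED_NAMES:
                hits.append((os.path.join(dirpath, f), is_target_directory(os.path.basename(dirpath))))
    return sorted(hits)


def build_demo_tree():
    """Constructed directory tree standing in for a user's profile; returns its root."""
    root = tempfile.mkdtemp(prefix="zafi_demo_")
    layout = {
        "Shared Docs/winamp 5.7 new!.exe": b"MZ...",
        "My Music/ICQ 2005a new!.exe": b"MZ...",
        "Documents/report.txt": b"nothing to see",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    print("Run key hits:", check_run_key(parse_reg_run_values(SAMPLE_REG)))
    for path, targeted in find_dropped_copies(build_demo_tree()):
        print("dropped copy:", path, "(worm-targeted folder)" if targeted else "")
```

The random-named .DLL files in the System directory cannot be found by name; a hit on the Run value or on the dropped executables is the trigger to compare the System directory against a known-good baseline.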
Email Propagation
Zafi.D gathers email addresses from the Windows Address Book and
from files with the following extensions:
htm
wab
txt
dbx
tbb
asp
php
sht
adb
mbx
eml
pmr
fpt
inb
Using its own SMTP engine the worm sends messages with infected
attachments in many different languages. It can use different SMTP
relays depending on the language.
For email addresses in the following domains the worm sends messages
in the respective languages:
.hu .sp .ru .dk .ro .se .no .fi .lt .pl .pt .de .nl .cz .fr .it .mx .at .es
The message is a simple Christmas wish. The following text is an
example of the English message:
Sender: Pamela M.
Subject: Merry Christmas!
Happy HollyDays!
:) [Sender]
The listed sender name is used as a fallback when the email address
has no name part of its own.
Other language versions are as follows:
Sender: T. Maria
Subject: boldog karacsony...
Kellemes Unnepeket!
:) [Sender]
Sender: N. Fernandez
Subject: Feliz Navidad!
Feliz Navidad!
:) [Sender]
Sender: V. Tatyana
Subject: ecard.ru
:) [Sender]
Sender: V. Jensen
Subject: Christmas Kort!
Glaedelig Jul!
:) [Sender]
Sender: J. Andersson
Subject: Christmas Vykort!
God Jul!
:) [Sender]
Sender: M. Emma
Subject: Christmas Postkort!
God Jul!
:) [Sender]
Sender: M. Virtanen
Subject: Christmas postikorti!
Iloista Joulua!
:) [Sender]
Sender: C. Lina
Subject: Christmas Atviruka!
Naulieji Metai!
:) [Sender]
Sender: S. Ewa
Subject: Christmas - Kartki!
Wesolych Swiat!
:) [Sender]
Sender: H. Irene
Subject: Weihnachten card.
Fröhliche Weihnachten!
:) [Sender]
Sender: R. Cornel
Subject: Prettige Kerstdagen!
Prettige Kerstdagen!
:) [Sender]
Sender: V. Dusan
Subject: Christmas pohlednice
Veselé Vánoce!
:) [Sender]
Sender: J. Martin
Subject: Joyeux Noel!
Joyeux Noel!
:) [Sender]
Sender: T. Antonio
Subject: Buon Natale!
Buon Natale!
:) [Sender]
The worm includes a small visible GIF attachment in the messages.
The actual worm attachment name is composed of several parts: the
word "postcard" in the respective language, random numbers and one
of the extensions .pif, .cmd, .bat, .com or .zip. Sometimes the
filename starts with "link", "christmas" or "index".
[Screenshot of the English message: image not reproduced here.]
The worm does not send emails to addresses that contain any of these
strings:
yaho
google
win
use
info
help
admi
webm
micro
msn
hotm
suppor
syman
viru
trend
secur
panda
cafee
sopho
kasper
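As an added example, not from the original description, the Python below reconstructs the address-selection logic of the Email Propagation section (harvest from the listed file types, then drop any address containing one of the skip strings) and adds a mail-gateway rule for the attachment names described above. The harvested files are constructed samples; the list of localized "postcard" words is an assumption taken from the subject lines shown above, since the page does not give the worm's exact list.

```python
"""Reconstruction of Zafi.D's recipient selection plus a gateway rule for its attachment names."""
import os
import re
import tempfile

# File extensions the worm harvests addresses from, and the substrings that make it skip an address.
HARVEST_EXTS = {"htm", "wab", "txt", "dbx", "tbb", "asp", "php", "sht",
                "adb", "mbx", "eml", "pmr", "fpt", "inb"}
SKIP_SUBSTRINGS = ("yaho", "google", "win", "use", "info", "help", "admi", "webm", "micro",
                   "msn", "hotm", "suppor", "syman", "viru", "trend", "secur", "panda",
                   "cafee", "sopho", "kasper")
WORM_EXTS = (".pif", ".cmd", ".bat", ".com", ".zip")
# Assumption: localized "postcard" words taken from the subject lines on the page; the worm's
# exact list is not given there, so extend this for your own languages.
POSTCARD_WORDS = ("postcard", "vykort", "postkort", "postikorti", "atviruka", "kartki",
                  "pohlednice", "kort", "card")
ALT_PREFIXES = ("link", "christmas", "index")

ADDR_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def harvest_addresses(root):
    """Walk root, read only files with a harvested extension, return lower-cased addresses."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            ext = f.rsplit(".", 1)[-1].lower() if "." in f else ""
            if ext not in HARVEST_EXTS:
                continue
            with open(os.path.join(dirpath, f), "rb") as fh:
                for m in ADDR_RE.finditer(fh.read()):
                    found.add(m.group().decode("ascii", "ignore").lower())
    return found


def is_skipped(addr):
    """True if the worm would leave this address alone. The match is a plain substring test
    on the whole address, so 'darwin@' (contains 'win') or 'user@' ('use') are skipped too."""
    a = addr.lower()
    return any(s in a for s in SKIP_SUBSTRINGS)


def select_targets(addrs):
    """Addresses the worm would actually mail, sorted for stable output."""
    return sorted(a for a in addrs if not is_skipped(a))


def looks_like_zafi_attachment(filename):
    """Gateway rule: worm extension, digits in the stem, and either a postcard word
    or one of the alternative prefixes in the stem."""
    n = filename.lower()
    if not n.endswith(WORM_EXTS):
        return False
    stem = n.rsplit(".", 1)[0]
    if not re.search(r"\d", stem):
        return False
    return any(w in stem for w in POSTCARD_WORDS) or stem.startswith(ALT_PREFIXES)


def build_demo_tree():
    """Constructed files standing in for a mailbox, a notes file and a photo."""
    root = tempfile.mkdtemp(prefix="zafi_mail_")
    files = {
        "Inbox.dbx": b"From: Alice <alice@example.org>\r\nCc: support@example.org\r\n",
        "notes.txt": b"call Bob (bob@example.net) about the party",
        "holiday.jpg": b"carol@example.com is not in a harvested file type",
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    print(select_targets(harvest_addresses(build_demo_tree())))
    for name in ("postcard_4812.zip", "link_Christmas-77.pif", "report.pdf", "postcard.zip"):
        print(name, looks_like_zafi_attachment(name))
```

The skip list is worth reading twice: short substrings such as "win" and "use" spare many ordinary mailboxes as well as the vendor and webmaster addresses it was evidently written for, which is why honeypot addresses for this family should avoid those fragments.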
Payload
Zafi.D terminates any running application whose name contains the
word 'firewall' or 'virus', and overwrites its executable with a
copy of the worm.
Several Windows tools, such as Task Manager and Registry Editor, are
disabled while the worm is active: Zafi.D opens their executables
with exclusive locking so that nothing else can open them.
Zafi.D also has a backdoor that listens on port 8181. Through it,
files can be uploaded to the infected machine and executed.
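As an added triage helper, not from the original description, the Python below correlates listeners on port 8181 in `netstat -ano` output with `tasklist` output to name the listening process. Both command outputs are constructed samples; the column layouts assumed are those of Windows XP-era netstat and tasklist, and the image name "Norton Update.exe" is the one given above.

```python
"""Triage helper for the Zafi.D backdoor: correlate `netstat -ano` listeners on port 8181
with `tasklist` image names. Inputs are the two commands' text output, here constructed."""
import re

BACKDOOR_PORT = 8181
WORM_IMAGE = "norton update.exe"

# Constructed sample in the `netstat -ano` column layout (Proto, Local, Foreign, State, PID).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    0.0.0.0:8181           0.0.0.0:0              LISTENING       1764
  TCP    192.168.1.20:1049      192.168.1.1:25         ESTABLISHED     1764
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist` output (Image Name, PID, Session Name, Session#, Mem Usage).
SAMPLE_TASKLIST = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
svchost.exe                    896 Console                    0      4,912 K
Norton Update.exe             1764 Console                    0      2,348 K
explorer.exe                  1520 Console                    0     18,204 K
"""

_NETSTAT = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
_TASKLIST = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def listeners_on(netstat_text, port=BACKDOOR_PORT):
    """Return [(proto, local_addr, pid)] for sockets bound to `port`: TCP only in LISTENING
    state, UDP whenever bound (UDP rows have no state column)."""
    out = []
    for line in netstat_text.splitlines():
        m = _NETSTAT.match(line)
        if not m:
            continue
        proto, addr, lport, _foreign, state, pid = m.groups()
        if int(lport) != port:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue
        out.append((proto, addr, int(pid)))
    return out


def pid_to_image(tasklist_text):
    """Map PID -> image name from tasklist output; header and separator rows do not match."""
    mapping = {}
    for line in tasklist_text.splitlines():
        m = _TASKLIST.match(line)
        if m:
            mapping[int(m.group(2))] = m.group(1).strip()
    return mapping


def triage(netstat_text, tasklist_text):
    """Join listeners on the backdoor port with their image names and flag the worm's image."""
    images = pid_to_image(tasklist_text)
    results = []
    for proto, addr, pid in listeners_on(netstat_text):
        image = images.get(pid, "<unknown>")
        results.append({"proto": proto, "local": addr, "pid": pid, "image": image,
                        "zafi": image.lower() == WORM_IMAGE})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(r)
```

A listener on 8181 by itself is only a lead: confirm the image path under the System directory and the "Wxp4" Run value before calling it an infection, since the worm disables Task Manager and the PID-to-image step may have to be done from a clean boot environment.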
Detection for this malware was published on Dec 14th, 2004
in the following F-Secure Anti-Virus updates:
[FSAV_Database_Version]
Version=2004-12-14_02
Technical Details:
Jarkko Turkulainen, Gergely Erdelyi Dec 14th, 2004;
F-Secure Corporation