Zafi.B

Threat description

Details

Category: Malware
Type: Email-Worm

Summary

A new variant of the Zafi worm, Zafi.B, is spreading. While the original Zafi.A uses only Hungarian, Zafi.B spreads via email in English, Italian, Spanish, Russian, Swedish and other languages. The worm sends itself in emails mostly as a .pif attachment and in rare cases as a .exe or .com file.

Removal

Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:

Technical Details

Zafi.B spreads in FSG!-packed form, 12800 bytes in size. The body unpacks to around 30 KiB of hand-written assembly code.

System Infection

When Zafi.B is started it copies itself to the Windows System Directory under a random .DLL name and a random .EXE name. The .EXE file is added to the registry as

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "_Hazafibb" = "%SysDir%\.exe"

Several additional files are created in the System Directory with random name and .DLL extension. The worm keeps its internal data in those.

Zafi.B enumerates all directories on the system and copies itself as either 'winamp 7.0 full_install.exe' or 'Total Commander 7.0 full_install.exe' into every directory whose name contains 'share' or 'upload'.
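As an added example (not part of this F-Secure description), the following Python triage helper checks a set of Run-key values and a file listing for the persistence entry, drop names and packed size given above. The registry value data, file paths and sizes are constructed sample input; on a real host they would be read from the registry and a file-system walk.

```python
from pathlib import PureWindowsPath

# Indicators taken from the Zafi.B description above.
RUN_VALUE_NAME = "_Hazafibb"          # value name under HKLM\...\CurrentVersion\Run
PACKED_SIZE = 12800                   # size of the FSG!-packed worm body in bytes
DROPPED_NAMES = {
    "winamp 7.0 full_install.exe",
    "total commander 7.0 full_install.exe",
}
DIR_MARKERS = ("share", "upload")     # directory names the worm copies itself into


def flag_run_values(run_values):
    """run_values: dict of value name -> data read from the Run key.
    Returns the (name, data) pairs matching the worm's persistence entry."""
    return [(name, data) for name, data in run_values.items()
            if name == RUN_VALUE_NAME]


def flag_dropped_files(files):
    """files: iterable of (windows_path, size_in_bytes).
    Flags self-copies under the worm's drop names in 'share'/'upload'
    directories; the second element says whether the size matches the
    packed form (a mismatch is weaker evidence, not a clean bill)."""
    hits = []
    for path, size in files:
        wp = PureWindowsPath(path)
        in_drop_dir = any(m in wp.parent.name.lower() for m in DIR_MARKERS)
        if wp.name.lower() in DROPPED_NAMES and in_drop_dir:
            hits.append((path, size == PACKED_SIZE))
    return hits


# Constructed sample input (the random .EXE name is made up for the example).
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "_Hazafibb": r"C:\WINDOWS\System32\xkqtz.exe",
}
SAMPLE_FILES = [
    (r"C:\Users\alice\Music\winamp 7.0 full_install.exe", 12800),      # not a share/upload dir
    (r"C:\Shared Files\upload\winamp 7.0 full_install.exe", 12800),
    (r"D:\ftp\upload\Total Commander 7.0 full_install.exe", 4096),
    (r"D:\ftp\upload\readme.txt", 120),
]

if __name__ == "__main__":
    for name, data in flag_run_values(SAMPLE_RUN_VALUES):
        print(f"persistence: {name} = {data}")
    for path, size_ok in flag_dropped_files(SAMPLE_FILES):
        print(f"dropped copy: {path} (packed size match: {size_ok})")
```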

Email Propagation

Zafi.B looks into the Windows Address Book and various files on disk to gather email addresses. Files with the following extensions are checked:


Using its own SMTP engine the worm sends messages with infected attachments in many different languages.

For email addresses in the following domains the worm sends messages in the respective languages:


For Hungarian recipients there are three different messages. Any recipient that is not on the list (including .COM, .NET, etc.) is sent one of the three predefined English messages.


In rare cases the email will have an attachment named 'Surprise' with the extension '.com', '.exe' or '.pif'. The worm does not send emails to addresses that contain any of these strings:


Payload

Zafi.B terminates any application whose name contains the words 'firewall' or 'virus'. The executables of these applications are then overwritten with a copy of the worm.

Several Windows tools, such as Task Manager and Registry Editor, are disabled while the worm is active: Zafi.B opens their files with exclusive locking to prevent anything else from opening them.
