Zar.A is a simple massmailer that attempts to spread on emails with subject "Tsunami Donation! Please help!".
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
More scanning & removal options
More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
When run, Zar.A makes three copies of itself with the following names:
where %WinDir% is Windows folder, for example 'C:\Windows\' on a default installation of Windows XP. The "crssr.exe" file is added to the registry key
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CaptionMgr32" = "%systemroot%\crssr.exe"
As %systemroot% usually refers to same directory as %Windir%, this registry key ensures that the worm is run at every system startup.
Zar.A tries to find addresses from Microsoft Outlook address book. It uses the MAPI functions for sending infected messages for each of the addresses found in the address book.
The message is composed of subject
"Tsunami Donation! Please help!"
and message body text
"Please help us with your donation and view the attachment below! We need you!"
The worm attaches itself in messages using filename "tsunami.exe".
Zar.A attempts a Denial Of Serice attack against www.hacksector.de by issuing ICMP echo messages (ping) with huge payload.
It can also display a fake error message saying
"Fatal Error: Couldn't initialize setup (CRC)"
Description Created: 2006-01-01 14:42:05.0
Description Last Modified: 2006-01-01 00:00:00.0