Virus Information Center

Win32.Zafi.B

 

Description Published: Friday, June 11, 2004
Description Modified: Monday, November 15, 2004

 
 
Threat Assessment
Overall Risk: Low
Wild: Low
Destructiveness: Low
Pervasiveness: High
Characteristics

Type: Worm
Category: Win32
Also known as W32.Erkez.B@mm (Symantec), Win32/Zafi.B (Eset), I-Worm.Zafi.b (Kaspersky), Win32/Zafi.B.Worm, W32/Zafi.B@MM (McAfee)

Immediate Protection Info
eTrust Antivirus 6x/v7* (InoculateIT Engine): 23.65.39
eTrust Antivirus 6x/v7* (Vet Engine): 11.x/8392
eTrust EZ Antivirus 6.1x: 6.1x/5527
eTrust EZ Antivirus 6.2x: 6.2x/8392
Inoculan/InoculateIT 4.x: 47.40
Vet Anti-Virus 10.5x: 10.5x/5527
Vet Anti-Virus 10.6x: 10.6x/8392

* Includes updates for InoculateIT and eTrust InoculateIT 6.0.

Description
Win32.Zafi.B is a worm that spreads via e-mail using several different languages, including English, Hungarian and Russian. It is a 12,800-byte, FSG-packed Win32 executable.

Method of Infection

When executed, the worm makes two copies of itself in the %System% directory with randomly generated file names. One has the extension .exe and the other .dll. For example:

C:\WINDOWS\System32\PIVUJDSU.EXE
C:\WINDOWS\System32\FRUPKUPX.DLL

It creates this registry value to execute the worm each time Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\_Hazafibb = "%System%\<worm_executable>"

Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default System directory is C:\Winnt\System32 on Windows 2000 and NT, C:\Windows\System on Windows 95, 98 and ME, and C:\Windows\System32 on Windows XP.

The worm creates a mutex "_Hazafibb" to avoid running multiple instances of itself on the affected system.


Method of Distribution

Via E-mail

Zafi.B sends itself to e-mail addresses collected from the affected machine. It harvests e-mail addresses from files with the extensions htm, wab, txt, dbx, tbb, asp, php, sht, adb, mbx, eml or pmr on the local fixed drives C, D, E, F, G and H.

When searching these files, it ignores addresses containing any of these strings:

win
use
info
help
admi
webm
micro
msn
hotm
suppor
syma
vir
trend
panda
yaho
cafee
sopho
google
kasper

It also searches the Windows Address Book (WAB) file, which it finds by checking this registry value:

HKCU\Software\Microsoft\WAB\WAB4\Wab File Name\(Default)

It creates five files in the %System% directory in which to store these addresses. These files have randomly generated names and the extension ".DLL".

E.g. "C:\WINDOWS\System32\gcwaaaaq.dll"

The worm uses its own SMTP engine to send e-mails.  It carries several templates in different languages to format e-mails.  The attachment has extension ".PIF", ".EXE" or ".COM".

Please see below for examples of e-mail generated by the worm:

Via Network Share

The worm copies itself to directories with "share" or "upload" in the directory name, assuming these directories are network shares, using these filenames:

winamp 7.0 full_install.exe
Total Commander 7.0 full_install.exe

Payload

Denies Application Execution

Zafi.B prevents the user from running applications whose filename contains any of the strings "regedit", "msconfig" or "task".

Denial Of Service Attack

The worm constantly sends empty GET requests to the following web sites:

'www.parlament.hu'
'www.virusbuster.hu'
'www.virushirado.hu'
'www.2f.hu'

Additional Information

The worm creates this registry key to keep track of its state:

HKLM\Software\Microsoft\_Hazafibb

The worm stores the following information under this key:

  • the name of the infected system's registered owner
  • default mail account
  • local host IP address
  • full paths to the worm's executable file and data files (with random names)
  • full paths to the applications to which it blocks access.

When run, the worm may also open the default browser and load a page chosen at random from those previously typed into Internet Explorer.
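A defender-side check that covers the host and network indicators listed in the Method of Infection, Via Network Share, Denial Of Service Attack and Additional Information sections above. This is an added example, not CA's or the analyst's own code; the snapshot format (Run values, registry keys, mutex names, file paths collected by an inventory tool), the proxy-log line format and all sample data are assumptions constructed for the example.

```python
from collections import Counter

# Indicator values as given in the description above.
RUN_VALUE = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\_Hazafibb"
STATE_KEY = r"HKLM\Software\Microsoft\_Hazafibb"
MUTEX = "_Hazafibb"
SHARE_COPIES = {"winamp 7.0 full_install.exe", "total commander 7.0 full_install.exe"}
DOS_TARGETS = {"www.parlament.hu", "www.virusbuster.hu", "www.virushirado.hu", "www.2f.hu"}


def check_host(run_values, reg_keys, mutexes, files):
    """Map each documented host indicator that is present to its evidence.
    run_values is {registry value path: data}; the others are string lists."""
    found = {}
    for path, data in run_values.items():
        if path.lower() == RUN_VALUE.lower():
            found["run_value"] = data  # data is the worm executable's path
    if any(k.lower() == STATE_KEY.lower() for k in reg_keys):
        found["state_key"] = STATE_KEY
    if MUTEX in mutexes:
        found["mutex"] = MUTEX
    for f in files:
        parts = f.lower().split("\\")
        # A copy only counts when its parent directory name contains share/upload.
        if len(parts) >= 2 and parts[-1] in SHARE_COPIES and \
                any(w in parts[-2] for w in ("share", "upload")):
            found.setdefault("share_copy", []).append(f)
    return found


def dos_request_counts(log_lines):
    """Count GET requests to the DoS targets in lines of the constructed
    proxy-log form 'client method host path'."""
    counts = Counter()
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 3 and fields[1] == "GET" and fields[2].lower() in DOS_TARGETS:
            counts[fields[2].lower()] += 1
    return counts


# Constructed sample snapshot and log (not data from a real infection).
SAMPLE_RUN = {RUN_VALUE: r"C:\WINDOWS\System32\PIVUJDSU.EXE",
              r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon": "ctfmon.exe"}
SAMPLE_KEYS = [STATE_KEY, r"HKLM\Software\Microsoft\Windows"]
SAMPLE_MUTEXES = ["_Hazafibb", "Global\\OtherMutex"]
SAMPLE_FILES = [r"\\fileserver\share\winamp 7.0 full_install.exe",
                r"C:\Users\a\Downloads\winamp 7.0 full_install.exe"]
SAMPLE_LOG = ["10.0.0.5 GET www.parlament.hu /", "10.0.0.5 GET www.parlament.hu /",
              "10.0.0.5 GET www.2f.hu /", "10.0.0.9 GET www.example.test /index.html"]
```

A bare Run value or mutex name alone is weak evidence; the Run value's data gives the worm executable's path, which is what the removal should target.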

Analysis by Sha-Li Hsieh

Copyright © 2006 CA. All rights reserved.