Win32/Zafi.D
Created: 2006-07-19, 19:28:15
Last updated on: 2010-11-26, 09:32:34
Compressor: FSG
Affected operating system(s): Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows Server 2003, Windows XP
Non-affected operating system(s): Windows 3.xx, DOS, Linux, Unix, Solaris, MacOS, Mac OS X, OS2
Naming
Avast | Win32:Zafi-J
AVG | I-Worm/Zafi.D
BitDefender | Win32.Zafi.D@mm
e-Trust | Win32/Zafi.D
F-PROT | W32/EmailWorm.OQI
F-Secure | Email-Worm.Win32.Zafi.d
Ikarus | Email-Worm.Win32.Zafi.D
Kaspersky | Email-Worm.Win32.Zafi.d
McAfee | W32/Zafi.d@MM(Virus)
Microsoft | Win32/Zafi.D@mm
NOD32 (ESET) | Win32/Zafi.D
Norton Antivirus | W32.Erkez.D@mm
Panda | W32/Zafi.D.worm
Rising Antivirus | Worm.Zafi.d
Sophos | W32/Zafi-D
Trend Micro | WORM_ZAFI.AC
VirusBuster | I-Worm.Zafi.D
Installation
The worm displays a window during the installation of its code (the screenshot is not included in this text).
The worm creates the following files:
In the Windows System32 folder (default: C:\Windows\System32):
- Norton Update.exe
- files with randomly generated names using the .dll extension
In the root folder of the drive(s):
- s.cm
In shared folders:
- winamp 5.7 new!.exe
- ICQ 2005a new!.exe
The Win32/Zafi.D worm creates the following registry entries, or modifies them if they already exist:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "Wxp4"="C:\WINDOWS\System32\Norton Update.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wxp4]
  "t3"="C:\WINDOWS\System32\Norton Update.exe"
The Win32/Zafi.D worm also creates randomly generated entries under the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wxp4] key.
The Win32/Zafi.D worm creates the Wxp4 mutex.
The Win32/Zafi.D worm stops processes whose names include one of the following strings:
- firewall
- virus
- reged
- msconfig
- task
E-mail messages
To spread, the Win32/Zafi.D worm creates ANSI-format e-mail messages and sends its own code as the attachment.
The Win32/Zafi.D worm searches for e-mail addresses in files with one of the following extensions:
- htm
- wab
- txt
- dbx
- tbb
- asp
- php
- sht
- adb
- mbx
- eml
- pmr
- fpt
- inb
The Win32/Zafi.D worm can create e-mail messages with different characteristics.
Worms usually use this to send e-mails in different languages to different regions (domains).
The characteristics of the e-mail messages are the following:
The sender, addressee and attachment rules are the same for every domain; only the subject, the attachment name and the message text vary.
Sender | The sender address of the infected e-mail is the same as the e-mail address belonging to the infected computer's e-mail client.
Addressee | The worm sends the e-mail messages to the collected addresses. It does not send infected e-mail messages to addresses containing one of the following strings:
- yaho
- google
- win
- use
- info
- help
- admi
- ebm
- micro
- msn
- hotm
- suppor
- syman
- viru
- trend
- secur
- panda
- cafee
- sopho
- kasper
Attachment | The file extension of the attachment sent by the worm can be one of several; the list of extensions is not present on this page.
The subject, attachment name and text depend on the domain of the recipient address:
Domain | Subject | Attachment | Text
.hu | boldog karacsony... | (name not given on the page) | Kellemes Ünnepeket!
.nl | Prettige Kerstdagen! | #####.KERSTDAGEN.##### | Prettige Kerstdagen!
.cz | Christmas pohlednice | #####.POHLEDNICE.##### | Veselé Vánoce!
.fr | Joyeux Noel! | #####.ECARTE.##### | Joyeux Noel!
.it | Buon Natale! | #####.CARTOLINE.##### | Buon Natale!
.ru | ecard.ru | #####.CARD.##### | (text not given on the page)
.es, .mx | Feliz Navidad! | #####.NAVIDAD.##### | Feliz Navidad!
.dk | Christmas Kort! | #####.EKORT.##### | Glaedelig Jul!
.se | Christmas Vykort! | #####.VYKORT.##### | God Jul!
.no | Christmas Postkort! | #####.POSTKORT.##### | God Jul!
.fi | Christmas postikorti! | #####.POSTIKORTI.##### | Iloista Joulua!
.lt | Christmas Atviruka! | #####.ATVIRUKA.##### | Naujieji Metai!
.pl | Christmas - Kartki! | #####.KARTKI.##### | Wesolych Swiat!
.de, .at | Weihnachten card. | #####.WEIHNACHTEN.##### | Fröhliche Weihnachten!
other domains | Merry Christmas! | #####.POSTCARD.##### | Happy Hollydays!
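As an added example (not code from the original description), a Python mail-gateway check that flags a message whose subject or attachment name matches one of the lures listed above. It assumes the ##### parts of the attachment names stand for variable text, and the sample message it scans is constructed, not a real capture.

```python
import email.policy
import re

# Lures from the description above: (recipient domains, subject, keyword in the
# attachment name). "#####" is assumed to be variable text, so only the keyword is matched.
ZAFI_D_LURES = [
    ([".hu"], "boldog karacsony...", None),
    ([".nl"], "Prettige Kerstdagen!", "KERSTDAGEN"),
    ([".cz"], "Christmas pohlednice", "POHLEDNICE"),
    ([".fr"], "Joyeux Noel!", "ECARTE"),
    ([".it"], "Buon Natale!", "CARTOLINE"),
    ([".ru"], "ecard.ru", "CARD"),
    ([".es", ".mx"], "Feliz Navidad!", "NAVIDAD"),
    ([".dk"], "Christmas Kort!", "EKORT"),
    ([".se"], "Christmas Vykort!", "VYKORT"),
    ([".no"], "Christmas Postkort!", "POSTKORT"),
    ([".fi"], "Christmas postikorti!", "POSTIKORTI"),
    ([".lt"], "Christmas Atviruka!", "ATVIRUKA"),
    ([".pl"], "Christmas - Kartki!", "KARTKI"),
    ([".de", ".at"], "Weihnachten card.", "WEIHNACHTEN"),
    (["other"], "Merry Christmas!", "POSTCARD"),
]
SUBJECTS = {subj: doms for doms, subj, _ in ZAFI_D_LURES}
ATTACH_RE = re.compile(  # <anything>.<KEYWORD>.<anything>, e.g. "abc12.KERSTDAGEN.x7q9z"
    r"^[^.]+\.(" + "|".join(k for _, _, k in ZAFI_D_LURES if k) + r")\.[^.]+$")

def scan_message(raw: bytes) -> dict:
    # Parse one RFC 822 message and report which lure characteristics it shows.
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    subject = str(msg.get("Subject", "")).strip()
    reasons = []
    if subject in SUBJECTS:
        reasons.append(f"subject is the {'/'.join(SUBJECTS[subject])} lure")
    for part in msg.iter_attachments():  # body parts are skipped
        name = part.get_filename() or ""
        if found := ATTACH_RE.match(name):
            reasons.append(f"attachment {name!r} matches keyword {found.group(1)}")
    return {"match": bool(reasons), "reasons": reasons}

# Constructed sample (not a real capture) mimicking the .nl lure.
SAMPLE = b"""Subject: Prettige Kerstdagen!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="abc12.KERSTDAGEN.x7q9z"
Content-Disposition: attachment; filename="abc12.KERSTDAGEN.x7q9z"

placeholder-bytes
--b1--
"""
```

Running scan_message(SAMPLE) returns both a subject and an attachment reason; a benign message with neither returns an empty reason list.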
The messages carrying the worm use a distinctive attachment icon (not reproduced in this text; warning: in some e-mail clients the icon is not displayed correctly).
Backdoor
The Win32/Zafi.D worm opens a backdoor on TCP port 8181.