Mike's VirusInfo BAGLE



W32/Zafi-D Christmas Virus Makes the Rounds


Name: W32/Zafi-D
Threat level: Medium

**Panda has one of the best graphical descriptions ~ Mike
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=56161&sind=0

Type: Worm

How it spreads: Email attachments; Peer-to-peer

Affected operating systems: Windows

Side effects: Sends itself to email addresses found on the infected computer;
Installs itself in the Registry

Aliases: Email-Worm.Win32.Zafi.d; W32/Zafi.d@MM

Protection: virus identity (IDE) file
Protection available since: 14 December 2004 11:56:00 (GMT)
Included in Sophos products from: February 2005 (3.90)



Description
This section helps you to understand how it behaves
W32/Zafi-D is a mass mailing worm and peer-to-peer worm.

W32/Zafi-D copies itself to the Windows system folder with the filename
Norton Update.exe.

W32/Zafi-D creates a number of files in the Windows system folder with
filenames consisting of 8 random characters and a DLL extension. Some of
these are exact or zipped copies of the worm, detected as W32/Zafi-D, while
others are log files created by the worm.

W32/Zafi-D harvests email addresses from the Windows Address Book and from
files found on the hard drive.

W32/Zafi-D copies itself to folders with names containing share, upload, or
music as ICQ 2005a new!.exe or winamp 5.7 new!.exe.

W32/Zafi-D displays a fake error message box with the caption "CRC: 04F6Bh"
and the text "Error in packed file!".


Recovery
This section tells you how to disinfect.
Please follow the instructions for removing worms.


Advanced
This section is for technical experts who want to know more.  
W32/Zafi-D is a mass mailing and peer-to-peer worm.

W32/Zafi-D copies itself to the Windows system folder with the filename
Norton Update.exe and creates the following entry in the registry so as to
run itself when a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Wxp4

W32/Zafi-D creates a number of files in the Windows system folder with
filenames consisting of 8 random characters and a DLL extension. Some of
these are exact or zipped copies of the worm, detected as W32/Zafi-D, while
others are log files created by the worm.

W32/Zafi-D attempts to terminate processes related to files found in folders
that have names containing the following strings:

syman, viru, trend, secur, panda, cafee, sopho, kasper

W32/Zafi-D attempts to open files containing the following strings and keep
them open so as to make them inaccessible to the user:

reged, msconfig, task

W32/Zafi-D copies itself to folders containing one of the following strings:

share, upload, music

W32/Zafi-D copies itself to these folders with one of the following
filenames:

ICQ 2005a new!.exe
winamp 5.7 new!.exe

W32/Zafi-D harvests email addresses from the Windows Address Book and from
files it finds with the extensions HTM, WAB, TXT, DBX, TBB, ASP, PHP, SHT,
ADB, MBX, EML, PMR, FPT or INB.

W32/Zafi-D may copy the file from which it is harvesting addresses to
C:\S.CM.

W32/Zafi-D does not harvest addresses that contain the following words:

yaho, google, win, use, info, help, admi, webm, micro, msn, hotm, suppor,
syman, viru, trend, secur, panda, cafee, sopho, kasper

W32/Zafi-D does not harvest addresses that contain 16 or more digits.

W32/Zafi-D may generate random addresses using harvested domain names.

W32/Zafi-D produces emails with the following characteristics depending on
the nationality of the recipient, which it infers from the country-code
top-level domain of the address (e.g. .uk, .de, .fr, .nl).

From line: This is either a name gathered from the host email setup or one
of the following:

Pamela M.
T. Antonio
J. Martin
V. Dusan
R. Cornel
H. Irene
S. Ewa
C. Lina
M. Virtanen
M. Emma
J. Andersson
V. Jensen
V. Tatyana
N. Fernandez
T. Maria

Subject line: This can start either "Re:", "Fw:" or with nothing, continuing
with one of the following:

Merry Christmas!
Buon Natale!
Joyeux Noel!
Christmas pohlednice
Prettige Kerstdagen!
Weihnachen card.
Christmas - Kertki!
Christmas - Atviruka!
Christmas postikorti!
Christmas Postkort!
Christmas Vykort!
Christmas Kort!
ecard.ru
Feliz Navidad!
boldog karacsony...

Message body: This is in plain text and HTML format. Both consist of either
two words or spaces, followed by a smiley and the sender name from the
subject line. In the HTML version the words or spaces are separated by "...."
strings and a lewd animated GIF of two smileys, and the line starts and
ends with asterisks. The HTML text ends with a string containing a domain name
followed by the text "Picture Size: 11 KB, Mail +OK".
The words used in the text are taken from the following list, or are written
in non-Roman characters:

Happy Hollydays!
Buon Natale!
Joyeux Noel!
Prettige Kerstdagen!
Frohliche Wiehnachten!
Wesolych Swiat!
Naujieji Metai!
Iloista Joulua!
God Jul!
Glaedelig Jul!
Feliz Navidad
Kellemes Unnepeket!

Attached filename: This starts "link." or nothing, followed by one name from
the following list:

postcard.
cartoline.
ecarte.
phlednice.
kerstdagen.
weihnachten.
kartki.
atviruka.
postikorti.
postkort.
vykort.
ekort.
card.
navidad.
karacsony.

This is then followed by "christmas." or nothing, then by "index." or
nothing.

The attachment then has one of the following fake extensions followed by 4
random digits:

.php
.htm
.jpg
.gif

The attachment has one of the following actual extensions:

.cmd
.bat
.pif
.com
.zip

If the attachment is a ZIP file then the worm inside it has a filename of
one of the following:

postcard.
wishcard.
xmascard.
giftcard.

This is followed by either "id" or "php", four random digits and one of the
following extensions:

.cmd
.bat
.pif
.com

For example, the attached file may be a zip file named
atviruka.christmas.index.jpg6245.zip containing a copy of the virus named
wishcard.id8302.cmd
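The attachment naming rules above (optional "link." prefix, a name from the list, optional "christmas." and "index.", a fake extension plus four digits, then the real extension, and the separate naming rule for the worm inside a ZIP) are regular enough to check mechanically at a mail gateway or in a mailbox sweep. The following is an added example, not code from Mike's page or from the Sophos analysis; it encodes the two grammars and the subject list as anchored regular expressions and returns a verdict for an attachment name plus, for archives, the names of the files inside. The function names and the "zafi-d / suspicious / clean" verdicts are this example's own choices.

```python
import re

# Naming grammar taken from the analysis above. Patterns are anchored and
# case-insensitive, so only names built exactly this way are flagged.
NAME_WORDS = ("postcard", "cartoline", "ecarte", "phlednice", "kerstdagen",
              "weihnachten", "kartki", "atviruka", "postikorti", "postkort",
              "vykort", "ekort", "card", "navidad", "karacsony")
FAKE_EXTS = ("php", "htm", "jpg", "gif")          # what the user is meant to see
REAL_EXTS = ("cmd", "bat", "pif", "com", "zip")   # what actually opens/runs
ZIP_INNER_WORDS = ("postcard", "wishcard", "xmascard", "giftcard")
ZIP_INNER_EXTS = ("cmd", "bat", "pif", "com")
SUBJECTS = ("Merry Christmas!", "Buon Natale!", "Joyeux Noel!",
            "Christmas pohlednice", "Prettige Kerstdagen!", "Weihnachen card.",
            "Christmas - Kertki!", "Christmas - Atviruka!",
            "Christmas postikorti!", "Christmas Postkort!", "Christmas Vykort!",
            "Christmas Kort!", "ecard.ru", "Feliz Navidad!", "boldog karacsony...")

ATTACHMENT_RE = re.compile(
    r"^(?:link\.)?"
    r"(?P<word>" + "|".join(NAME_WORDS) + r")\."
    r"(?:christmas\.)?(?:index\.)?"
    r"(?P<fake>" + "|".join(FAKE_EXTS) + r")(?P<digits>\d{4})"
    r"\.(?P<real>" + "|".join(REAL_EXTS) + r")$",
    re.IGNORECASE,
)
ZIP_INNER_RE = re.compile(
    r"^(?P<word>" + "|".join(ZIP_INNER_WORDS) + r")\."
    r"(?P<kind>id|php)(?P<digits>\d{4})"
    r"\.(?P<ext>" + "|".join(ZIP_INNER_EXTS) + r")$",
    re.IGNORECASE,
)


def match_attachment(filename):
    """Parse an attachment name; returns its parts, or None if it does not fit."""
    m = ATTACHMENT_RE.match(filename.strip())
    if not m:
        return None
    return {"word": m["word"].lower(), "fake_ext": m["fake"].lower(),
            "digits": m["digits"], "real_ext": m["real"].lower()}


def match_zip_member(name):
    """Parse the name of a file inside the ZIP; returns its parts or None."""
    m = ZIP_INNER_RE.match(name.strip())
    if not m:
        return None
    return {"name": name, "word": m["word"].lower(), "kind": m["kind"].lower(),
            "digits": m["digits"], "ext": m["ext"].lower()}


def is_zafi_subject(subject):
    """True if the subject is one of the listed greetings, optionally prefixed."""
    s = subject.strip()
    for prefix in ("re:", "fw:"):
        if s.lower().startswith(prefix):
            s = s[len(prefix):].strip()
            break
    return s in SUBJECTS


def classify_attachment(filename, zip_members=()):
    """Return (verdict, reason); verdict is 'zafi-d', 'suspicious' or 'clean'.
    zip_members is the list of member names when the attachment is an archive."""
    outer = match_attachment(filename)
    if outer is None:
        return ("clean", "name does not follow the Zafi-D attachment grammar")
    if outer["real_ext"] != "zip":
        return ("zafi-d", "executable .%s disguised with a fake .%s extension"
                % (outer["real_ext"], outer["fake_ext"]))
    hits = [m for m in map(match_zip_member, zip_members) if m]
    if hits:
        return ("zafi-d", "archive member %s matches the dropped-worm name pattern"
                % hits[0]["name"])
    return ("suspicious", "archive name follows the grammar but no member matches")


if __name__ == "__main__":
    # Constructed sample input, using the example names given in the analysis.
    print(classify_attachment("atviruka.christmas.index.jpg6245.zip",
                              ["wishcard.id8302.cmd"]))
    print(classify_attachment("link.card.gif0001.pif"))
    print(classify_attachment("holiday_photos.zip", ["IMG_0001.jpg"]))
    print(is_zafi_subject("Fw: Buon Natale!"))
```

The outer pattern alone is enough to quarantine a message, because a legitimate mailer never produces a ".jpg6245.zip" double extension; the ZIP member check is what separates a confirmed sample from a name collision, which is why an archive whose members do not match is only reported as suspicious rather than clean.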

W32/Zafi-D creates entries in the registry, some related to files it drops
and some related to system information. The entries are all under
HKLM\Software\Microsoft\Wxp4\ and use some of the following value names:

t1, t2, t3, t4, t5, t6, t7, t8, t9, tA, tB, tC, tD, tE, tZ, rB, rC,
mA, mB, mC, ... , mX, mY, mZ
lA, lB, lC, ... , lX, lY, lZ

W32/Zafi-D displays a fake error message box with the caption "CRC: 04F6Bh"
and the text "Error in packed file!".
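The persistence entry (Run value Wxp4), the worm's own state key under HKLM\Software\Microsoft\Wxp4, and the dropped files (Norton Update.exe in the system folder, the eight-character .dll files, the peer-to-peer bait copies, and C:\S.CM) together give a host-side checklist for confirming or ruling out an infection. The following is an added triage script, not code from Mike's page or from Sophos; it parses a registry export and a list of file paths taken from a suspect machine or disk image, so it runs anywhere without touching a live registry. The system folder path and the data of the Run value are assumptions labelled in the code; the sample export and path list are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Indicators as given in the analysis above; all comparisons are lower-cased.
SYSTEM_DROPPER = "norton update.exe"
P2P_NAMES = {"icq 2005a new!.exe", "winamp 5.7 new!.exe"}
P2P_FOLDER_WORDS = ("share", "upload", "music")
RANDOM_DLL_RE = re.compile(r"^[a-z0-9]{8}\.dll$")
HARVEST_COPY = r"c:\s.cm"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WORM_KEY = r"hkey_local_machine\software\microsoft\wxp4"
RUN_VALUE = "wxp4"


def parse_reg_export(text):
    """Parse a minimal Windows Registry Editor export into
    {key_path_lower: {value_name_lower: data}}. Only the [key] and
    "name"=data line forms are handled, which is enough for triage."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip().strip('"').lower()] = data.strip().strip('"')
    return keys


def check_registry(keys):
    """Findings for the two registry artefacts: the Run value and the state key."""
    findings = []
    run_values = keys.get(RUN_KEY, {})
    if RUN_VALUE in run_values:
        findings.append(("high", "Run value 'Wxp4' present -> %s" % run_values[RUN_VALUE]))
    if WORM_KEY in keys:
        names = ", ".join(sorted(keys[WORM_KEY])) or "(no values)"
        findings.append(("high", "state key HKLM\\Software\\Microsoft\\Wxp4 present: " + names))
    return findings


def check_files(paths, system_dir=r"C:\WINDOWS\system32"):
    """Match absolute Windows paths against the file-system indicators.
    system_dir is an assumption; take it from the image's environment in practice."""
    findings = []
    sysdir = system_dir.lower()
    for p in paths:
        wp = PureWindowsPath(p)
        parent, name = str(wp.parent).lower(), wp.name.lower()
        if p.lower() == HARVEST_COPY:
            findings.append(("high", p + ": address-harvest scratch file"))
        elif parent == sysdir and name == SYSTEM_DROPPER:
            findings.append(("high", p + ": worm copy posing as a Norton update"))
        elif name in P2P_NAMES and any(w in parent for w in P2P_FOLDER_WORDS):
            findings.append(("high", p + ": peer-to-peer bait copy"))
        elif parent == sysdir and RANDOM_DLL_RE.match(name):
            # Weak indicator: plenty of legitimate DLLs also have 8-character names.
            findings.append(("low", p + ": 8-character .dll in system folder, hash and inspect"))
    return findings


def triage(reg_export_text, paths):
    """Run both checks and return the combined list of (severity, message)."""
    return check_registry(parse_reg_export(reg_export_text)) + check_files(paths)


# Constructed sample input (not a real export or disk listing). The Run value
# data is assumed to be the dropper path; the analysis only names the value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Wxp4"="C:\\WINDOWS\\system32\\Norton Update.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Wxp4]
"t1"="..."
"mA"="..."
"""
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\Norton Update.exe",
    r"C:\WINDOWS\system32\kx9q2m1a.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\ntdll.dll",
    r"C:\Shared Music\winamp 5.7 new!.exe",
    r"C:\S.CM",
]

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_REG, SAMPLE_PATHS):
        print("[%s] %s" % (severity, message))
```

The Run value, the state key, the dropper and the bait copies are each specific enough to count as confirmation on their own. The eight-character .dll rule is deliberately reported at low severity: as the sample shows, kernel32.dll fits it just as well as a worm-generated name, so those hits are a list of files to hash and inspect, not a verdict.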

From: PC-Magazin Germany
http://www.pc-magazin.de/praxis/sicherheit/cm/virenecke/show_sophos.php?id=780

Aliases:
Email-Worm.Win32.Zafi.d (AVP), Nocard.A@mm (Norman), W32.Erkez.D@mm
(Symantec), W32/Zafi-D (Sophos), WORM_ZAFI.D (Trend)

Vendor write-ups:
McAfee: http://us.mcafee.com/root/campaign.asp?cid=12942
Panda: http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=56161&sind=0
Secunia: http://secunia.com/virus_information/13874/
Sophos: http://www.sophos.com/virusinfo/analyses/w32zafid.html
Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.erkez.d@mm.html
Trend: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D
