W32/Zafi@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 04/19/2004
Length: 11776 bytes
Minimum DAT: 4352 (04/21/2004)
Updated DAT: 4352 (04/21/2004)
Minimum Engine: 5.1.00
Description Added: 04/19/2004
Description Modified: 04/20/2004 8:31 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This threat is proactively detected by the 4250 DATs and the 4.3.20 engine, with 'program heuristics' enabled, as 'New Malware.b'.

Note: This worm sends itself only to addresses that end with the top-level domain .HU.

When executed, the worm copies itself twice to the %windir%\system32 folder, using a random name with the .EXE and .DLL extensions.

Example:
  C:\WINNT\system32\bawtsuoc.exe
  C:\WINNT\system32\ylhefsko.dll

It creates a registry value so that the file is executed every time the machine starts:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "xqmguqdx" = C:\WINDOWS\System32\bawtsuoc.exe I3

Then it searches the local hard disk for email addresses and stores the harvested addresses in five files in the system32 folder, using random names and the file extension .DLL.

Example:
  C:\WINNT\system32\dnszokke.dll
  C:\WINNT\system32\eajgrjic.dll
  C:\WINNT\system32\jgehkgju.dll
  C:\WINNT\system32\vipmcylx.dll
  C:\WINNT\system32\wthrwhbu.dll

References to these files are stored within the following key, which is also created by the worm:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Hazafi


When it finds an address that ends with .HU, it sends itself to that address; then it combines the domain name and top-level domain (e.g. @domain.hu) and generates new email addresses with random names.

The emails always have the same attachment and subject:

From : [spoofed sender]
To : [harvested address]
Subject : Kepeslap erkezett 
Body :

Tisztelt felhasználó!

Önnek képeslapja érkezett!
A képeslap feladója: [spoofed address]
A lapot az alábbi cimen tudja megtekinteni:
http//matav.hu/viewcard/index=p4uo5683535GSb0123fhhf578840f0623cv2
vagy a mellékelt internetlink kattintásával.

Üdvözlettel: Matav e-card!
http//www.netezz.matav.hu/

Translated:

Dear Customer!

You received a new e-card!
Sender: [spoofed address]
You can view your e-card at the following address:
http//matav.hu/viewcard/index=p4uo5683535GSb0123fhhf578840f0623cv2
or by clicking the attached Internet-link.
Best regards: Matav e-card
http//www.netezz.matav.hu/

Attachment :
link.matav.hu.viewcard.index42ADR4502HHJeTYWYJDF334GSDEv25546.com

The worm monitors the process list and terminates programs with these file names:

  • dfw.exe
  • fsav32.exe
  • fsbwsys.exe
  • fsgk32.exe
  • fsm32.exe
  • fssm32.exe
  • fvprotect.exe
  • mcagent.exe
  • navapw32.exe
  • navdx.exe
  • navstub.exe
  • navw32.exe
  • nc2000.exe
  • ndd32.exe
  • netarmor.exe
  • netinfo.exe
  • netmon.exe
  • nmain.exe
  • nprotect.exe
  • ntvdm.exe
  • ostronet.exe
  • outpost.exe
  • pccguide.exe
  • pcciomon.exe
  • regedit.exe
  • regedit32.exe
  • taskmgr.exe
  • tnbutil.exe
  • vbcons.exe
  • vbsntw.exe
  • vbust.exe
  • vsmain.exe
  • vsmon.exe
  • vsstat.exe
  • winlogon.exe
  • zonalarm.exe


Symptoms

  • Existence of the files and registry keys mentioned above.
  • Termination of the security and system processes listed above.
  • Outgoing email traffic to .HU addresses.
  • On the 1st of May 2004, the worm displays a political message.
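As an added triage example (not part of the original McAfee description), the following Python checks a host for the indicators named above: a Run value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that launches an eight-letter random .exe from System32 with the argument "I3", the presence of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Hazafi, and emails carrying the fixed subject "Kepeslap erkezett" with the long "link.matav.hu.viewcard.index…com" attachment name. The registry entries and emails are constructed sample data, and the two regular expressions generalise from the single examples on the page; they are assumptions, not the vendor's signatures.

```python
import re

# Indicators quoted in the W32/Zafi@MM description. The regular expressions
# generalise from the single examples on the page (an 8-letter random name
# launched with "I3"; the long "link.matav.hu.viewcard.index...com" attachment)
# and are assumptions made for this example, not vendor signatures.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HAZAFI_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Hazafi"
LURE_SUBJECT = "Kepeslap erkezett"

RUN_DATA_RE = re.compile(
    r"^[a-z]:\\.*\\system32\\[a-z]{8}\.exe\s+I3$", re.IGNORECASE)
ATTACHMENT_RE = re.compile(
    r"^link\.matav\.hu\.viewcard\.index[a-z0-9]+\.com$", re.IGNORECASE)


def suspicious_run_values(entries):
    """Return (value_name, data) pairs under the HKLM Run key whose data looks
    like the worm's autostart entry. `entries` are (key, value_name, data)
    tuples, e.g. parsed from a registry export."""
    hits = []
    for key, name, data in entries:
        if key.lower() == RUN_KEY.lower() and RUN_DATA_RE.match(data.strip()):
            hits.append((name, data))
    return hits


def has_hazafi_key(key_paths):
    """True if the worm's address-store key is present in the exported key list."""
    return any(k.lower() == HAZAFI_KEY.lower() for k in key_paths)


def classify_email(subject, attachment_name):
    """Return the lure indicators an email matches (empty list = no match)."""
    reasons = []
    if subject.strip().lower() == LURE_SUBJECT.lower():
        reasons.append("subject")
    if ATTACHMENT_RE.match(attachment_name.strip()):
        reasons.append("attachment")
    return reasons


def assess_host(entries, key_paths, emails):
    """Combine the three checks into one findings dict for a host."""
    return {
        "run_values": suspicious_run_values(entries),
        "hazafi_key": has_hazafi_key(key_paths),
        "lure_emails": [(s, a) for s, a in emails if classify_email(s, a)],
    }


# Constructed sample data: one benign Run entry plus the page's example entry,
# a key list containing the Hazafi key, one benign email and one lure email.
SAMPLE_RUN_ENTRIES = [
    (RUN_KEY, "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    (RUN_KEY, "xqmguqdx", r"C:\WINDOWS\System32\bawtsuoc.exe I3"),
]
SAMPLE_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Hazafi",
]
SAMPLE_EMAILS = [
    ("Meeting notes", "notes.pdf"),
    ("Kepeslap erkezett",
     "link.matav.hu.viewcard.index42ADR4502HHJeTYWYJDF334GSDEv25546.com"),
]

if __name__ == "__main__":
    print(assess_host(SAMPLE_RUN_ENTRIES, SAMPLE_KEYS, SAMPLE_EMAILS))
```

The Run-key check deliberately requires the "I3" argument together with an eight-letter name under System32, so ordinary autostart entries such as ctfmon.exe do not trigger it; a mail-gateway rule would normally key on the attachment name alone, since the subject is the only part of the lure a user sees before opening it.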

Method of Infection

This worm does not use any exploit code to execute the mail attachment automatically. A user has to double-click the infected attachment to infect the machine.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • w32.erkez.a@mm (Symantec)
