W32/Zafi.c@MM

Type
Virus
SubType
E-mail worm
Discovery Date
10/27/2004
Length
15,993 bytes (FSG packed)
Minimum DAT
4401 (10/27/2004)
Updated DAT
4602 (10/11/2005)
Minimum Engine
5.1.00
Description Added
10/27/2004
Description Modified
10/28/2004 9:12 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

-- Update October 27, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://news.zdnet.co.uk/internet/0,39020369,39171748,00.htm

--

This variant bears similarities to its predecessors, for example W32/Zafi.b@MM.

  • contains its own SMTP engine to construct outgoing messages
  • spoofs the From: address
  • harvests target email addresses from the victim machine
  • outgoing message may contain message bodies in Hungarian or English
  • the virus carries derogatory comments concerning other high profile viruses in 2004
  • the virus is intended to perform a denial of service (DoS) attack against the following web sites:
    • google.com
    • microsoft.com
    • www.miniszterelnok.hu

At the time of writing AVERT has received just a single sample of this virus from the field.

Symptoms

  • Outgoing messages matching the description below
  • Registry keys and file system changes matching the details below

Installation

The worm drops copies of itself within the Windows system (%SysDir%) directory:

  • c:\WINNT\system32\svchost.com
  • c:\WINNT\system32\svchost.con

System startup is hooked via addition of the following Registry key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Run "_svchost.con" = %SysDir%\svchost.com

The worm creates the following Registry key, within which various data is stored (for example, filepaths of the local files created that contain harvested email addresses):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UpdateZ3

Method of Infection

Mail Propagation

The worm contains its own SMTP engine for constructing outgoing messages. Target email addresses are harvested from the victim machine, from files with the following extensions:

  • htm
  • wab
  • txt
  • dbx
  • tbb
  • asp
  • php
  • sht
  • adb
  • mbx
  • eml
  • pmr

Harvested email addresses are stored in "SVCHOST.COn" files within %SysDir% (where n is a digit). These files are referenced within the data key described above.

The worm does not send emails to addresses containing any of the following strings:

  • info
  • help
  • aol
  • webm
  • micro
  • msn
  • hotmail.co
  • suppor
  • syma
  • vir
  • trend
  • panda
  • hoo.com
  • cafee
  • sopho
  • google
  • kasper

Outgoing messages are constructed with multiple subject lines, message bodies and attachment filenames.

P2P Propagation

The worm makes multiple copies of itself using the filename "DOOM33 KEYGEN.EXE" in local directories containing the following strings:

  • share
  • upload
  • downlo

For example:

  • c:\Program Files\Common Files\Microsoft Shared\doom3 keygen.exe
  • c:\WINNT\Downloaded Program Files\doom3 keygen.exe

Process termination payload

In an attempt to thwart manual identification and cleaning of an infected machine, the worm will attempt to terminate processes containing any of the following strings:

  • reged
  • msconfig
  • task

Denial of Service payload

This variant also delivers a DoS attack (HTTP) on three remote sites:

  • google.com
  • microsoft.com
  • www.miniszterelnok.hu
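A host triage check built from the indicators in the Installation and P2P Propagation sections above. This is an added example, not AVERT's own tooling: it runs over constructed registry and directory listings (the `SAMPLE_*` values are made up) rather than reading a live system, so a responder would feed it real `Run` values and a file walk of %SysDir% and the share/upload/download folders.

```python
import re
from pathlib import PureWindowsPath

# Indicators transcribed from the description above. The P2P filename is given as
# "DOOM33 KEYGEN.EXE" in the text but "doom3 keygen.exe" in both examples, so both
# spellings are accepted. All matching is case-insensitive, as NTFS names are.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "_svchost.con"
DATA_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UpdateZ3"
P2P_DIR_MARKERS = ("share", "upload", "downlo")
P2P_NAMES = {"doom3 keygen.exe", "doom33 keygen.exe"}
# svchost.com / svchost.con (dropped copies) and svchost.co<digit> (address caches)
DROPPED_NAME = re.compile(r"^svchost\.co[mn0-9]$", re.IGNORECASE)

def check_registry(run_values, keys_present):
    """run_values: {value name: data} read from the Run key.
    keys_present: iterable of full key paths found under HKLM. Returns matched indicators."""
    hits = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME and data.lower().endswith(r"\svchost.com"):
            hits.append(f"{RUN_KEY} {name!r} = {data}")
    if any(k.lower() == DATA_KEY.lower() for k in keys_present):
        hits.append(DATA_KEY)
    return hits

def check_files(paths, sysdir=r"C:\WINNT\system32"):
    """paths: iterable of full file paths (a directory listing). Returns matched paths."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        parent = str(wp.parent).lower()
        if DROPPED_NAME.match(wp.name) and parent == sysdir.lower():
            hits.append(p)  # dropped copy or address cache in the system directory
        elif wp.name.lower() in P2P_NAMES and any(m in parent for m in P2P_DIR_MARKERS):
            hits.append(p)  # fake keygen planted in a share/upload/download folder
    return hits

# Constructed sample inputs standing in for a real host's registry and file listing.
SAMPLE_RUN = {"_svchost.con": r"C:\WINNT\system32\svchost.com",
              "ctfmon.exe": r"C:\WINNT\system32\ctfmon.exe"}
SAMPLE_KEYS = [r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UpdateZ3"]
SAMPLE_FILES = [r"C:\WINNT\system32\svchost.exe",  # legitimate, not flagged
                r"C:\WINNT\system32\svchost.com",
                r"C:\WINNT\system32\SVCHOST.CO2",
                r"C:\WINNT\Downloaded Program Files\doom3 keygen.exe",
                r"C:\Users\alice\doom3 keygen.exe"]  # not a P2P folder, not flagged

if __name__ == "__main__":
    for hit in check_registry(SAMPLE_RUN, SAMPLE_KEYS) + check_files(SAMPLE_FILES):
        print("Zafi.c indicator:", hit)
```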

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
