Email-Worm.Win32.Zafi.b

Other versions: .a, .c, .d

Aliases
Email-Worm.Win32.Zafi.b (Kaspersky Lab) is also known as: I-Worm.Zafi.b (Kaspersky Lab), W32/Zafi.b@MM (McAfee), W32.Erkez.B@mm (Symantec), Win32.Hazafi.30720 (Doctor Web), W32/Zafi-B (Sophos), Win32/Zafi.B@mm (RAV), PE_ZAFI.B (Trend Micro), Worm/Zafi.B (H+BEDV), W32/Zafi.B@mm (FRISK), Win32:Zafi-B (ALWIL), I-Worm/Zafi.B (Grisoft), Win32.Zafi.B@mm (SOFTWIN), Worm.Zafi.B (ClamAV), W32/Zafi.B.worm (Panda), Win32/Zafi.B (Eset)

Description added: Jun 11 2004
Behavior: Email Worm
Technical details

This worm spreads via the Internet as an attachment to infected messages, and also via local and file-sharing networks.

It is written in Assembler, and packed using FSG. It is 12800 bytes in packed form, and 33292 in unpacked form.

Installation

Once launched, the worm copies its file to the Windows system directory. The name of the file is randomly generated.

The worm registers this file as an entry in the system registry to be run every time the system is started:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "_Hazafibb"="%system%\[file name]"

The worm creates the mutex _Hazafibb to flag its presence in the system; this prevents multiple copies of the worm from running at the same time.

It terminates the following processes and deletes their files from disk:

fvprotect.exe
winlogon.exe
jammer2nd.exe
services.exe

Propagation via email

The worm harvests email addresses from files with the following extensions:

htm
wab
txt
dbx
tbb
asp
php
sht
adb
mbx
eml
pmr

It does not send messages to addresses containing any of the strings below:

win
use
info
help
admi
webm
micro
msn
hotm
suppor
syma
vir
trend
panda
yaho
cafee
sopho
google
kasper

Infected messages use one of several texts, chosen according to the recipient's domain name.

Domain .hu

Sender:

Anita

Message header:

Ingyen SMS!

Message body:

------------------------ hirdetés -----------------------------
A sikeres 777sms.hu és az axelero.hu támogatásával újra
indul az ingyenes sms küldő szolgáltatás! Jelenleg ugyan
korlátozott számban, napi 20 ingyen smst lehet felhasználni.
Küldj te is SMST! Néhány kattintás és a mellékelt regisztrációs
lap kitöltése után azonnal igénybevehető! Bővebb információt
a www.777sms.hu oldalon találsz, de siess, mert az első ezer
felhasználó között értékes nyereményeket sorsolunk ki!

------------------------ axelero.hu ---------------------------

Attachment name:

regiszt.php?3124freesms.index777.pif

Domain .sp

Sender:

Claudia

Message header:

Importante!

Message body:

Informacion importante que debes conocer, -

Attachment name:

link.informacion.phpV23.text.message.pif

Domain .ru

Sender:

Katya

Message header:

Katya

Message body:

DAúADAOIUå OEIEøIEãU, ÐÉÓÁ_ÝÉÅ ÄÅ×ÕoËÉ, ÁÎÁÌØÎÁÑ ÍÁÓÔÕdÂÁÃÉÑ,
dÕËÁ × ÁÎÕÓÅ É ×ÓÅ ÉÚ×ÅÓÔÎÙÅ ÐÏÌÏ×ÙÅ ÉÚ×dÁÝÅÎÉÑ.   
IÉÓÁ_ÝÉÅ ÄÅ×ÕoËÉ dÁÚ×dÁÔÎÙÅ oËÏÌØÎÉÃÙ...

Attachment name:

view.link.index.image.phpV23.sexHdg21.pif

Domain .dk

Sender:

Eva

Message header:

E-Kort!

Message body:

Mit hjerte banker for dig!

Attachment name:

link.ekort.index.phpV7ab4.kort.pif

Domain .ro

Sender:

Marica

Message header:

Ecard!

Message body:

De cand te-am cunoscut inima mea are un nou ritm!

Attachment name:

link.showcard.index.phpAv23.ritm.pif

Domain .se

Sender:

Anna

Message header:

E-vykort!

Message body:

Till min Alskade...

Attachment name:

link.vykort.showcard.index.phpBn23.pif

Domain .no

Sender:

Erica

Message header:

E-Postkort!

Message body:

Vakre roser jeg sammenligner med deg...

Attachment name:

link.postkort.showcard.index.phpAe67.pif

Domain .fi

Sender:

Katarina

Message header:

E-postikorti!

Message body:

Iloista kesaa!

Attachment name:

link.postikorti.showcard.index.phpGz42.pif

Domain .lt

Sender:

Magdolina

Message header:

Atviruka!

Message body:

Linksmo gimtadieno!

Attachment name:

link.atviruka.showcard.index.phpGz42.pif

Domain .pl

Sender:

Beate

Message header:

E-Kartki!

Message body:

W Dniu imienin...

Attachment name:

link.kartki.showcard.index.phpVg42.pif

Domain .pt

Sender:

Eva

Message header:

Cartoe Virtuais!

Message body:

Te amo...

Attachment name:

link.cartoe.viewcard.index.phpYj39.pif

Domain .de

Sender:

Alice

Message header:

Flashcard fuer Dich!

Message body:

Hallo!

hat dir eine elektronische Flashcard geschickt.
Um die Flashcard ansehen zu koennen, benutze in deinem Browser
einfach den nun folgenden link:
http://flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34

Viel Spass beim Lesen wuenscht Ihnen ihr...

Attachment name:

link.flashcard.de.viewcard34.php.2672aB.pif

Domain .nl

Sender:

Eva

Message header:

Er staat een eCard voor u klaar!

Message body:

Hallo!

heeft u een eCard gestuurd via de website nederlandse
taal in het basisonderwijs...
U kunt de kaart ophalen door de volgende url aan te klikken of te
kopiëren in uw browser link:
http://postkaarten.nl/viewcard.show53.index=04abD1

Met vriendelijke groet,
De redactie taalsite primair onderwijs...

Attachment name:

postkaarten.nl.link.viewcard.index.phpG4a62.pif

Domain .cz

Sender:

Hanka

Message header:

Elektronicka pohlednice!

Message body:

Ahoj!

Elektronická pohlednice ze serveru http://www.seznam.cz

Attachment name:

link.seznam.cz.pohlednice.index.php2Avf3.pif

Domain .fr

Sender:

Claudine

Message header:

E-carte!

Message body:

vous a envoye une E-carte à partir du site zdnet.fr
Vous la trouverez, à l'adresse suivante link:
http://zdnet.fr/showcard.index.php34bs42
www.zdnet.fr, plus de 3500 cartes virtuelles, vos pages web
en 5 minutes, du dialogue en direct...

Attachment name:

link.zdnet.fr.ecarte.index.php34b31.pif

Domain .it

Sender:

Francesca

Message header:

Ti e stata inviata una Cartolina Virtuale!

Message body:

Ciao!

ha visitato il nostro sito, cartolina.it e ha creato una
cartolina virtuale per te! Per vederla devi fare click
sul link sottostante: http://cartolina.it/asp.viewcard=index4g345a
Attenzione, la cartolina sara visibile sui nostri server per
2 giorni e poi verra rimossa automaticamente.

Attachment name:

link.cartoline.it.viewcard.index.4g345a.pif

Domain .mx

1.

Sender:

Jennifer

Message header:

You`ve got 1 VoiceMessage!

Message body:

Dear Customer!

You`ve got 1 VoiceMessage from voicemessage.com website!
Sender:  
You can listen your Virtual VoiceMessage at the following link:
http://virt.voicemessage.com/index.listen.php2=35affv
or by clicking the attached link.

Send VoiceMessage! Try our new virtual VoiceMessage Empire!
Best regards: SNAF.Team (R).

Attachment name:

link.voicemessage.com.listen.index.php1Ab2c.pif
2.

Sender:

Anita

Message header:

Soxor Csok!

Message body:

Szia!

Aranyos vagy, jó volt dumcsizni veled a neten!
Remélem tetszem, és szeretném ha te is küldenél képet
magadról, addig is csók:

Attachment name:

anita.image043.jpg.pif

Domain .at

1.

Sender:

Anita

Message header:

Tessek mosolyogni!!!

Message body:

Ha ez a kép sem tud felviditani, akkor feladom!

Sok puszi:  

Attachment name:

meztelen csajok fociznak.flash.jpg.pif
2.

Sender:

Jennifer

Message header:

Don`t worry, be happy!

Message body:

Hi Honey!

I`m in hurry, but i still love ya...
(as you can see on the picture)

Bye - Bye:  

Attachment name:

www.ecard.com.funny.picture.index.nude.php356.pif

For all other domains, the message will be as follows:

Sender:

David

Message header:

Check this out kid!!!

Message body:

Send me back bro, when you`ll be done...(if you know what i mean...)
See ya,  

Attachment name:

jennifer the wild girl xxx07.jpg.pif
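As an added detection example (not part of the Kaspersky description), the following Python triage function flags mail that matches the templates above on three independent signals: a known subject line, an executable .pif attachment, and a disguised extension in the attachment name. Both sample messages are constructed, not captured.

```python
import email
from email import policy

# Subject lines and attachment naming taken from the templates above.
ZAFI_SUBJECTS = {
    "Ingyen SMS!", "Importante!", "E-Kort!", "Ecard!", "E-vykort!",
    "E-Postkort!", "E-postikorti!", "Atviruka!", "E-Kartki!",
    "Cartoe Virtuais!", "Flashcard fuer Dich!",
    "Er staat een eCard voor u klaar!", "Elektronicka pohlednice!",
    "E-carte!", "Ti e stata inviata una Cartolina Virtuale!",
    "You`ve got 1 VoiceMessage!", "Soxor Csok!", "Tessek mosolyogni!!!",
    "Don`t worry, be happy!", "Check this out kid!!!",
}

def classify(raw):
    """Return the reasons a raw RFC 822 message looks like Zafi.b (empty = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if str(msg["subject"] or "").strip() in ZAFI_SUBJECTS:
        reasons.append("subject matches a Zafi.b template")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".pif"):
            # .pif is executable on Windows; the worm hides it behind a long
            # dotted name carrying a fake inner extension (.jpg, .php, ...).
            reasons.append("executable .pif attachment: " + name)
            if "." in name[:-4]:
                reasons.append("disguised extension in attachment name")
    return reasons

# Constructed samples (not real captures); the first mimics the '.at' template.
SAMPLE_ZAFI = b"""\
From: Jennifer <jennifer@example.invalid>
To: victim@example.invalid
Subject: Don`t worry, be happy!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Honey!
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="www.ecard.com.funny.picture.index.nude.php356.pif"

MZ
--b1--
"""
SAMPLE_CLEAN = b"From: a@example.invalid\nSubject: Meeting notes\n\nSee you tomorrow.\n"
```

Running classify(SAMPLE_ZAFI) yields all three reasons, while classify(SAMPLE_CLEAN) yields an empty list.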

Propagation via local and file-sharing networks

The worm copies itself to all folders whose names contain either of the following words:

share
upload

The name of the worm file will be chosen from the following list:

winamp 7.0 full_install.exe
Total Commander 7.0 full_install.exe
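As an added host-check example covering both the Installation section (the _Hazafibb Run value) and the network-share propagation above (the two lure file names in share/upload folders), the Python below parses a "reg export" dump and walks a directory tree for those indicators. This is not Kaspersky code; the registry export and directory tree it runs on are constructed, and RANDOMNAME.exe is a placeholder for the worm's random file name.

```python
import os
import re
import tempfile

# Indicators taken from the description above (Run value name, lure file names).
RUN_VALUE = "_Hazafibb"
LURE_FILES = {"winamp 7.0 full_install.exe", "total commander 7.0 full_install.exe"}
FOLDER_WORDS = ("share", "upload")

def run_entries_from_reg(reg_text):
    """Parse the CurrentVersion\\Run section of a 'reg export' dump into {name: command}."""
    entries, in_run = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run = line.rstrip("]").lower().endswith(r"\currentversion\run")
        elif in_run:
            m = re.match(r'"([^"]+)"="(.*)"$', line.strip())
            if m:
                entries[m.group(1)] = m.group(2)
    return entries

def registry_hits(reg_text):
    """Run entries whose value name is the one Zafi.b registers."""
    return [(n, v) for n, v in run_entries_from_reg(reg_text).items() if n == RUN_VALUE]

def share_hits(root):
    """Lure file names found inside folders whose name contains 'share' or 'upload'."""
    hits = []
    for dirpath, _, files in os.walk(root):
        if any(w in os.path.basename(dirpath).lower() for w in FOLDER_WORDS):
            hits += [os.path.join(dirpath, f) for f in files if f.lower() in LURE_FILES]
    return hits

# Constructed sample export (not from a real host); RANDOMNAME.exe is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"_Hazafibb"="C:\\WINDOWS\\system32\\RANDOMNAME.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

def demo():
    """Run both checks against the sample export and a constructed temp tree."""
    with tempfile.TemporaryDirectory() as root:
        for d, f in (("Shared Docs", "winamp 7.0 full_install.exe"), ("Music", "song.mp3")):
            os.makedirs(os.path.join(root, d))
            open(os.path.join(root, d, f), "w").close()
        return registry_hits(SAMPLE_REG), [os.path.basename(p) for p in share_hits(root)]
```

On a live Windows host the same two functions would be fed the output of "reg export" and the root of each shared folder.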

Other

It creates the file sys.txt in the root directory of drive C:.

It attempts to detect antivirus program files on the computer and overwrite them with a copy of itself.

It also attempts to conduct DoS attacks on the following sites:

www.2f.hu
www.parlament.hu
www.virusbuster.hu
www.virushirado.hu
 

Copyright © 1996 - 2010
Kaspersky Lab