Other versions: .a, .b, .c
Email-Worm.Win32.Zafi.d (Kaspersky Lab)
is also known as:
W32.Erkez.D@mm (Symantec), Win32.HLLM.Hazafi.36864 (Doctor Web), W32/Zafi-D (Sophos), Win32/Zafi.D@mm (RAV), WORM_ZAFI.GEN (Trend Micro), Worm/Zafi.D (H+BEDV), W32/Zafi.D@mm (FRISK), I-Worm/Zafi.D (Grisoft), Win32.Zafi.D@mm (SOFTWIN), Worm.Zafi.D (ClamAV), W32/Zafi.D.worm (Panda), Win32/Zafi.D (Eset)
| Detection added | Dec 15 2004 |
| Description added | Dec 15 2004 |
| Behavior | Email Worm |
The worm spreads via the Internet as an attachment to infected messages, and
also via file-sharing networks.
It sends itself to email addresses harvested from the infected computer.
The worm itself is a Windows PE EXE file, approximately 12KB in size, packed
using FSG. The unpacked file is approximately 37KB in size.
The worm contains a backdoor.
Installation
Once launched, the worm displays the following dialogue box:
When installing, the worm copies itself to the Windows system directory as
'NortonUpdate.exe' and registers this file in the system registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Wxp4" = C:\WINDOWS\SYSTEM32\Norton Update.exe
This ensures a copy of the worm will be launched each time the infected machine
is rebooted.
The worm also creates files in the Windows system directory which have random
names, and a .dll extension.
For example:
%System%\csnhzdsb.dll
%System%\gzapvzry.dll
%System%\hrdkwxwu.dll
%System%\icvwceot.dll
Email addresses harvested from the victim machine are saved to these files.
Zafi.d also creates the following entry in the system registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wxp4]
Wxp4 is the worm's identifier, which flags its presence in the system.
Propagation via email
The worm harvests email addresses from the MS Windows address book, and also
from files with the following extensions:
adb
asp
dbx
eml
fpt
htm
inb
mbx
php
pmr
sht
tbb
txt
wab
All harvested addresses will be saved in the .dll files which the worm has
created in the Windows system directory.
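One way a responder could hunt for these address stores on a disk image, as an added example that is not part of Kaspersky's description: the files carry a .dll extension but are not PE images, and they hold lists of e-mail addresses. The eight-lowercase-letter name pattern is an assumption drawn from the four sample names above; the directory contents are constructed test data.

```python
import re
import tempfile
from pathlib import Path

# Assumed name pattern (from the sample names csnhzdsb.dll, gzapvzry.dll, ...):
# eight random lowercase letters followed by ".dll".
HARVEST_NAME = re.compile(r"^[a-z]{8}\.dll$")
# Simple e-mail address matcher for the file contents.
EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_pe_file(path: Path) -> bool:
    """A genuine DLL is a PE image and therefore starts with the 'MZ' DOS header."""
    with path.open("rb") as fh:
        return fh.read(2) == b"MZ"


def find_harvest_files(system_dir: Path, min_addresses: int = 3) -> list:
    """Return names of '.dll' files in system_dir that look like Zafi.d
    address stores: random 8-letter name, not a PE image, and containing
    at least min_addresses e-mail addresses."""
    hits = []
    for path in sorted(system_dir.iterdir()):
        if not path.is_file() or not HARVEST_NAME.match(path.name):
            continue
        if is_pe_file(path):
            continue  # a real library, not a text store
        if len(EMAIL.findall(path.read_bytes())) >= min_addresses:
            hits.append(path.name)
    return hits


def build_sample_system_dir() -> Path:
    """Constructed sample directory (not real malware output): a genuine-looking
    PE DLL, a Zafi.d-style address store, a near-miss with too few addresses,
    and a text file that does not carry the .dll extension."""
    d = Path(tempfile.mkdtemp(prefix="zafi_demo_"))
    (d / "mshtmled.dll").write_bytes(b"MZ" + b"\x00" * 62)
    (d / "csnhzdsb.dll").write_bytes(
        b"alice@example.org\r\nbob@example.net\r\ncarol@example.com\r\n")
    (d / "gzapvzry.dll").write_bytes(b"only@example.org\r\n")
    (d / "notes.txt").write_bytes(b"alice@example.org bob@example.net carol@example.com")
    return d


if __name__ == "__main__":
    print(find_harvest_files(build_sample_system_dir()))
```

On a live system the same check would be pointed at %System% (for example C:\WINDOWS\SYSTEM32) and combined with the Wxp4 registry marker described above.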
The worm does not send messages to addresses which contain the following text
strings:
admi
cafee
google
help
hotm
info
kasper
micro
msn
panda
secur
sopho
suppor
syman
trend
use
viru
webm
win
yaho
Zafi.d establishes a direct connection to the recipient's SMTP server in order
to send messages.
Infected messages
Infected messages are sent in a variety of languages. The language of the
infected messages is determined by the recipient's domain name.
Message subject (chosen from the list below):
Merry Christmas!
boldog karacsony...
Feliz Navidad!
ecard.ru
Christmas Kort!
Christmas Vykort!
Christmas Postkort!
Christmas postikorti!
Christmas - Kartki!
Weihnachten card.
Prettige Kerstdagen!
Christmas pohlednice
Joyeux Noel!
Buon Natale!
Message body (chosen from the list below):
- Happy HollyDays!
:) [Sender]
- Kellemes Unnepeket!
:) [Sender]
- Feliz Navidad!
:) [Sender]
- Glaedelig Jul!
:) [Sender]
- God Jul!
:) [Sender]
- Iloista Joulua!
:) [Sender]
- Naulieji Metai!
:) [Sender]
- Wesolych Swiat!
:) [Sender]
- Fröhliche Weihnachten!
:) [Sender]
- Prettige Kerstdagen!
:) [Sender]
- Veselé Vánoce!
:) [Sender]
- Joyeux Noel!
:) [Sender]
- Buon Natale!
:) [Sender]
Attachment name
The attachment name is randomly generated. It contains the word 'postcard'
in a language which corresponds to the recipient's domain name and a long string
of random characters. The attachment name will have one of the following extensions:
.bat
.cmd
.com
.pif
.zip
Propagation via local and file-sharing networks
Zafi.d copies itself to all folders whose names contain one of the
following text strings:
music
share
upload
The worm copies itself to these folders under a name chosen from the list
below:
winamp 5.7 new!.exe
ICQ 2005a new!.exe
For example:
c:\Program Files\Common Files\Microsoft Shared\ICQ 2005a new!.exe
Remote administration
The worm opens TCP port 8181 on the victim machine in order to receive commands.
The backdoor offers a malicious remote attacker full access to the infected
computer. In addition to this, files can be downloaded from the Internet and
launched on the victim machine.
Payload
Zafi.d attempts to detect and terminate firewall and antivirus applications
on infected machines, by overwriting the application files with a copy of itself.