Description
Win32.Zafi.B is a worm that spreads via e-mail using several different languages, including English, Hungarian and Russian. It is a 12,800-byte, FSG-packed Win32 executable.
Method of Infection
When executed, the worm makes two copies of itself in the %System% directory with randomly generated file names. One has the extension .exe and the other .dll. For example:
C:\WINDOWS\System32\PIVUJDSU.EXE
C:\WINDOWS\System32\FRUPKUPX.DLL
It creates this registry value to execute the worm each time Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\_Hazafibb = "%System%\<worm_executable>"
Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32.
The worm creates a mutex "_Hazafibb" to avoid running multiple instances of itself on the affected system.
Method of Distribution
Via E-mail
Zafi.B sends itself to e-mail addresses collected from the affected machine. It harvests e-mail addresses from files with extension htm, wab, txt, dbx, tbb, asp, php, sht, adb, mbx, eml or pmr on local fixed drives C, D, E, F, G and H.
When searching these files, it ignores addresses containing any of these strings:
win
use
info
help
admi
webm
micro
msn
hotm
suppor
syma
vir
trend
panda
yaho
cafee
sopho
google
kasper
It also searches the Windows Address Book (WAB) file, which it finds by checking this registry value:
HKCU\Software\Microsoft\WAB\WAB4\Wab File Name\(Default)
It creates five files in the %System% directory to store these addresses in. These files have randomly-generated names and the extension ".DLL".
E.g. "C:\WINDOWS\System32\gcwaaaaq.dll"
The worm uses its own SMTP engine to send e-mails. It carries several templates in different languages to format e-mails. The attachment has extension ".PIF", ".EXE" or ".COM".
Please see below for examples of e-mail generated by the worm:
Via Network Share
The worm copies itself to directories with "share" or "upload" in the directory name, assuming these directories are network shares, using these filenames:
winamp 7.0 full_install.exe
Total Commander 7.0 full_install.exe
Payload
Denies Application Execution
Zafi.B prevents the user from running applications whose filename contains any of the strings "regedit", "msconfig" or "task".
Denial Of Service Attack
The worm constantly sends empty HTTP GET requests to the following web sites:
'www.parlament.hu'
'www.virusbuster.hu'
'www.virushirado.hu'
'www.2f.hu'
For additional information:
The worm creates this registry key to keep track of its state:
HKLM\Software\Microsoft\_Hazafibb
The worm stores the following information under this key:
- the name of the infected system's registered owner
- default mail account
- local host IP address
- full paths to the worm's executable file and data files (with random names)
- full paths to the applications to which it blocks access.
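As an added example (not part of this analysis), the following Python triage script checks a Windows registry export (.reg text) for the two registry indicators described above: the Run value "_Hazafibb" and the state key HKLM\Software\Microsoft\_Hazafibb. The sample export is constructed for illustration; the key and value names come from this page.

```python
"""Triage a .reg export for the Win32.Zafi.B registry indicators
described on this page (Run value "_Hazafibb" and the state key
HKLM\\Software\\Microsoft\\_Hazafibb). Added example; the sample
export below is constructed, not captured from a real infection."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
STATE_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb"
# The worm's dropped copies have random 8-letter names ending in .exe/.dll.
RANDOM_NAME = re.compile(r"\\[A-Za-z]{8}\.(exe|dll)$", re.IGNORECASE)

# Constructed sample: one benign Run value plus the worm's persistence entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"_Hazafibb"="C:\\WINDOWS\\System32\\PIVUJDSU.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb]
"0"="Owner"
'''


def parse_reg_export(text):
    """Return {key_path_lowercase: {value_name: data}} for string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            # .reg files escape backslashes as "\\"; undo that for path checks.
            data = data.strip().strip('"').replace("\\\\", "\\")
            keys[current][name.strip().strip('"')] = data
    return keys


def find_zafi_indicators(reg_text):
    """Return human-readable findings; an empty list means nothing matched."""
    keys = parse_reg_export(reg_text)
    findings = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() == "_hazafibb":
            findings.append(f"Run value _Hazafibb -> {data}")
        elif RANDOM_NAME.search(data) and "system" in data.lower():
            findings.append(f"Run value {name} points to random-named file: {data}")
    if STATE_KEY.lower() in keys:
        findings.append("state key HKLM\\Software\\Microsoft\\_Hazafibb present")
    return findings


if __name__ == "__main__":
    for finding in find_zafi_indicators(SAMPLE_REG):
        print(finding)
```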
When run, the worm may also open the default browser and load a page chosen at random from those previously typed into Internet Explorer.
Analysis by Sha-Li Hsieh