Win32.Zafi.A@mm (W32.Erkez.A@mm, W32/Zafi-A, WORM_ZAFI.A)
SYMPTOMS:
- Presence of the following files in the %SYSTEM% folder: 7 files with random names, each name consisting of 8 random letters; six have the extension .dll and one has the extension .exe. Five of the .dll files store harvested e-mail addresses and are rather small (around 1 KB); the sixth .dll file and the .exe file are copies of the virus and are 11,776 bytes each.
- Presence of the following registry keys or entries:
  [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"%random1%"="%random2%.exe %random3%"]
  where %random1% and %random2% are names formed from 8 random characters and %random3% is a random letter. For example:
  [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"xqqnazkf"="%SYSTEM%\smnoynve.exe P"]
  [HKEY_LOCAL_MACHINE\Software\Microsoft\Hazafi]
  with entries R1 to R9 and RA, containing information about the infected computer and the exact names of the 7 files (6 .dll and 1 .exe).
- Presence in memory of a process called Link.

%WINDOWS% points to the Windows folder (or WinNT on Windows NT based systems); %SYSTEM% points to the "System" folder on Windows 9x systems and to the "System32" folder on Windows NT based systems.

TECHNICAL DESCRIPTION:
The virus arrives in an e-mail with the following format:

From: a spoofed e-mail address, or the default kepeslapok@meglep.hu
Subject: kepeslap erkezett! (Hungarian: "an e-card has arrived!")
Body (Hungarian, English translation below):
Tisztelt felhasználó! Önnek képeslapja érkezett! A képeslap feladója: A lapot az alábbi címen tudja megtekinteni: http//matav.hu/viewcard/index=psp4uo5683535GSb0123fhhf578840f0623cv2 vagy a mellékelt internetlink kattintásával. Üdvözlettel: Matav e-card! http//www.netezz.matav.hu/
(Dear user! You have received an e-card! The sender of the e-card: You can view the card at the address below: http//matav.hu/viewcard/index=psp4uo5683535GSb0123fhhf578840f0623cv2 or by clicking the attached internet link. Regards: Matav e-card! http//www.netezz.matav.hu/)
Attachment: link.matav.hu.viewcard.index42ADR4502HHJeTYWYJDF334GSDEv25546.com
The attachment is a .com executable whose file name mimics the "view card" URL in the body, so it passes for the promised link.

Once run, the virus does the following:
1. Checks whether the date is 1 May 2004 and, if it is, displays a message (the screenshot of the message box is not reproduced here).
2. Creates the 7 randomly named files described above in the %SYSTEM% folder.
3. Creates the registry keys described above.
4. Checks whether the computer is connected to the internet by attempting to contact google.com.
5. Attempts to terminate the following processes: zonalarm.exe, vbsntw.exe, vbcons.exe, pccguide.exe, outpost.exe, regedit.exe, regedit32.exe, navapw32.exe, pcciomon.exe, navdx.exe, navstub.exe, navw32.exe, nc2000.exe, ndd32.exe, netmon.exe, netarmor.exe, netinfo.exe, nmain.exe, nprotect.exe, ntvdm.exe, ostronet.exe, vsmain.exe, vsmon.exe, vsstat.exe, vbust.exe, mcagent.exe, fsav32.exe, fssm32.exe, fsm32.exe, fsbwsys.exe, fsgk32.exe, dfw.exe, tnbutil.exe, taskmgr.exe, winlogon.exe, fvprotect.exe.
6. Searches for e-mail addresses in files with the following extensions: htm, wab, txt, dbx, tbb, asp, php, sht, adb, mbx, eml, pmr, and skips files with the extensions: lnk, swp, ico, dll, vxd, mp3, wav, avi, mpg, zip, rar, exe, wmv, cab, pk3, jpg, gif, bmp. The addresses found are stored in the 5 randomly named .dll files in the %SYSTEM% folder.
7. Opens Internet Explorer on a recently typed URL.
8. Uses its own SMTP engine to send itself to the harvested e-mail addresses, skipping any address that contains one of the following strings: microsoft, vir, trendmicro, avp, f-prot, hotmail, gov, anti, panda, norton.

Removal instructions:
- Automatic removal: let BitDefender delete/disinfect the files found infected.
- Manual removal: terminate the Link process first, then delete the files and registry entries listed above. The order matters: while the worm is active it attempts to terminate taskmgr.exe and regedit.exe (step 5), and the Run entry would start it again at the next logon if the files were deleted but the process left running.

ANALYZED BY: Patrik Vicol, BitDefender Virus Researcher
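A host triage script for the indicators listed above, added here as an example; it is not BitDefender's removal tool and is not part of the original description. It assumes PowerShell 3 or later running elevated on a Windows host. The indicator values (8-letter file names, 11,776-byte copies, the Run entry whose data ends in ".exe" plus a single letter, the HKLM\Software\Microsoft\Hazafi key with values R1..R9 and RA, the process named Link) come from the description; the variable names, the 4 KB upper bound used to recognise the "around 1 kbytes" address-store files, and the additional SysWOW64 check for a 32-bit dropper on 64-bit Windows are my own assumptions.

```powershell
<#
  Triage/removal helper for the Win32.Zafi.A@mm indicators described on this page.
  Added example, not BitDefender's tool. Assumes PowerShell 3+ on Windows, run elevated.
  Usage:  .\zafi-triage.ps1          # report only
          .\zafi-triage.ps1 -Remove  # also kill the process and delete the artifacts
#>
param([switch]$Remove)

# Values from the description; the variable names and the 4 KB threshold are assumptions.
$CopySize = 11776                        # size of the .exe and of the 6th .dll (copies of the worm)
$StoreMax = 4096                         # address-store .dll files are "around 1 kbytes"
$NameRe   = '^[a-z]{8}$'                 # 8 random letters (-match is case-insensitive)
$RunKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$MarkKey  = 'HKLM:\Software\Microsoft\Hazafi'
$EmailRe  = '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'

# %SYSTEM% is System32; a 32-bit dropper on 64-bit Windows lands in SysWOW64 (assumption: WoW64 redirection).
$SystemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") | Where-Object { Test-Path $_ }

$findings = New-Object System.Collections.Generic.List[object]
function New-Finding($Kind, $Path, $Detail, $Id) {
    [pscustomobject]@{ Kind = $Kind; Path = $Path; Detail = $Detail; Id = $Id }
}

# 1. Marker key: the worm records the exact names of its 7 files in values R1..R9 and RA.
if (Test-Path $MarkKey) {
    $props  = (Get-ItemProperty $MarkKey).PSObject.Properties | Where-Object { $_.Name -match '^R[1-9A]$' }
    $detail = ($props | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    $findings.Add((New-Finding 'MarkerKey' $MarkKey $detail))
}

# 2. Run entry: value name = 8 letters, data = "<8 letters>.exe <one letter>", possibly path-prefixed.
if (Test-Path $RunKey) {
    foreach ($p in (Get-ItemProperty $RunKey).PSObject.Properties) {
        if ($p.Name -match $NameRe -and "$($p.Value)" -match '(^|\\)[a-z]{8}\.exe [a-z]$') {
            $findings.Add((New-Finding 'RunEntry' "$RunKey\$($p.Name)" $p.Value $p.Name))
        }
    }
}

# 3. Dropped files: 8-letter .dll/.exe in %SYSTEM%. 11,776 bytes = copy of the worm;
#    a small .dll containing e-mail addresses = one of the 5 harvested-address stores.
foreach ($dir in $SystemDirs) {
    $candidates = Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match $NameRe -and $_.Extension -in '.dll', '.exe' }
    foreach ($f in $candidates) {
        if ($f.Length -eq $CopySize) {
            $findings.Add((New-Finding 'WormCopy' $f.FullName "$($f.Length) bytes"))
        } elseif ($f.Extension -eq '.dll' -and $f.Length -le $StoreMax) {
            $text = Get-Content -Path $f.FullName -Raw -ErrorAction SilentlyContinue
            $n = [regex]::Matches("$text", $EmailRe).Count
            if ($n -gt 0) { $findings.Add((New-Finding 'AddressStore' $f.FullName "$n addresses")) }
        }
    }
}

# 4. Resident process named "Link".
foreach ($proc in (Get-Process -Name Link -ErrorAction SilentlyContinue)) {
    $findings.Add((New-Finding 'Process' $proc.Path "PID $($proc.Id)" $proc.Id))
}

if ($findings.Count -eq 0) { Write-Host 'No Zafi.A indicators found.'; return }
$findings | Format-Table Kind, Path, Detail -AutoSize

if ($Remove) {
    # Kill the process first: it tries to terminate taskmgr.exe/regedit.exe and the Run
    # entry would restart it; only then delete the files and the registry entries.
    $findings | Where-Object Kind -eq 'Process'  | ForEach-Object { Stop-Process -Id $_.Id -Force }
    $findings | Where-Object { $_.Kind -in 'WormCopy', 'AddressStore' } |
        ForEach-Object { Remove-Item -LiteralPath $_.Path -Force }
    $findings | Where-Object Kind -eq 'RunEntry' | ForEach-Object { Remove-ItemProperty -Path $RunKey -Name $_.Id }
    if (Test-Path $MarkKey) { Remove-Item -Path $MarkKey -Recurse -Force }
}
```

The report-only run is safe to use as a first check; the file-name and size criteria alone produce false positives on any 8-letter system file, so the script treats the Hazafi key, the Run entry pattern and the Link process as the confirming indicators and only acts on files that also match the size or the address-store content. If the Hazafi key is present, its R1..RA values give the exact names of the dropped files and should be compared against what the file scan reports before running with -Remove.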
