
Win32.Zafi.B@mm

Risk ratings (as given on the page): LOW, MEDIUM
Size: 12,800 bytes (packed with FSG)
Aliases: I-Worm.Zafi.B, Win32/Zafi.B worm

Symptoms

- Presence of the following files in the %SYSTEM% folder:
  - files with random names, each name composed of 8 random letters, with the extension .dll, and one with the extension .exe
  - most of the .dll files store harvested e-mail addresses and are small (around 1 KB)
  - one .dll file and the .exe file are copies of the virus, 12,800 bytes each

- Regedit, Task Manager and Task Monitor do not work (the virus blocks them; see step 2 of the technical description)

- Presence in memory of a process called "link" (the attachment names of most lures begin with "link.")

- When run, the virus opens Internet Explorer with a recently typed URL

- Presence of the following registry keys or entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"_Hazafibb"="%SYSTEM%\%random%.exe"]

where %random% is a name formed from 8 random characters

[HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb]

with entries b?, c?, d? containing information about the infected computer and the exact names of the .exe and .dll files, where ? may be any digit or capital letter (e.g. b1, bA, cA)

Here %WINDOWS% points to the Windows folder (or WinNT on Windows NT based systems) and %SYSTEM% points to the "System" folder on Windows 9x systems and the "System32" folder on Windows NT based systems.

Removal instructions:

- automatic removal: let BitDefender delete/disinfect the files found infected.

- manual cleanup: because the worm blocks regedit and the task managers while it runs (step 2 of the technical description), work from Safe Mode or an offline scan; remove the "_Hazafibb" value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, the key HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb, and the random-named 12,800-byte .exe/.dll copies and the small address-store .dll files in %SYSTEM% listed under Symptoms.

Analyzed By

Patrik Vicol BitDefender Virus Researcher

Technical Description:

The virus arrives via e-mail in one of the following message formats; the language of the message is chosen by the top-level domain of the recipient's address (for: .hu .sp .ru .dk .ro .se .no .fi .lt .pl .pt .de .nl .cz .fr .it).
The From: field is spoofed.


Subject: eIngyen SMS!
Body:
------------------------ hirdetés -----------------------------

A sikeres 777sms.hu és az axelero.hu támogatásával újra
indul az ingyenes sms küldő szolgáltatás! Jelenleg ugyan
korlátozott számban, napi 20 ingyen smst lehet felhasználni.
Küldj te is SMST! Nehány kattintás és a mellékelt regisztrációs
lap kitöltése után azonnal igénybevehető! Bővebb információt
a www.777sms.hu oldalon találsz, de siess, mert az első ezer
felhasználó között értékes nyereményeket sorsolunk ki!

------------------------ axelero.hu ---------------------------

(English: Subject "Free SMS!"; Body: "--- advertisement --- With the support of the successful 777sms.hu and axelero.hu, the free SMS-sending service is starting again! For now only in limited numbers: 20 free SMSs can be used per day. Send an SMS yourself! After a few clicks and filling in the attached registration form it can be used immediately! You will find more information at www.777sms.hu, but hurry, because valuable prizes will be drawn among the first thousand users! --- axelero.hu ---")

Attachment: regiszt.php?3124freesms.index777.pif



Subject: Importante!
Body: Informacion importante que debes conocer, -
(English: Subject "Important!"; Body: "Important information you should know, -")
Attachment: link.informacion.phpV23.text.message.pif



Subject: E-Kort!
Body: Mit hjerte banker for dig!
(English: Subject "E-card!"; Body: "My heart beats for you!")
Attachment: link.ekort.index.phpV7ab4.kort.pif



Subject: Ecard!
Body: De cand te-am cunoscut inima mea are un nou ritm!
(English: Body: "Since I met you, my heart has a new rhythm!")
Attachment: link.showcard.index.phpAv23.ritm.pif



Subject: E-vykort!
Body: Till min Alskade...
(English: Subject "E-postcard!"; Body: "To my beloved...")
Attachment: link.vykort.showcard.index.phpBn23.pif



Subject: E-Postkort!
Body: Vakre roser jeg sammenligner med deg...
(English: Subject "E-postcard!"; Body: "Beautiful roses I compare with you...")
Attachment: link.postkort.showcard.index.phpAe67.pif



Subject: E-postikorti!
Body: Iloista kesaa!
(English: Subject "E-postcard!"; Body: "Happy summer!")
Attachment: link.postikorti.showcard.index.phpGz42.pif



Subject: Atviruka!
Body: Linksmo gimtadieno!
(English: Subject "Postcard!"; Body: "Happy birthday!")
Attachment: link.atviruka.showcard.index.phpGz42.pif



Subject: E-Kartki!
Body: W Dniu imienin...
(English: Subject "E-cards!"; Body: "On your name day...")
Attachment: link.kartki.showcard.index.phpVg42.pif



Subject: Cartoe Virtuais!
Body: Te amo...
(English: Subject "Virtual cards!"; Body: "I love you...")
Attachment: link.cartoe.viewcard.index.phpYj39.pif



Subject: Flashcard fuer Dich!
Body: Hallo!

hat dir eine elektronische Flashcard geschickt.
Um die Flashcard ansehen zu koennen, benutze in deinem Browser
einfach den nun folgenden link:
http://flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34

Viel Spass beim Lesen wuenscht Ihnen ihr...

(English: Subject "Flashcard for you!"; Body: "Hello! ... has sent you an electronic Flashcard. To view the Flashcard, simply use the following link in your browser: http://flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34 Enjoy reading, wishes your...")

Attachment: link.flashcard.de.viewcard34.php.2672aB.pif




Subject: Er staat een eCard voor u klaar!
Body: Hallo!

heeft u een eCard gestuurd via de website nederlandse
taal in het basisonderwijs...
U kunt de kaart ophalen door de volgende url aan te klikken of te
kopiëren in uw browser link:
http://postkaarten.nl/viewcard.show53.index=04abD1

Met vriendelijke groet,
De redactie taalsite primair onderwijs...

(English: Subject "An eCard is waiting for you!"; Body: "Hello! ... has sent you an eCard via the website Dutch language in primary education... You can collect the card by clicking on the following URL or copying it into your browser link: http://postkaarten.nl/viewcard.show53.index=04abD1 Kind regards, The editors of the language site for primary education...")

Attachment: postkaarten.nl.link.viewcard.index.phpG4a62.pif



Subject: Elektronicka pohlednice!
Body: Ahoj!

Elektronická pohlednice ze serveru http://www.seznam.cz

(English: Subject "Electronic postcard!"; Body: "Hi! Electronic postcard from the server http://www.seznam.cz")

Attachment: link.seznam.cz.pohlednice.index.php2Avf3.pif



Subject: E-carte!
Body: vous a envoye une E-carte à partir du site zdnet.fr
Vous la trouverez, à l'adresse suivante link:
http://zdnet.fr/showcard.index.php34bs42
www.zdnet.fr, plus de 3500 cartes virtuelles, vos pages web
en 5 minutes, du dialogue en direct...

(English: Subject "E-card!"; Body: "... has sent you an E-card from the site zdnet.fr. You will find it at the following address link: http://zdnet.fr/showcard.index.php34bs42 www.zdnet.fr, more than 3500 virtual cards, your web pages in 5 minutes, live chat...")

Attachment: link.zdnet.fr.ecarte.index.php34b31.pif



Subject: Ti e stata inviata una Cartolina Virtuale!
Body: Ciao!

ha visitato il nostro sito, cartolina.it e ha creato una
cartolina virtuale per te! Per vederla devi fare click
sul link sottostante: http://cartolina.it/asp.viewcard=index4g345a
Attenzione, la cartolina sara visibile sui nostri server per
2 giorni e poi verra rimossa automaticamente.

(English: Subject "A Virtual Postcard has been sent to you!"; Body: "Hi! ... visited our site, cartolina.it, and created a virtual postcard for you! To see it you must click on the link below: http://cartolina.it/asp.viewcard=index4g345a Attention, the postcard will be visible on our servers for 2 days and then removed automatically.")

Attachment: link.cartoline.it.viewcard.index.4g345a.pif



Subject: You`ve got 1 VoiceMessage!
Body: Dear Customer!

You`ve got 1 VoiceMessage from voicemessage.com website!
Sender:
You can listen your Virtual VoiceMessage at the following link:
http://virt.voicemessage.com/index.listen.php2=35affv
or by clicking the attached link.

Send VoiceMessage! Try our new virtual VoiceMessage Empire!
Best regards: SNAF.Team (R).

Attachment: link.voicemessage.com.listen.index.php1Ab2c.pif



Subject: Tessek mosolyogni!!!
Body: Ha ez a kép sem tud felviditani, akkor feladom!

Sok puszi:

(English: Subject "Please smile!!!"; Body: "If even this picture cannot cheer you up, then I give up! Lots of kisses:")

Attachment: meztelen csajok fociznak.flash.jpg.pif (English: "naked girls playing football")



Subject: Soxor Csok!
Body: Szia!

Aranyos vagy, jó volt dumcsizni veled a neten!
Remélem tetszem, és szeretném ha te is küldenél képet
magadról, addig is csók:

(English: Subject "Lots of kisses!"; Body: "Hi! You are cute, it was nice chatting with you on the net! I hope you like me, and I would like you to send a picture of yourself too; until then, kisses:")

Attachment: anita.image043.jpg.pif



Subject: Don`t worry, be happy!
Body: Hi Honey!

I`m in hurry, but i still love ya...
(as you can see on the picture)

Bye - Bye:

Attachment: www.ecard.com.funny.picture.index.nude.php356.pif



Subject: Check this out kid!!!
Body: Send me back bro, when you`ll be done...(if you know what i mean...)

See ya,

Attachment: jennifer the wild girl xxx07.jpg.pif
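Every lure above delivers a .pif attachment (Windows runs a .pif like an executable), usually with a decoy document or image extension in front of the real one, and a subject taken from a fixed list. The following mail-gateway check is an added example, not Bitdefender code: it parses a message with Python's standard email module and flags those three signals. The two sample messages are constructed here for the demonstration and are not captured samples.

```python
"""Mail-gateway check for the Zafi.B lures listed above.

Added example, not Bitdefender code. A message is flagged when its
attachment has the .pif extension used by every lure on this page, when
the attachment name carries a decoy document/image extension before the
real one (e.g. ".jpg.pif"), or when the subject is one of the lure
subjects. The two sample messages are constructed here for the demo;
they are not captured samples.
"""
import email
import re
from email import policy

# Subject lines copied from the lure list on this page.
ZAFI_B_SUBJECTS = {
    "eIngyen SMS!", "Importante!", "E-Kort!", "Ecard!", "E-vykort!",
    "E-Postkort!", "E-postikorti!", "Atviruka!", "E-Kartki!",
    "Cartoe Virtuais!", "Flashcard fuer Dich!",
    "Er staat een eCard voor u klaar!", "Elektronicka pohlednice!",
    "E-carte!", "Ti e stata inviata una Cartolina Virtuale!",
    "You`ve got 1 VoiceMessage!", "Tessek mosolyogni!!!", "Soxor Csok!",
    "Don`t worry, be happy!", "Check this out kid!!!",
}

# Every lure on the page delivers a .pif (Windows runs a PIF like an .exe).
EXECUTABLE_EXTS = {"pif"}
# Decoy extensions that appear before the real .pif extension in the lures.
DECOY_RE = re.compile(r"\.(jpe?g|gif|png|php|html?|txt|doc)", re.IGNORECASE)


def attachment_findings(filename):
    """Return the reasons a single attachment name looks like a Zafi.B lure."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in EXECUTABLE_EXTS:
        findings.append("executable attachment (.%s)" % ext)
        # Strip the real extension, then look for a decoy one in what is left.
        if DECOY_RE.search(filename[: -len(ext) - 1]):
            findings.append("decoy extension before .%s" % ext)
    return findings


def attachment_names(msg):
    """Collect the declared file names of all MIME parts."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def scan_message(raw):
    """Scan one RFC 822 message (as a string) and return a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    subject = str(msg.get("subject", "")).strip()
    if subject in ZAFI_B_SUBJECTS:
        findings.append("known Zafi.B subject: %r" % subject)
    for name in attachment_names(msg):
        findings.extend(attachment_findings(name))
    return findings


# Constructed sample: one of the Hungarian lures above, with a dummy payload.
SAMPLE_LURE = """\
From: anita@example.invalid
To: victim@example.hu
Subject: Soxor Csok!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Szia!
--b1
Content-Type: application/octet-stream; name="anita.image043.jpg.pif"
Content-Disposition: attachment; filename="anita.image043.jpg.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Attached as discussed.
--b2
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE_LURE))
    print(scan_message(SAMPLE_BENIGN))
```

The subject list is the weakest of the three signals (a variant only has to change the strings); the extension checks survive that, which is why a gateway of the period would normally block .pif attachments outright rather than match on lure text.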




Once the attachment has been executed, the virus will do the following:

1. Creates the mutex _Hazafibb (used to ensure only one instance runs)

2. Prevents execution of processes whose name contains regedit, msconfig or task (e.g. regedit, taskman, taskmon, mstask, msconfig)

3. Deletes the following files from the Windows folder: fvprotect.exe, winlogon.exe, services.exe, jammer2nd.exe. These are file names used by other mass-mailing worms of the period (Netsky variants); the legitimate winlogon.exe and services.exe live in %SYSTEM%, not %WINDOWS%, so the deletion targets competing worm copies rather than system files.

4. Checks whether the computer is connected to the Internet by attempting to contact google.com or microsoft.com

5. Searches for e-mail addresses in files with the following extensions: htm, wab, txt, dbx, tbb, asp, php, sht, adb, mbx, eml, pmr

6. Skips e-mail addresses containing any of: win, use, info, help, admi, webm, micro, msn, hotm, suppor, syma, vir, trend, panda, yaho, cafee, sopho, google, kasper, msn, office, nero, icq, game, winra, winzi, divx, movie, total, wina (mostly vendor, administrative and anti-virus mailboxes)

7. Stores the harvested e-mail addresses in random-named .dll files in the %SYSTEM% folder

8. Creates the following registry key and entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"_Hazafibb"="%SYSTEM%\%random%.exe"]

9. Uses its own SMTP engine to send itself to the harvested addresses. It attempts to obtain an SMTP server address by prefixing smtp., mx. and similar labels to the domain of the harvested address, or falls back to a default SMTP address.

10. Creates copies of the virus in folders whose name contains "share" or "upload" (typical peer-to-peer shared folders), as winamp 7.0 full_install.exe and/or Total Commander 7.0 full_install.exe

11. Creates a thread that attempts to flood (denial of service) the following sites: www.parlament.hu, www.virusbuster.hu, www.virushirado.hu, www.2f.hu

12. May create the files C:\SYS.TXT and _upload.exe

13. The virus contains the following string:

A hajlektalanok elhelyezeset, a bunteto torvenyek szigoritasat, es a HALALBUNTETES MEGSZAVAZASAT koveteljuk a kormanytol, a novekvo bunozes ellen!2004, jun, Pecs,(SNAF Team).

(English: "We demand from the government the housing of the homeless, the tightening of the criminal laws, and the VOTING IN OF THE DEATH PENALTY, against the growing crime! 2004, June, Pécs, (SNAF Team).")
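The host indicators from the Symptoms section and from steps 1, 7 and 8 above (8-letter random file names of 12,800 bytes in %SYSTEM%, the small address-store .dll files, the _Hazafibb Run value and registry key, and the _Hazafibb mutex) can be checked with the following triage script. It is an added example, not Bitdefender's detection or removal tool. The matching functions are pure and run on constructed listings on any OS; collect_windows() gathers the live data and only runs on Windows, using the standard-library winreg module and CreateMutexW from kernel32. The 2 KB size limit for address stores is an assumption based on the page's "around 1 kbytes".

```python
"""Host triage for the Zafi.B indicators listed on this page.

Added example; this is not Bitdefender's detection or removal code. The
matching functions are pure and run on constructed listings on any OS;
collect_windows() gathers the real listings and runs only on Windows,
using winreg (standard library) and CreateMutexW from kernel32. Sizes
and names come from the page; the 2 KB address-store threshold is an
assumption based on "around 1 kbytes".
"""
import re
import sys

COPY_SIZE = 12_800             # size of the (FSG-packed) worm body, from the page
STORE_MAX_SIZE = 2048          # assumption: address-store .dll files are "around 1 kbytes"
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{8}\.(exe|dll)$")
RUN_VALUE_NAME = "_Hazafibb"
MUTEX_NAME = "_Hazafibb"
INFO_VALUE_RE = re.compile(r"^[bcd][0-9A-Z]$")   # b?, c?, d? entries under Software\Microsoft\_Hazafibb
ERROR_ALREADY_EXISTS = 183


def classify_system_entries(entries):
    """entries: iterable of (filename, size) for files in %SYSTEM%.
    Returns names that look like worm copies and like harvested-address stores."""
    copies, stores = [], []
    for name, size in entries:
        if not RANDOM_NAME_RE.match(name):
            continue
        if size == COPY_SIZE:
            copies.append(name)
        elif name.lower().endswith(".dll") and size <= STORE_MAX_SIZE:
            stores.append(name)
    return {"worm_copies": sorted(copies), "address_stores": sorted(stores)}


def classify_run_values(run_values):
    """run_values: {value name: data} from HKLM\\...\\CurrentVersion\\Run."""
    hits = []
    for name, data in run_values.items():
        target = re.split(r"[\\/]", str(data))[-1]
        if name == RUN_VALUE_NAME:
            hits.append((name, data, "persistence value name matches"))
        elif RANDOM_NAME_RE.match(target) and target.lower().endswith(".exe"):
            hits.append((name, data, "Run value points at an 8-letter random-named exe"))
    return hits


def classify_info_values(value_names):
    """value_names: names under HKLM\\Software\\Microsoft\\_Hazafibb ([] if the key is absent)."""
    return sorted(v for v in value_names if INFO_VALUE_RE.match(v))


def assess(entries, run_values, info_value_names, mutex_present):
    """Combine the indicators into one report; 'infected' needs a definite signal."""
    report = classify_system_entries(entries)
    report["run_hits"] = classify_run_values(run_values)
    report["info_values"] = classify_info_values(info_value_names)
    report["mutex_present"] = mutex_present
    report["infected"] = bool(
        report["worm_copies"]
        or any(hit[0] == RUN_VALUE_NAME for hit in report["run_hits"])
        or report["info_values"]
        or mutex_present
    )
    return report


def collect_windows():
    """Gather the live indicators; Windows only."""
    import ctypes
    import os
    import winreg

    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    entries = [(e.name, e.stat().st_size) for e in os.scandir(system_dir) if e.is_file()]

    def values(path):
        out = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break          # no more values
                    out[name] = data
                    i += 1
        except OSError:
            pass                       # key absent
        return out

    run_values = values(r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    info_names = list(values(r"SOFTWARE\Microsoft\_Hazafibb"))
    # CreateMutexW succeeds whether or not the name exists; ERROR_ALREADY_EXISTS
    # after the call means another process (the worm) already holds it.
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateMutexW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.CreateMutexW(None, False, MUTEX_NAME)
    mutex_present = ctypes.get_last_error() == ERROR_ALREADY_EXISTS
    if handle:
        k32.CloseHandle(handle)
    return entries, run_values, info_names, mutex_present


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("collect_windows() needs Windows; call assess() on saved listings elsewhere")
    print(assess(*collect_windows()))
```

Run it from a tool the worm does not block (it kills anything whose name contains regedit, msconfig or task), and on 64-bit Windows use a 64-bit Python so winreg reads the native registry view rather than the WOW64 one. The Run-value heuristic that looks for an 8-letter random-named .exe is reported but does not by itself set "infected", since legitimate 8-letter program names exist.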