Win32.Zafi.B@mm (I-Worm.Zafi.B, Win32/Zafi.B worm)
SYMPTOMS:
- Presence of the following files in the %SYSTEM% folder: files with random names (each name is composed of 8 random letters), with the extension .dll and one with the extension .exe. Most of the .dll files store e-mail addresses and are rather small (around 1 kbyte); one .dll file and the .exe file are copies of the virus and are 12,800 bytes each.
- Regedit, Task Manager and Task Monitor don't work.
- Presence in memory of a process called "link".
- When run, the virus opens Internet Explorer with a recently typed URL.
- Presence of the following registry keys or entries:
  [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"_Hazafibb"="%SYSTEM%\%random%.exe"]
  where %random% is a name formed from 8 random characters;
  [HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb]
  with entries b?, c?, d?, containing information about the infected computer and the exact names of the .exe and .dll files, where ? may be any digit or capital letter (e.g. b1, bA, cA).
%WINDOWS% points to the Windows folder (or WinNT on Windows NT based systems); %SYSTEM% points to the "System" folder on Windows 9x systems and to the "System32" folder on WinNT systems.

TECHNICAL DESCRIPTION:
The virus arrives via e-mail in the following formats (for: .hu .sp .ru .dk .ro .se .no .fi .lt .pl .pt .de .nl .cz .fr .it). The From: field is spoofed.

Subject: eIngyen SMS!
Body:
------------------------ hirdetés -----------------------------
A sikeres 777sms.hu és az axelero.hu támogatásával újra indul az ingyenes sms küldő szolgáltatás! Jelenleg ugyan korlátozott számban, napi 20 ingyen smst lehet felhasználni. Küldj te is SMST! Nehány kattintás és a mellékelt regisztrációs lap kitöltése után azonnal igénybevehető! Bővebb információt a www.777sms.hu oldalon találsz, de siess, mert az első ezer felhasználó között értékes nyereményeket sorsolunk ki!
------------------------ axelero.hu ---------------------------
Attachment: regiszt.php?3124freesms.index777.pif

Subject: Importante!
Body: Informacion importante que debes conocer,
Attachment: link.informacion.phpV23.text.message.pif

Subject: E-Kort!
Body: Mit hjerte banker for dig!
Attachment: link.ekort.index.phpV7ab4.kort.pif

Subject: Ecard!
Body: De cand te-am cunoscut inima mea are un nou ritm!
Attachment: link.showcard.index.phpAv23.ritm.pif

Subject: E-vykort!
Body: Till min Alskade...
Attachment: link.vykort.showcard.index.phpBn23.pif

Subject: E-Postkort!
Body: Vakre roser jeg sammenligner med deg...
Attachment: link.postkort.showcard.index.phpAe67.pif

Subject: E-postikorti!
Body: Iloista kesaa!
Attachment: link.postikorti.showcard.index.phpGz42.pif

Subject: Atviruka!
Body: Linksmo gimtadieno!
Attachment: link.atviruka.showcard.index.phpGz42.pif

Subject: E-Kartki!
Body: W Dniu imienin...
Attachment: link.kartki.showcard.index.phpVg42.pif

Subject: Cartoe Virtuais!
Body: Te amo...
Attachment: link.cartoe.viewcard.index.phpYj39.pif

Subject: Flashcard fuer Dich!
Body: Hallo! hat dir eine elektronische Flashcard geschickt. Um die Flashcard ansehen zu koennen, benutze in deinem Browser einfach den nun folgenden link: http://flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34 Viel Spass beim Lesen wuenscht Ihnen ihr...
Attachment: link.flashcard.de.viewcard34.php.2672aB.pif

Subject: Er staat een eCard voor u klaar!
Body: Hallo! heeft u een eCard gestuurd via de website nederlandse taal in het basisonderwijs... U kunt de kaart ophalen door de volgende url aan te klikken of te kopiëren in uw browser link: http://postkaarten.nl/viewcard.show53.index=04abD1 Met vriendelijke groet, De redactie taalsite primair onderwijs...
Attachment: postkaarten.nl.link.viewcard.index.phpG4a62.pif

Subject: Elektronicka pohlednice!
Body: Ahoj! Elektronická pohlednice ze serveru http://www.seznam.cz
Attachment: link.seznam.cz.pohlednice.index.php2Avf3.pif

Subject: E-carte!
Body: vous a envoye une E-carte à partir du site zdnet.fr Vous la trouverez, l'adresse suivante link: http://zdnet.fr/showcard.index.php34bs42 www.zdnet.fr, plus de 3500 cartes virtuelles, vos pages web en 5 minutes, du dialogue en direct...
Attachment: link.zdnet.fr.ecarte.index.php34b31.pif

Subject: Ti e stata inviata una Cartolina Virtuale!
Body: Ciao! ha visitato il nostro sito, cartolina.it e ha creato una cartolina virtuale per te! Per vederla devi fare click sul link sottostante: http://cartolina.it/asp.viewcard=index4g345a Attenzione, la cartolina sara visibile sui nostri server per 2 giorni e poi verra rimossa automaticamente.
Attachment: link.cartoline.it.viewcard.index.4g345a.pif

Subject: You`ve got 1 VoiceMessage!
Body: Dear Customer! You`ve got 1 VoiceMessage from voicemessage.com website! Sender: You can listen your Virtual VoiceMessage at the following link: http://virt.voicemessage.com/index.listen.php2=35affv or by clicking the attached link. Send VoiceMessage! Try our new virtual VoiceMessage Empire! Best regards: SNAF.Team (R).
Attachment: link.voicemessage.com.listen.index.php1Ab2c.pif

Subject: Tessek mosolyogni!!!
Body: Ha ez a kép sem tud felviditani, akkor feladom! Sok puszi:
Attachment: meztelen csajok fociznak.flash.jpg.pif

Subject: Soxor Csok!
Body: Szia! Aranyos vagy, jó volt dumcsizni veled a neten! Remélem tetszem, és szeretném ha te is küldenél képet magadról, addig is csók:
Attachment: anita.image043.jpg.pif

Subject: Don`t worry, be happy!
Body: Hi Honey! I`m in hurry, but i still love ya... (as you can see on the picture) Bye - Bye:
Attachment: www.ecard.com.funny.picture.index.nude.php356.pif

Subject: Check this out kid!!!
Body: Send me back bro, when you`ll be done...(if you know what i mean...) See ya,
Attachment: jennifer the wild girl xxx07.jpg.pif

Once the attachment has been executed, the virus does the following:
1. Creates the mutex _Hazafibb.
2. Prevents execution of processes whose names contain: regedit, msconfig, task (e.g. regedit, taskman, taskmon, mstask, msconfig).
3. Deletes the following files from the Windows folder: fvprotect.exe, winlogon.exe, services.exe, jammer2nd.exe.
4. Checks whether the computer is connected to the Internet by attempting to contact google.com or microsoft.com.
5. Searches for e-mail addresses in files with the extensions: htm, wab, txt, dbx, tbb, asp, php, sht, adb, mbx, eml, pmr.
6. Avoids e-mail addresses containing: win, use, info, help, admi, webm, micro, msn, hotm, suppor, syma, vir, trend, panda, yaho, cafee, sopho, google, kasper, msn, office, nero, icq, game, winra, winzi, divx, movie, total, wina.
7. Stores the found e-mail addresses in randomly named .dll files in the %SYSTEM% folder.
8. Creates the registry key and entries:
   [HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb]
   [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"_Hazafibb"="%SYSTEM%\%random%.exe"]
9. Uses its own SMTP engine to send itself to the harvested addresses. It attempts to obtain an SMTP server address by prepending smtp. or mx. etc. to the domain of the harvested address, or uses a default SMTP address.
10. Creates copies of the virus in folders whose names contain "share" or "upload", as winamp 7.0 full_install.exe and/or Total Commander 7.0 full_install.exe.
11. Creates a thread that attempts to flood: www.parlament.hu, www.virusbuster.hu, www.virushirado.hu, www.2f.hu.
12. May create the files C:\SYS.TXT and _upload.exe.
13. The virus contains the following string: A hajlektalanok elhelyezeset, a bunteto torvenyek szigoritasat, es a HALALBUNTETES MEGSZAVAZASAT koveteljuk a kormanytol, a novekvo bunozes ellen!2004, jun, Pecs,(SNAF Team).

Removal instructions:
- automatic removal: let BitDefender delete/disinfect the files found infected.

ANALYZED BY: Patrik Vicol, BitDefender Virus Researcher
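The lure templates above translate directly into a mail-gateway triage rule. The following is an added example, not BitDefender's code: it holds any .pif attachment for review and blocks outright when the subject is one of the listed lures or the attachment name carries the fake link/script/picture stem the worm uses. The subject list and the sample messages come from the description; the DECOY_STEM_RE pattern, the verdict names and the function names are my own assumptions.

```python
import re

# Subject lines of the Zafi.B lure mails, copied from the description above.
ZAFI_B_SUBJECTS = {
    "eIngyen SMS!", "Importante!", "E-Kort!", "Ecard!", "E-vykort!",
    "E-Postkort!", "E-postikorti!", "Atviruka!", "E-Kartki!",
    "Cartoe Virtuais!", "Flashcard fuer Dich!", "E-carte!",
    "Er staat een eCard voor u klaar!", "Elektronicka pohlednice!",
    "Ti e stata inviata una Cartolina Virtuale!", "You`ve got 1 VoiceMessage!",
    "Tessek mosolyogni!!!", "Soxor Csok!", "Don`t worry, be happy!",
    "Check this out kid!!!",
}

# Every attachment in the description is a .pif whose stem imitates a link,
# script or picture, e.g. "link.ekort.index.phpV7ab4.kort.pif" or "anita.image043.jpg.pif".
PIF_RE = re.compile(r"\.pif$", re.IGNORECASE)
DECOY_STEM_RE = re.compile(
    r"(^link\.|\.(php|jpg|index|flash)\b|\.(com|de|nl|cz|fr|it|hu)\.)", re.IGNORECASE)

def classify(subject, attachment):
    """Return 'block', 'review' or 'pass' for one inbound (subject, attachment name)."""
    pif = bool(PIF_RE.search(attachment))
    lure_subject = subject.strip() in ZAFI_B_SUBJECTS
    if pif and (lure_subject or DECOY_STEM_RE.search(attachment)):
        return "block"
    if pif or lure_subject:
        return "review"  # a lone .pif, or a lure subject with another attachment: hold for a human
    return "pass"

def triage(messages):
    """Count verdicts over (subject, attachment) pairs, e.g. read from a gateway log."""
    counts = {"block": 0, "review": 0, "pass": 0}
    for subject, attachment in messages:
        counts[classify(subject, attachment)] += 1
    return counts

# Constructed sample traffic: four lures from the description plus two other mails.
SAMPLE = [
    ("E-Kort!", "link.ekort.index.phpV7ab4.kort.pif"),
    ("Soxor Csok!", "anita.image043.jpg.pif"),
    ("You`ve got 1 VoiceMessage!", "link.voicemessage.com.listen.index.php1Ab2c.pif"),
    ("Check this out kid!!!", "jennifer the wild girl xxx07.jpg.pif"),
    ("Build notes", "setup.pif"),
    ("Quarterly report", "report.pdf"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))  # {'block': 4, 'review': 1, 'pass': 1}
```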
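A host-side check for the SYMPTOMS section, added here as an example that is not part of the original description: it applies the 8-random-letter name pattern and the 12,800-byte / around-1-kbyte sizes to %SYSTEM% entries and looks for the _Hazafibb Run value. The ADDRESS_STORE_MAX threshold, the function names and the sample data are my own assumptions.

```python
import os
import re

# The worm's own files are 8 random letters plus .exe/.dll (see SYMPTOMS above).
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{8}\.(exe|dll)$", re.IGNORECASE)
WORM_COPY_SIZE = 12_800      # size of the worm body stated in the description
ADDRESS_STORE_MAX = 2_048    # assumed cap; the address .dll files are "around 1 kbytes"
RUN_VALUE = "_Hazafibb"      # Run value name (also the HKLM\Software\Microsoft subkey name)

def classify_entry(name, size):
    """Verdict for one %SYSTEM% directory entry, or None if it does not match.
    Many legitimate DLLs also have 8-letter names (setupapi.dll, imagehlp.dll),
    so the name pattern alone is not enough: the size gate does the filtering."""
    if not RANDOM_NAME_RE.match(name):
        return None
    if size == WORM_COPY_SIZE:
        return "worm-copy"
    if name.lower().endswith(".dll") and size <= ADDRESS_STORE_MAX:
        return "harvested-address-store"
    return None

def check_run_values(run_values):
    """run_values maps value name -> data under HKLM\\...\\CurrentVersion\\Run.
    Flags the "_Hazafibb" value and any value that starts an 8-random-letter .exe."""
    hits = []
    for value, data in run_values.items():
        target = re.split(r"[\\/]", data)[-1]   # basename, whatever the separator
        if value == RUN_VALUE or RANDOM_NAME_RE.match(target):
            hits.append(f"{value}={data}")
    return hits

def scan_system_dir(path):
    """Apply classify_entry to a real directory, e.g. C:\\Windows\\System32."""
    hits = {}
    with os.scandir(path) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False):
                verdict = classify_entry(entry.name, entry.stat().st_size)
                if verdict:
                    hits[entry.name] = verdict
    return hits

if __name__ == "__main__":
    # Constructed example data; on a Windows host you would read the real Run key
    # with winreg and call scan_system_dir(os.environ["SystemRoot"] + r"\System32").
    print(classify_entry("qwertyui.exe", 12800))  # worm-copy
    print(check_run_values({"_Hazafibb": r"%SYSTEM%\qwertyui.exe",
                            "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}))
```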