My Bitdefender
  • 0 Shopping Cart


Facebook Twitter Google Plus


11 KB
(W32/Zafi.d@MM, Email-Worm.Win32.Zafi.d,)


- Presence of the next files in %SYSTEM% folder:

Files with random names, the name is composed of 8 random letters, files with extension .dll and one with extension .exe: Norton Update.exe
Most of the .dll files store e-mail addresses and are rather small in size (around 1 kbytes)
a .dll file and the .exe file are copies of the virus, and have 11,745 bytes each

Regedit, Task Manager, Task Monitor don\'t work (they are disabled by the worm)

When run, the virus opens a fake error box with the text:

"Error in packed file!"

- Presence of the next registry keys or entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Wxp4"="%SYSTEM%\Norton Update.exe"]


with entries b? c? d?, containing information about the infected computer and the exact names of the exe and dll files; where ? may be any digit or capital letter (eg: b1, bA, cA, etc)

where %WINDOWS% points to Windows folder (or WinNT on Windows NT based systems)
%SYSTEM% points to "System" folder on Windows 9x systems and "System32" folder on WinNT systems.

Removal instructions:

- automatic removal: let BitDefender delete/disinfect files found infected.

Analyzed By

Mihai Neagu and Patrick Vicol

Technical Description:

The virus arrives via e-mail, in the following formats (for: .hu .de .nl .cz .fr .it .com .ru)

From: spoofed

Subject: one of:
Christmas Kort!
Christmas Vykort!
Christmas Postkort!
Christmas postikorti!
Christmas Atviruka!
Christmas - Kartki!
Weihnachten card.
Prettige Kerstdagen!
Christmas pohlednice

Body: a Christmas card with yellow stars and the following message at the bottom:

Picture Size: 11 KB, Mail: +OK

Once the attachment has been executed, the virus will do the following:

1. Creates the "Wxp4" mutex so as not to be run multiple times

2. Prevents execution of the processes containing: reged, msconfig, task, (eg: regedit, taskman, taskmon, mstask, msconfig)

3. Searches for e-mail addresses in files matching: htm,wab,txt,dbx,tbb,asp,php,sht,adb,mbx,eml,pmr,fpt,inb

4. Avoids e-mail addresses containing: yaho,google,win,use,info,help,admi,webm,micro,msn,hotm,suppor,syman,viru,trend,secur,panda,cafee,sopho,kasper

5. Stores found e-mail addresses in random named dll files in %SYSTEM% folder

6. Creates registry key and entries:


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Wxp4"="%SYSTEM%\Norton Update.exe"]

7. Uses it's own SMTP engine to send itself to harvested e-mails. Attempts to obtain a smtp server address by adding smtp. or mx. etc to the domain from the harvested address or uses a default smtp address.

8. Creates copies of the virus in folders containing "share", "upload" or "music, as "winamp 5.7 new!.exe" and/or "ICQ 2005a new!.exe"

9. May create file c:\