Email-Worm:W32/Zafi.D

Classification

Category :

Malware

Type :

Email-Worm

Aliases :

W32/Zafi.D@mm, Email-Worm.Win32.Zafi.d

Summary

This type of worm is embedded in an email attachment, and spreads using the infected computer's emailing networks.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Email-Worm:W32/Zafi.D distributes copies of its worm code in an email file attachment. Unlike the first Zafi.A variant, Zafi.D uses email messages that are in English, Italian, Spanish, Russian, Swedish and several other languages.

The emails contain Christmas wish messages. The attachments are files that use PIF, CMD, BAT, COM or ZIP extensions. If executed, the worm can display a decoy message in a message box saying:

  • "Error in packed file!"

The worm code itself is in FSG! packed form 11745 bytes in size. The body unpacks to around 30 KiB of hand-written assembly code.

Infection

When Zafi.D is started it copies itself to the Windows System Directory with a random .DLL name and "Norton Update.exe". The .EXE file is added to the registry key

  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Wxp4" = "%System%\Norton Update.exe"

Zafi.D also creates a mutex named "Wxp4" to make sure only one copy of the worm is run at any one time.

Several additional files are created in the System Directory with random names and the .DLL extension. The worm keeps its internal data in those.Zafi.D enumerates all the directories in the system and copies itself to the ones that contain 'share', 'upload' or 'music' in their name, using the file names "winamp 5.7 new!.exe" or "ICQ 2005a new!.exe".

Payload

Zafi.D terminates any application that has the words 'firewall' or 'virus' in it. These files are overwritten with a copy of the worm.

Several Windows tools, like Task Manager, Registry Editor are disabled when the worm is active. Zafi.D opens these files with exclusive locking to prevent anything else from opening them.

Zafi.D has a backdoor that listens on port 8181. The worm can upload and execute file using the backdoor.

Propagation

Zafi.D looks into the Windows Address Book and different files and tries to gather all email addresses listed. Files with the following extensions are checked:

  • htm
  • wab
  • txt
  • dbx
  • tbb
  • asp
  • php
  • sht
  • adb
  • mbx
  • eml
  • pmr
  • fpt
  • inb

Using its own SMTP engine the worm sends messages to the harvested email addresses, with its infectious code attached. The messages can be n many different languages. It can use different SMTP relays for sending its messages depending on the language.

For email addresses in the following country domains, the worms sends messages in the respective country's language:

  • .hu - Hungarian
  • .sp
  • .ru - Russian
  • .dk - Danish
  • .ro - Românian
  • .se - Swedish
  • .no - Norwegian
  • .fi - Finnish
  • .lt - Lithuanian
  • .pl - Polish
  • .pt - Portuguese
  • .de - German
  • .nl - Dutch
  • cz - Czech
  • .fr - French
  • .it - Italian
  • .mx - Mexican
  • .at - Austrian
  • .es - Spanish

The message is a simple christmas wish. Following text is an example of english message:

Sender: Pamela M.
 
Subject: Merry Christmas!
 
Happy HollyDays!
 
:)[Sender]

The Sender name is used as a fallback if the email address doesn't have it.

Other language versions are as follows

Sender: T. Maria

Subject: boldog karacsony...

 
Kellemes Unnepeket!

:) 
[Sender] Sender: N. Fernandez

Subject: Feliz Navidad!Feliz Navidad!:) [Sender] 
Sender: V. Tatyana

Subject: ecard.ru:) [Sender]
Sender: V. Jensen
 
Subject: Christmas Kort!

Glaedelig Jul!:) [Sender] 
Sender: J. Andersson
 
Subject: Christmas Vykort!

God Jul!:)[Sender]Sender: M. Emma
 
Subject: Christmas Postkort!

God Jul!:)[Sender]Sender: M. Virtanen
 
Subject: Christmas postikorti!

Iloista Joulua!:)[Sender]Sender: C. Lina
 
Subject: Christmas Atviruka!

Naulieji Metai!:)[Sender]Sender: S. Ewa
 
Subject: Christmas - Kartki!

Wesolych Swiat!:)[Sender]Sender: H. Irene
 
Subject: Weihnachten card.

 Fröhliche Weihnachten!:)[Sender]Sender: R. Cornel
 
Subject: Prettige Kerstdagen!

Prettige Kerstdagen!:)[Sender]Sender: V. Dusan
 
Subject: Christmas pohlednice

Veselé Vánoce!:)[Sender]Sender: J. Martin
 
Subject: Joyeux Noel!

Joyeux Noel!:)[Sender]Sender: T. Antonio
 
Subject: Buon Natale!

Buon Natale!:)[Sender]
 

The worm includes a small visible gif attachement in the messages.

The actual worm attachment name is composed of several parts:

  • The word "postcard" in the respective language
  • Random numbers
  • Some of the extensions .pif, .cmd, .bat, .com or .zip.

Sometimes the filename can start with "link", "christmas" or "index".

The worm does not send emails to addresses that contain any of these strings:

  • yaho
  • google
  • win
  • use
  • info
  • help
  • admi
  • webm
  • micro
  • msn
  • hotm
  • suppor
  • syman
  • viru
  • trend
  • secur
  • panda
  • cafee
  • sopho
  • kasper