NEW ZAFI.B VIRUS: MASS-MAILING AND SPREADING RAPIDLY


Post by msc hotline sat » 14 Jun 2004, 13:58

This morning we are receiving quite a few incident reports from users infected with a new virus, which has turned out to be ZAFI.B. Its risk level is rising by the moment, so much so that McAfee has brought forward the release of the 4366 DATs that control it, and they are already available right now.



McAfee's description of ZAFI.B is:

__________________________________________



Virus Name: W32/Zafi.b@MM

Risk Assessment: Corporate User: Medium / Home User: Medium







Virus Information

Discovery Date: 06/11/2004

Origin: Unknown

Length: 12,800 bytes

Type: Virus

SubType: Email

Minimum DAT: 4366 (06/14/2004)

Updated DAT: 4366 (06/14/2004)

Minimum Engine: 4.2.40

Description Added: 06/11/2004

Description Modified: 06/14/2004 3:02 AM (PT)


Virus Characteristics:

-- Update June 14th, 2004 03:01 PST --

The risk assessment of this threat has been raised to Medium due to increased prevalence.

-- Update June 14, 2004 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:

http://times.hankooki.com/lpage/tech/200406/kt2004061320092511800.htm





This is a mass-mailing worm that constructs messages using its own SMTP engine, spoofing the From: address. It also attempts to propagate via P2P, via copying itself to folders on the local system (containing 'share' or 'upload' in the folder name).



Mail Propagation



The worm constructs messages using its own SMTP engine, spoofing the From: address.



The worm searches for email addresses on the local hard disk, harvesting addresses from files with the following extensions:

htm, wab, txt, dbx, tbb, asp, php, sht, adb, mbx, eml, pmr

Harvested addresses are stored in five files in the system32 folder, using random names and the file extension .DLL.





Example:

C:\WINNT\system32\kenbdplk.dll
C:\WINNT\system32\zibscdes.dll
C:\WINNT\system32\qfafsxoz.dll
C:\WINNT\system32\zhzukrhp.dll
C:\WINNT\system32\sdxsuwxt.dll





References to these files are stored within the following key, which is also created by the worm:



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb

The worm avoids sending itself to certain email addresses, those containing any of the following strings:

admi, cafee, google, help, hotm, info, kasper, micro, msn, panda, sopho, suppor, syma, trend, use, vir, webm, win, yaho

The worm sends itself out in different languages. Below are some of the formats. The "From" address is spoofed. The mail server to use is concatenated from various strings in the virus body (e.g. fmx1.domain.hu).



To: anita

Subject: Ingyen SMS!

Attachment: "regiszt.php?3124freesms.index777.pif"

Body:

------------------------ hirdet=E9s ----------------------------- A sikeres 777sms.hu =E9s az axelero.hu t=E1mogat=E1s=E1val =FAjra indul az ingyenes sms k=FCld=F5 szolg=E1ltat=E1s! Jelenleg ugyan korl=E1tozott sz=E1mban, napi 20 ingyen smst lehet felhaszn=E1lni. K=FCldj te is SMST! Neh=E1ny kattint=E1s =E9s a mell=E9kelt regisztr=E1ci=F3s lap kit=F6lt=E9se ut=E1n azonnal ig=E9nybevehet=F5! B=F5vebb inform=E1ci=F3t a http://www.777sms.hu oldalon tal=E1lsz, de siess, mert az els=F5 ezer felhaszn=E1l=F3 k=F6z=F6tt =E9rt=E9kes nyerem=E9nyeket sorsolunk ki! ------------------------ axelero.hu ---------------------------



To: claudia

Subject: Importante!

Attachment: "link.informacion.phpV23.text.message.pif"

Body:

Informacion importante que debes conocer, -



To: katya

Subject: Katya

Attachment: "view.link.index.image.phpV23.sexHdg21.pif"



To: eva

Subject: E-Kort!

Attachment: "link.ekort.index.phpV7ab4.kort.pif"

Body:

Mit hjerte banker for dig!



To: marica

Subject: Ecard!

Attachment: "link.showcard.index.phpAv23.ritm.pif"

Body:

De cand te-am cunoscut inima mea are un nou ritm!



To: anna

Subject: E-vykort!

Attachment: "link.vykort.showcard.index.phpBn23.pif"

Body:

Till min Alskade...



To: erica

Subject: E-Postkort!

Attachment: "link.postkort.showcard.index.phpAe67.pif"

Body:

Vakre roser jeg sammenligner med deg...



To: katarina

Subject: E-postikorti!

Attachment: "link.postikorti.showcard.index.phpGz42.pif"

Body:

Iloista kesaa!



To: magdolina

Subject: Atviruka!

Attachment: "link.atviruka.showcard.index.phpGz42.pif"

Body:

Linksmo gimtadieno! ha



To: beate

Subject: E-Kartki!

Attachment: "link.kartki.showcard.index.phpVg42.pif"

Body:

W Dniu imienin...



To:

Subject: Cartoe Virtuais!

Attachment: "link.cartoe.viewcard.index.phpYj39.pif"

Body:

Content: Te amo... ,



To: alice

Subject: Flashcard fuer Dich!

Attachment: "link.flashcard.de.viewcard34.php.2672aB.pif"

Body:

Hallo! hat dir eine elektronische Flashcard geschickt. Um die Flashcard ansehen zu koennen, benutze in deinem Browser einfach den nun folgenden link: http://flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34 Viel Spass beim Lesen wuenscht Ihnen ihr...



To: eva

Subject: Er staat een eCard voor u klaar!

Attachment: "postkaarten.nl.link.viewcard.index.phpG4a62.pif"

Body:

Hallo! heeft u een eCard gestuurd via de website nederlandse taal in het basisonderwijs... U kunt de kaart ophalen door de volgende url aan te klikken of te kopiren in uw browser link: http://postkaarten.nl/viewcard.show53.index=04abD1 Met vriendelijke groet, De redactie taalsite primair onderwijs...



To: hanka

Subject: Elektronicka pohlednice!

Attachment: "link.seznam.cz.pohlednice.index.php2Avf3.pif"

Body:

Ahoj! Elektronick pohlednice ze serveru http://www.seznam.cz -



To: claudine

Subject: E-carte!

Attachment: "link.zdnet.fr.ecarte.index.php34b31.pif"

Body:

vous a envoye une E-carte partir du site zdnet.fr Vous la trouverez, l'adresse suivante link: http://zdnet.fr/showcard.index.php34bs42 http://www.zdnet.fr, plus de 3500 cartes virtuelles, vos pages web en 5 minutes, du dialogue en direct...



To: francesca

Subject: Ti e stata inviata una Cartolina Virtuale!

Attachment: "link.cartoline.it.viewcard.index.4g345a.pif"

Body:

Ciao! ha visitato il nostro sito, cartolina.it e ha creato una cartolina virtuale per te! Per vederla devi fare click sul link sottostante: http://cartolina.it/asp.viewcard=index4g345a Attenzione, la cartolina sara visibile sui nostri server per 2 giorni e poi verra rimossa automaticamente.



To: jennifer

Subject: You`ve got 1 VoiceMessage!

Attachment: "link.voicemessage.com.listen.index.php1Ab2c.pif"

Body:

Dear Customer! You`ve got 1 VoiceMessage from voicemessage.com website! Sender: You can listen your Virtual VoiceMessage at the following link: http://virt.voicemessage.com/index.listen.php2=35affv or by clicking the attached link. Send VoiceMessage! Try our new virtual VoiceMessage Empire! Best regards: SNAF.Team (R).



To: anita

Subject: Tessek mosolyogni!!!

Attachment: "meztelen csajok fociznak.flash.jpg.pif"

Body:

Ha ez a k=E9p sem tud felviditani, akkor feladom! Sok puszi:



To: anita

Subject: Soxor Csok!

Attachment: "anita.image043.jpg.pif"

Body:

Szia! Aranyos vagy, j=F3 volt dumcsizni veled a neten! Rem=E9lem tetszem, =E9s szeretn=E9m ha te is k=FClden=E9l k=E9pet magadr=F3l, addig is cs=F3k: )l@



To: jennifer

Subject: Don`t worry, be happy!

Attachment: "www.ecard.com.funny.picture.index.nude.php356.pif"

Body:

Hi Honey! I`m in hurry, but i still love ya... (as you can see on the picture) Bye - Bye:



To: david

Subject: Check this out kid!!!

Attachment: "jennifer the wild girl xxx07.jpg.pif"

Body:

Send me back bro, when you`ll be done...(if you know what i mean...) See ya,



P2P Propagation



The worm copies itself to directories on the C: drive containing one of the following strings:

share
upload

The filenames the worm copies itself with are:

Total Commander 7.0 full_install.exe
winamp 7.0 full_install.exe

File overwriting payload

The worm searches for directories of anti-virus and personal firewall software, and then overwrites the executables in there with a copy of itself.

Process termination payload

In an attempt to thwart manual identification and cleaning of an infected machine, the worm will attempt to terminate processes containing any of the following strings:

regedit
msconfig
task


Symptoms

Installation



When executed, the worm copies itself twice to the %windir%\system32 folder using a random name and the .EXE and .DLL extensions.

Example:

C:\WINNT\system32\jrbtgmqi.exe
C:\WINNT\system32\enfrbatm.dll

It creates a registry key, so the file gets executed every time the machine starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "_Hazafibb" = %windir%\System32\jrbtgmqi.exe

Other symptoms include:

Security software fails to work
Network traffic
System slowdown



__________________________________________



We are building the ELIZAFIA.EXE removal utility, which we will upload to this site shortly (later today).



regards



ms, 14-06-2004
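As an added example that is not part of the original post or of McAfee's description: a small mail-gateway triage function that flags messages matching the Zafi.B lures listed above (a known subject line, a .pif attachment, and the fake inner extension such as .php or .jpg that every lure's attachment name carries). The sample message is constructed here; the subject and name patterns are copied from the description.

```python
"""Triage helper for the W32/Zafi.b@MM mail lures (added example, not McAfee code)."""
import email
import re
from email import policy

# Subject lines copied from the description above.
ZAFI_B_SUBJECTS = {
    "Ingyen SMS!", "Importante!", "Katya", "E-Kort!", "Ecard!", "E-vykort!",
    "E-Postkort!", "E-postikorti!", "Atviruka!", "E-Kartki!", "Cartoe Virtuais!",
    "Flashcard fuer Dich!", "Er staat een eCard voor u klaar!",
    "Elektronicka pohlednice!", "E-carte!",
    "Ti e stata inviata una Cartolina Virtuale!", "You`ve got 1 VoiceMessage!",
    "Tessek mosolyogni!!!", "Soxor Csok!", "Don`t worry, be happy!",
    "Check this out kid!!!",
}
# Every lure attaches a .pif whose name embeds a fake inner extension
# (.php, .jpg, .index, .text, .html) so it looks like a web link or picture.
PIF_DOUBLE_EXT = re.compile(r"\.(php|jpg|index|text|html?)[^/\\]*\.pif$", re.I)

def zafi_b_indicators(raw_message: bytes) -> list[str]:
    """Return the Zafi.B lure indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    if (msg.get("Subject") or "").strip() in ZAFI_B_SUBJECTS:
        found.append("known-subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".pif"):
            found.append("pif-attachment")
        if PIF_DOUBLE_EXT.search(name):
            found.append("double-extension")
    return found

# Constructed sample modelled on the "Importante!" lure; the attachment body
# is a placeholder, not the worm.
SAMPLE = b"""From: anita@example.invalid
To: claudia@example.invalid
Subject: Importante!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Informacion importante que debes conocer, -
--b1
Content-Type: application/octet-stream; name="link.informacion.phpV23.text.message.pif"
Content-Disposition: attachment; filename="link.informacion.phpV23.text.message.pif"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
```

A gateway rule would quarantine on "pif-attachment" alone; the other two indicators only raise confidence that it is this family.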
