__________________________________________
Internet Worm Name Risk Assessment
W32/Zafi@MM Corporate User : Low
Home User : Low
Internet Worm Information
Discovery Date: 04/19/2004
Origin: Hungary
Length: 11776 bytes
Type: Internet Worm
SubType: E-mail
Minimum DAT: 4352 (04/21/2004)
Updated DAT: 4352 (04/21/2004)
Minimum Engine: 4.2.40
Description Added: 04/19/2004
Description Modified: 04/19/2004 7:09 AM (PT)
Description Menu
Internet Worm Characteristics
Symptoms
Method Of Infection
Removal Instructions
Variants / Aliases
Rate This page
Print This Page
Email This Page
Legend
Internet Worm Characteristics:
This threat is proactive detected, by 4250 DATs and 4.3.20 engine with 'program heuristics' enabled, as 'New Malware.b'.
When executed, the worm copies itself twice to the %windir%\system32 folder using a random name and .EXE and .DLL extension.
Example:
C:\WINNT\system32\bawtsuoc.exe
C:\WINNT\system32\ylhefsko.dll
It creates a registry key, so the file gets executed every time the machine starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
"xqmguqdx" = C:\WINDOWS\System32\bawtsuoc.exe I3
Than it starts searching the for email addresses on the local harddisk and stores the harvested addresses in five files in the system32 folder using random names and the fileextension .DLL
Example:
C:\WINNT\system32\dnszokke.dll
C:\WINNT\system32\eajgrjic.dll
C:\WINNT\system32\jgehkgju.dll
C:\WINNT\system32\vipmcylx.dll
C:\WINNT\system32\wthrwhbu.dll
References to these files are stored within the following key, which is also created by the worm:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Hazafi
The worm monitors the processlist and terminates programs with these filenames:
dfw.exe
fsav32.exe
fsbwsys.exe
fsgk32.exe
fsm32.exe
fssm32.exe
fvprotect.exe
mcagent.exe
navapw32.exe
navdx.exe
navstub.exe
navw32.exe
nc2000.exe
ndd32.exe
netarmor.exe
netinfo.exe
netmon.exe
nmain.exe
nprotect.exe
ntvdm.exe
ostronet.exe
outpost.exe
pccguide.exe
pcciomon.exe
regedit.exe
regedit32.exe
taskmgr.exe
tnbutil.exe
vbcons.exe
vbsntw.exe
vbust.exe
vsmain.exe
vsmon.exe
vsstat.exe
winlogon.exe
zonalarm.exe
Top of Page
Symptoms
Existance of files and registry keys as mentioned above.
Process termination
Network traffic
Top of Page
Method Of Infection
This worm does not use any exploit code in order to execute the mail attachment automatically. A user has to doubleclick on an infected attachment to infected the machine.
Top of Page
Removal Instructions
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
__________________________________________
La actualizacion del indicado motor 4.3.20 se puede conseguir bajando y ejecutando el 4320ENG.EXE, para los que tengan instalado el anterior motor 4.2.60:
Aparte, cpon los proximos DATS 4352 se controlará sin necesidad de la deteccion proheuristica conseguida con el nuevo motor.
Al respecto de este nuevo avance de mcAfee, cabe adelantar que ya nos han anunciado el lanzamiento de la version 8.I (I de Intrusion) ENTERPRISE con tecnologica IPS (INTRUSION PREVENTION SYSTEM) y que aparecerá a finakes de Julio próximo.
Conviene pues la implementacion de este nuevo motor.
saludos
ms, 19-04-2004
msc hotline sat Virus Research Engineer