McAfee's description of ZAFI.B is:
__________________________________________
Virus Name: W32/Zafi.b@MM
Risk Assessment: Corporate User: Medium; Home User: Medium
Virus Information
Discovery Date: 06/11/2004
Origin: Unknown
Length: 12,800 bytes
Type: Virus
SubType: Email
Minimum DAT: 4366 (06/14/2004)
Updated DAT: 4366 (06/14/2004)
Minimum Engine: 4.2.40
Description Added: 06/11/2004
Description Modified: 06/14/2004 3:02 AM (PT)
Virus Characteristics:
-- Update June 14th, 2004 03:01 PST --
The risk assessment of this threat has been raised to Medium due to increased prevalence.
--
-- Update June 14, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
This is a mass-mailing worm that constructs messages using its own SMTP engine, spoofing the From: address. It also attempts to propagate via P2P, via copying itself to folders on the local system (containing 'share' or 'upload' in the folder name).
Mail Propagation
The worm constructs messages using its own SMTP engine, spoofing the From: address.
The worm searches for email addresses on the local hard disk, harvesting addresses from files with the following extensions:
htm
wab
txt
dbx
tbb
asp
php
sht
adb
mbx
eml
pmr
Harvested addresses are stored in five files in the system32 folder using random names and the file extension .DLL
Example:
C:\WINNT\system32\kenbdplk.dll
C:\WINNT\system32\zibscdes.dll
C:\WINNT\system32\qfafsxoz.dll
C:\WINNT\system32\zhzukrhp.dll
C:\WINNT\system32\sdxsuwxt.dll
References to these files are stored within the following key, which is also created by the worm:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb
The worm avoids sending itself to certain email addresses, those containing any of the following strings:
admi
cafee
help
hotm
info
kasper
micro
msn
panda
sopho
suppor
syma
trend
use
vir
webm
win
yaho
The worm sends itself out in different languages. Below are some of the formats. The email "From" address is spoofed. The mail server to use is concatenated from various strings in the virus body (e.g. fmx1.domain.hu).
To: anita
Subject: Ingyen SMS!
Attachment: "regiszt.php?3124freesms.index777.pif"
Body:
------------------------ hirdet=E9s ----------------------------- A sikeres 777sms.hu =E9s az axelero.hu t=E1mogat=E1s=E1val =FAjra indul az ingyenes sms k=FCld=F5 szolg=E1ltat=E1s! Jelenleg ugyan korl=E1tozott sz=E1mban, napi 20 ingyen smst lehet felhaszn=E1lni. K=FCldj te is SMST! Neh=E1ny kattint=E1s =E9s a mell=E9kelt regisztr=E1ci=F3s lap kit=F6lt=E9se ut=E1n azonnal ig=E9nybevehet=F5! B=F5vebb inform=E1ci=F3t a
To: claudia
Subject: Importante!
Attachment: "link.informacion.phpV23.text.message.pif"
Body:
Informacion importante que debes conocer, -
To: katya
Subject: Katya
Attachment: "view.link.index.image.phpV23.sexHdg21.pif"
To: eva
Subject: E-Kort!
Attachment: "link.ekort.index.phpV7ab4.kort.pif"
Body:
Mit hjerte banker for dig!
To: marica
Subject: Ecard!
Attachment: "link.showcard.index.phpAv23.ritm.pif"
Body:
De cand te-am cunoscut inima mea are un nou ritm!
To: anna
Subject: E-vykort!
Attachment: "link.vykort.showcard.index.phpBn23.pif"
Body:
Till min Alskade...
To: erica
Subject: E-Postkort!
Attachment: "link.postkort.showcard.index.phpAe67.pif"
Body:
Vakre roser jeg sammenligner med deg...
To: katarina
Subject: E-postikorti!
Attachment: "link.postikorti.showcard.index.phpGz42.pif"
Body:
Iloista kesaa!
To: magdolina
Subject: Atviruka!
Attachment: "link.atviruka.showcard.index.phpGz42.pif"
Body:
Linksmo gimtadieno! ha
To: beate
Subject: E-Kartki!
Attachment: "link.kartki.showcard.index.phpVg42.pif"
Body:
W Dniu imienin...
To:
Subject: Cartoe Virtuais!
Attachment: "link.cartoe.viewcard.index.phpYj39.pif"
Body:
Content: Te amo... ,
To: alice
Subject: Flashcard fuer Dich!
Attachment: "link.flashcard.de.viewcard34.php.2672aB.pif"
Body:
Hallo! hat dir eine elektronische Flashcard geschickt. Um die Flashcard ansehen zu koennen, benutze in deinem Browser einfach den nun folgenden link:
To: eva
Subject: Er staat een eCard voor u klaar!
Attachment: "postkaarten.nl.link.viewcard.index.phpG4a62.pif"
Body:
Hallo! heeft u een eCard gestuurd via de website nederlandse taal in het basisonderwijs... U kunt de kaart ophalen door de volgende url aan te klikken of te kopiren in uw browser link:
To: hanka
Subject: Elektronicka pohlednice!
Attachment: "link.seznam.cz.pohlednice.index.php2Avf3.pif"
Body:
Ahoj! Elektronick pohlednice ze serveru
To: claudine
Subject: E-carte!
Attachment: "link.zdnet.fr.ecarte.index.php34b31.pif"
Body:
vous a envoye une E-carte partir du site zdnet.fr Vous la trouverez, l'adresse suivante link:
To: francesca
Subject: Ti e stata inviata una Cartolina Virtuale!
Attachment: "link.cartoline.it.viewcard.index.4g345a.pif"
Body:
Ciao! ha visitato il nostro sito, cartolina.it e ha creato una cartolina virtuale per te! Per vederla devi fare click sul link sottostante:
To: jennifer
Subject: You`ve got 1 VoiceMessage!
Attachment: "link.voicemessage.com.listen.index.php1Ab2c.pif"
Body:
Dear Customer! You`ve got 1 VoiceMessage from voicemessage.com website! Sender: You can listen your Virtual VoiceMessage at the following link:
To: anita
Subject: Tessek mosolyogni!!!
Attachment: "meztelen csajok fociznak.flash.jpg.pif"
Body:
Ha ez a k=E9p sem tud felviditani, akkor feladom! Sok puszi:
To: anita
Subject: Soxor Csok!
Attachment: "anita.image043.jpg.pif"
Body:
Szia! Aranyos vagy, j=F3 volt dumcsizni veled a neten! Rem=E9lem tetszem, =E9s szeretn=E9m ha te is k=FClden=E9l k=E9pet magadr=F3l, addig is cs=F3k: )l@
To: jennifer
Subject: Don`t worry, be happy!
Attachment: "
Body:
Hi Honey! I`m in hurry, but i still love ya... (as you can see on the picture) Bye - Bye:
To: david
Subject: Check this out kid!!!
Attachment: "jennifer the wild girl xxx07.jpg.pif"
Body:
Send me back bro, when you`ll be done...(if you know what i mean...) See ya,
P2P Propagation
The worm copies itself to directories on the C: drive containing one of the following strings:
share
upload
The filenames the worm copies itself with are:
Total Commander 7.0 full_install.exe
winamp 7.0 full_install.exe
File overwriting payload
The worm searches for directories of anti-virus and personal firewall software, and then overwrites the executables in there with a copy of itself.
Process termination payload
In an attempt to thwart manual identification and cleaning of an infected machine, the worm will attempt to terminate processes containing any of the following strings:
regedit
msconfig
task
Symptoms
Installation
When executed, the worm copies itself twice to the %windir%\system32 folder using a random name and .EXE and .DLL extension.
Example:
C:\WINNT\system32\jrbtgmqi.exe
C:\WINNT\system32\enfrbatm.dll
It creates a registry key, so the file gets executed every time the machine starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "_Hazafibb" = %windir%\System32\jrbtgmqi.exe
Other symptoms include:
Security software fails to work
Network traffic
System slowdown
__________________________________________
We are preparing the ELIZAFIA.EXE utility, which we will upload to this site shortly (today).
Regards
ms, 14-06-2004
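As an added triage helper (not McAfee's or the poster's code), the script below scores a host inventory and attachment names against the indicators listed in the description above: the "_Hazafibb" Run value and registry key, the random 8-letter .exe/.dll names in system32, the P2P bait filenames in "share"/"upload" folders, and the double-extension .pif attachments. The inventory values are constructed samples; the KaZaA path is assumed for illustration.

```python
import re

# Indicators transcribed from the McAfee description quoted above.
RUN_VALUE_NAME = "_Hazafibb"
WORM_REG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb"
P2P_BAIT_NAMES = {"total commander 7.0 full_install.exe",
                  "winamp 7.0 full_install.exe"}
P2P_DIR_HINTS = ("share", "upload")
# Dropped copies and address stores: 8 random letters, .exe/.dll, in system32.
RANDOM_SYS32_RE = re.compile(r"\\system32\\([a-z]{8})\.(exe|dll)$", re.IGNORECASE)
# Every listed bait attachment ends in .pif behind a fake .php/.jpg/.htm token.
BAIT_ATTACH_RE = re.compile(r"\.(php|jpg|htm)[^\\/]*\.pif$", re.IGNORECASE)


def host_indicators(run_values, reg_keys, files):
    """Match Run values, registry keys and file paths against the Zafi.B
    indicators; returns a list of (severity, detail) findings."""
    findings = []
    for name, target in run_values.items():
        if name.lower() == RUN_VALUE_NAME.lower():
            findings.append(("high", f"Run value {name} -> {target}"))
        elif RANDOM_SYS32_RE.search(target):
            findings.append(("medium", f"random-named autorun: {target}"))
    if any(k.lower() == WORM_REG_KEY.lower() for k in reg_keys):
        findings.append(("high", f"worm key present: {WORM_REG_KEY}"))
    for path in files:
        folder, _, base = path.lower().rpartition("\\")
        if base in P2P_BAIT_NAMES and any(h in folder for h in P2P_DIR_HINTS):
            findings.append(("high", f"P2P bait copy: {path}"))
        elif RANDOM_SYS32_RE.search(path):
            # Noisy on its own; corroborate with the Run value above.
            findings.append(("low", f"random-named system32 file: {path}"))
    return findings


def is_bait_attachment(filename):
    """True for names shaped like the worm's attachments (e.g. x.jpg.pif)."""
    return BAIT_ATTACH_RE.search(filename) is not None


# Constructed sample inventory (not from a real host); KaZaA path is assumed.
SAMPLE_RUN = {"_Hazafibb": r"C:\WINNT\System32\jrbtgmqi.exe",
              "Synchronization Manager": r"C:\WINNT\system32\mobsync.exe"}
SAMPLE_KEYS = [r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb"]
SAMPLE_FILES = [r"C:\WINNT\system32\jrbtgmqi.exe",
                r"C:\WINNT\system32\kenbdplk.dll",
                r"C:\Program Files\KaZaA\My Shared Folder\winamp 7.0 full_install.exe",
                r"C:\WINNT\system32\kernel32.dll"]

if __name__ == "__main__":
    for severity, detail in host_indicators(SAMPLE_RUN, SAMPLE_KEYS, SAMPLE_FILES):
        print(severity, detail)
```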