Name: Win32.Zafi.A@mm
Aliases: W32.Erkez.A@mm, W32/Zafi-A, WORM_ZAFI.A
Type: Executable, mass mailer
Size: 11,776
Discovered: 19.04.2004
Detected: 19.04.2004
Spreading: Low
Danger: Low
In The Wild:
Symptoms:
- Presence of the following files in the %SYSTEM% folder:
  - 7 files with random names, each name composed of 8 random letters: six files with the extension .dll and one with the extension .exe
  - 5 of the .dll files store e-mail addresses and are rather small (around 1 kbyte)
  - the 6th .dll file and the .exe file are copies of the virus, and have 11,776 bytes each
- Presence of the following registry keys or entries:
  [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"%random1%"="%random2%.exe %random3%"]
  where %random1% and %random2% are names formed from 8 random characters and %random3% is a random letter
  [HKEY_LOCAL_MACHINE\Software\Microsoft\Hazafi]
  with entries R1 to R9 and RA, containing information about the infected computer and the exact names of the 7 files (6 .dll and 1 .exe)
  For example:
  [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"xqqnazkf"="%SYSTEM%\smnoynve.exe P"]
  where %WINDOWS% points to the Windows folder (or WinNT on Windows NT based systems) and
  %SYSTEM% points to the "System" folder on Windows 9x systems and the "System32" folder on WinNT systems.
- Presence in memory of a process called Link
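As an added example (not part of this entry or of any vendor tool), the host-side symptoms above expressed as checks in Python over constructed registry and directory data; it assumes the random names are ASCII letters and that file sizes are available from a directory listing of %SYSTEM%.

```python
import re
from dataclasses import dataclass

# Patterns taken from the symptoms above: names are 8 random letters
# (assumed ASCII), the Run data is "<8 letters>.exe <one letter>",
# optionally prefixed with a path such as %SYSTEM%\ or C:\WINDOWS\System32\.
RAND8 = r"[A-Za-z]{8}"
RUN_NAME_RE = re.compile(rf"^{RAND8}$")
RUN_DATA_RE = re.compile(rf"^(?:.*\\)?{RAND8}\.exe [A-Za-z]$")
COPY_SIZE = 11776  # size of the worm's copies (the .exe and the 6th .dll)
HAZAFI_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Hazafi"


@dataclass
class Finding:
    kind: str
    detail: str


def check_run_values(run_values):
    """run_values: dict of value name -> data under ...\\CurrentVersion\\Run."""
    return [Finding("run_key", f'"{n}"="{d}"') for n, d in run_values.items()
            if RUN_NAME_RE.match(n) and RUN_DATA_RE.match(d)]


def check_system_files(listing):
    """listing: iterable of (filename, size) pairs from the %SYSTEM% folder.
    Only files of exactly COPY_SIZE are flagged; the ~1 kB address-store
    .dll files have random names too but are not copies of the worm."""
    hits = []
    for fname, size in listing:
        stem, dot, ext = fname.rpartition(".")
        if dot and ext.lower() in ("exe", "dll") and RUN_NAME_RE.match(stem) \
                and size == COPY_SIZE:
            hits.append(Finding("worm_copy", f"{fname} ({size} bytes)"))
    return hits


def check_registry_keys(keys):
    return [Finding("hazafi_key", k) for k in keys if k.lower() == HAZAFI_KEY.lower()]


def scan(run_values, listing, keys):
    return check_run_values(run_values) + check_system_files(listing) + check_registry_keys(keys)


# Constructed sample data modelled on the example entry above; not real captures.
SAMPLE_RUN = {"xqqnazkf": r"C:\WINDOWS\System32\smnoynve.exe P",
              "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_FILES = [("smnoynve.exe", 11776), ("ydkwpzql.dll", 11776),
                ("abcdefgh.dll", 1024), ("kernel32.dll", 983040)]
SAMPLE_KEYS = [HAZAFI_KEY, r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows"]

if __name__ == "__main__":
    for f in scan(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_KEYS):
        print(f.kind, f.detail)
```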
Technical description:
The virus arrives in an e-mail with the following format:
From: a spoofed e-mail address or the default kepeslapok@meglep.hu
Subject: kepeslap erkezett!
Body: may be one of the following:
Body1: Tisztelt felhasználó!
Body2: Önnek kópeslapja órkezett!
Body3: A kópeslap feladója: A lapot az alábbi cimen tudja megtekinteni:
Body4: http//matav.hu/viewcard/index=psp4uo5683535GSb0123fhhf578840f0623cv2
Body5: vagy a mellókelt internetlink kattintásával.
Body6: Üdvözlettel: Matav e-card!
Body7: http//www.netezz.matav.hu/
Attachment: link.matav.hu.viewcard.index42ADR4502HHJeTYWYJDF334GSDEv25546.com
Once run, the virus will do the following:
1. Checks if the date is 1 May 2004 and if it is, it displays the following message:
Emberek! Magyarok szazezrei, millioi elnek naprol - napra, halnak ehen - szomjan,
s szegenysegben hazankban! Mikozben jonehany felso parlamenti gazember
millios vagyonokra tesz szert, mitsem torodve velunk.
Latszat emberek iranyitanak, kik emelik fizetesunk, s ketszer annyi adot vonnak le,
kik igazsagszolgaltatasrol regelnek, mikor a bunozoket es a novekvo agressziot vedik
torvenyeikkel, kik inkabb Forma1-re pocsekoljak a penzt, mialatt hajlektalanok
halnak meg naponta utcainkon, s korhazi betegek szenvednek szukseges muszerek nelkul.
Hogy - hogy nem latja ezt senki ???? Miert nincs egy igaz magyar, ki vegre
mar nem sajat erdekeit, hanem az orszag sulyos problemait helyezne eloterbe!!!
Nem eleg akarni, s beszelni, meg szonoklatni a szepet,s jot,
tenni-tenni-tenni kell, egyarant mindenkinek - mindenkiert!
== HAZAFI == /Pecs,2004, (SNAF Team)/
2. Creates the aforementioned 7 randomly named files in the %SYSTEM% folder
3. Creates the aforementioned registry keys
4. Checks whether the computer is connected to the internet by attempting to contact google.com
5. Attempts to terminate the following processes:
zonalarm.exe
vbsntw.exe
vbcons.exe
pccguide.exe
outpost.exe
regedit.exe
regedit32.exe
navapw32.exe
pcciomon.exe
navdx.exe
navstub.exe
navw32.exe
nc2000.exe
ndd32.exe
netmon.exe
netarmor.exe
netinfo.exe
nmain.exe
nprotect.exe
ntvdm.exe
ostronet.exe
vsmain.exe
vsmon.exe
vsstat.exe
vbust.exe
mcagent.exe
fsav32.exe
fssm32.exe
fsm32.exe
fsbwsys.exe
fsgk32.exe
dfw.exe
tnbutil.exe
taskmgr.exe
winlogon.exe
fvprotect.exe
6. Searches for e-mail addresses in files with the following extensions:
htm, wab, txt, dbx, tbb, asp, php, sht, adb, mbx, eml, pmr
and avoids searching in files with the extensions:
lnk, swp, ico, dll, vxd, mp3, wav, avi, mpg, zip, rar, exe, wmv, cab, pk3, jpg, gif, bmp
and stores the addresses it finds in the 5 randomly named .dll files in the %SYSTEM% folder.
7. Opens Internet Explorer with a recently typed URL
8. Uses its own SMTP engine to send itself to the harvested e-mail addresses, but avoids sending to addresses containing:
microsoft
vir
trendmicro
avp
f-prot
hotmail
gov
anti
panda
norton