W32/Zafi.B Worm

Information about the W32/Zafi.B worm:
W32/Zafi.B is a mass-mailing worm that infects Windows systems. The worm spreads through email, shared network drives and the KaZaA P2P file-sharing software.
The infected email carries a spoofed 'From' address, picked up from the infected system.
The subject, body and infected attachment of the mail are taken from one of the following sets:
Set 1
To: katya
Subject: Katya
Attachment: view.link.index.image.phpV23.sexHdg21.pif
Set 2
To: claudia
Subject: Importante!
Attachment: link.informacion.phpV23.text.message.pif
Body: Informacion importante que debes conocer, -
Set 3
To: eva
Subject: E-Kort!
Attachment: link.ekort.index.phpV7ab4.kort.pif
Body: Mit hjerte banker for dig!
Set 4
To: marica
Subject: Ecard!
Attachment: link.showcard.index.phpAv23.ritm.pif
Body: De cand te-am cunoscut inima mea are un nou ritm!
Set 5
To: anita
Subject: Ingyen SMS!
Attachment: regiszt.php?3124freesms.index777.pif
Body: ------------------------ hirdetés -----------------------------
A sikeres 777sms.hu és az axelero.hu támogatásával újra indul
az ingyenes sms küldő szolgáltatás! Jelenleg ugyan korlátozott
számban, napi 20 ingyen smst lehet felhasználni. Küldj te is SMST!
Nehány kattintás és a mellékelt regisztrációs lap kitöltése
után azonnal igénybevehető! Bővebb információt a www.777sms.hu
oldalon találsz, de siess, mert az első ezer felhasználó között
értékes nyereményeket sorsolunk ki! ------------------------ axelero.hu
---------------------------
Set 6
To: erica
Subject: E-Postkort!
Attachment: link.postkort.showcard.index.phpAe67.pif
Body: Vakre roser jeg sammenligner med deg...
Set 7
To: anna
Subject: E-vykort!
Attachment: link.vykort.showcard.index.phpBn23.pif
Body: Till min Alskade...
Set 8
To: katarina
Subject: E-postikorti!
Attachment: link.postikorti.showcard.index.phpGz42.pif
Body: Iloista kesaa!
Set 9
To: magdolina
Subject: Atviruka!
Attachment: link.atviruka.showcard.index.phpGz42.pif
Body: Linksmo gimtadieno! ha
Set 10
To: beate
Subject: E-Kartki!
Attachment: link.kartki.showcard.index.phpVg42.pif
Body: W Dniu imienin...
Set 11
To: alice
Subject: Flashcard fuer Dich!
Attachment: link.flashcard.de.viewcard34.php.2672aB.pif
Body: Hallo! hat dir eine elektronische Flashcard geschickt. Um die Flashcard
ansehen zu koennen, benutze in deinem Browser einfach den nun folgenden
link: http://flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34
Viel Spass beim Lesen wuenscht Ihnen ihr...
Set 12
To: eva
Subject: Er staat een eCard voor u klaar!
Attachment: postkaarten.nl.link.viewcard.index.phpG4a62.pif
Body: Hallo! heeft u een eCard gestuurd via de website nederlandse taal
in het basisonderwijs... U kunt de kaart ophalen door de volgende url aan
te klikken of te kopiren in uw browser link: http://postkaarten.nl/viewcard.show53.index=04abD1
Met vriendelijke groet, De redactie taalsite primair onderwijs...
Set 13
To: hanka
Subject: Elektronicka pohlednice!
Attachment: link.seznam.cz.pohlednice.index.php2Avf3.pif
Body: Ahoj! Elektronick pohlednice ze serveru http://www.seznam.cz -
Set 14
To: francesca
Subject: Ti e stata inviata una Cartolina Virtuale!
Attachment: link.cartoline.it.viewcard.index.4g345a.pif
Body: Ciao! ha visitato il nostro sito, cartolina.it e ha creato una cartolina
virtuale per te! Per vederla devi fare click sul link sottostante: http://cartolina.it/asp.viewcard=index4g345a
Attenzione, la cartolina sara visibile sui nostri server per 2 giorni e
poi verra rimossa automaticamente.
Set 15
To: claudine
Subject: E-carte!
Attachment: link.zdnet.fr.ecarte.index.php34b31.pif
Body: vous a envoye une E-carte partir du site zdnet.fr Vous la trouverez,
l'adresse suivante link: http://zdnet.fr/showcard.index.php34bs42 www.zdnet.fr,
plus de 3500 cartes virtuelles, vos pages web en 5 minutes, du dialogue
en direct...
Set 16
To: jennifer
Subject: You`ve got 1 VoiceMessage!
Attachment: link.voicemessage.com.listen.index.php1Ab2c.pif
Body: Dear Customer! You`ve got 1 VoiceMessage from voicemessage.com website!
Sender: You can listen your Virtual VoiceMessage at the following link:
http://virt.voicemessage.com/index.listen.php2=35affv or by clicking the
attached link. Send VoiceMessage! Try our new virtual VoiceMessage Empire!
Best regards: SNAF.Team (R).
Set 17
To: anita
Subject: Tessek mosolyogni!!!
Attachment: meztelen csajok fociznak.flash.jpg.pif
Body: Ha ez a kép sem tud felviditani, akkor feladom! Sok puszi:
Set 18
To: anita
Subject: Soxor Csok!
Attachment: anita.image043.jpg.pif
Body: Szia! Aranyos vagy, jó volt dumcsizni veled a neten! Remélem
tetszem, és szeretném ha te is küldenél képet magadról, addig
is csók: )l@
Set 19
To: david
Subject: Check this out kid!!!
Attachment: jennifer the wild girl xxx07.jpg.pif
Body: Send me back bro, when you`ll be done...(if you know what i mean...)
See ya,
Set 20
To: jennifer
Subject: Don`t worry, be happy!
Attachment: www.ecard.com.funny.picture.index.nude.php356.pif
Body: Hi Honey! I`m in hurry, but i still love ya... (as you can see on
the picture) Bye - Bye:
The infected attachment may also arrive with a random filename and an .exe or .com extension.
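As an added example (not part of the original description), a mail-gateway triage routine in Python that checks a message against the lure subjects and the attachment naming documented above: every Zafi.B attachment ends in .pif, .exe or .com, often behind an image- or script-looking segment such as ".jpg.pif" or ".phpV23". The function name is hypothetical and the sample messages are constructed.

```python
import re

# Lure subjects documented for W32/Zafi.B in the description above.
ZAFI_B_SUBJECTS = {
    "Katya", "Importante!", "E-Kort!", "Ecard!", "Ingyen SMS!", "E-Postkort!",
    "E-vykort!", "E-postikorti!", "Atviruka!", "E-Kartki!",
    "Flashcard fuer Dich!", "Er staat een eCard voor u klaar!",
    "Elektronicka pohlednice!", "Ti e stata inviata una Cartolina Virtuale!",
    "E-carte!", "You`ve got 1 VoiceMessage!", "Tessek mosolyogni!!!",
    "Soxor Csok!", "Check this out kid!!!", "Don`t worry, be happy!",
}

# The worm's attachment always ends in an executable extension: .pif, .exe or .com.
EXEC_EXT = re.compile(r"\.(pif|exe|com)$", re.IGNORECASE)

# Names such as "anita.image043.jpg.pif" or "regiszt.php?3124freesms.index777.pif":
# an image/script-looking segment followed later by the real executable extension.
DISGUISED = re.compile(r"\.(jpe?g|gif|php\w*|txt|html?)\S*\.(pif|exe|com)$", re.IGNORECASE)


def triage(subject: str, attachment: str) -> list:
    """Return the reasons a message matches the Zafi.B pattern; an empty list means no match."""
    reasons = []
    if subject.strip() in ZAFI_B_SUBJECTS:
        reasons.append("subject matches a documented Zafi.B lure")
    if EXEC_EXT.search(attachment):
        reasons.append("attachment has an executable extension")
    if DISGUISED.search(attachment):
        reasons.append("attachment name disguises an executable as an image or script")
    return reasons


# Constructed sample messages (not captured traffic); the first two mirror documented sets.
SAMPLES = [
    ("Katya", "view.link.index.image.phpV23.sexHdg21.pif"),
    ("Check this out kid!!!", "jennifer the wild girl xxx07.jpg.pif"),
    ("Quarterly report", "report.pdf"),
]

if __name__ == "__main__":
    for subject, attachment in SAMPLES:
        verdict = triage(subject, attachment)
        print(f"{subject!r} / {attachment!r}: {verdict or 'clean'}")
```

The subject list only catches this variant; the two attachment checks are the durable part of the rule, since blocking executable attachments at the gateway stops the worm regardless of the lure text.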
When the infected attachment is executed, the worm copies itself under random file names with .exe and .dll extensions to the Windows System folder. It also copies itself to shared folders on the C drive.
It modifies the registry at the following location so that it is loaded at the next startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The worm scans the infected computer and collects email addresses from all files with the following extensions:
.wab, .txt, .htm, .sht, .tbb, .eml, .adb, .asp, .php, .mbx, .dbx and .pmr
The worm stores all the collected email addresses in five files under the Windows System folder. These files have random names with a .dll extension.
The worm tries to connect to www.google.com and www.microsoft.com to check for Internet connectivity. It then mails itself to the collected addresses using its own SMTP engine. The worm also overwrites the executable files of various antivirus and security-related software.
This worm first appeared on June 10, 2004.
Other names of W32/Zafi.B Worm:
This worm is also known as W32/Zafi.b@MM, W32.Erkez.B@mm and W32/Zafi-B.