W32/Zafi.D Worm
Information about the W32/Zafi.D Worm:
W32/Zafi.D is an email worm that infects Windows systems. It spreads through email, KaZaA P2P software and the network.
The infected email carries a spoofed 'From' address picked at random from the infected system.
The subject of the infected mail will be any one of the following:
Merry Christmas!
Christmas Kort!
Christmas Vykort!
Christmas Postkort!
Christmas postikorti!
Christmas - Kartki!
Buon Natale!
Weihnachten card.
Prettige Kerstdagen!
Christmas pohlednice
Joyeux Noel!
boldog karacsony...
Feliz Navidad!
ecard.ru
Re: Christmas - Kartki!
Re: Buon Natale
Re: boldog karacsony...
Re: Merry Chrsitmas!
Re: Christmas postikorti!
Re: Joyeux Noel!
Re: Feliz Navidad!
Re: Christmas Vykort!
Re: Christmas Postkort!
Re: Christmas pohlednice
Re: Christmas Kort!
Re: Weihnachten card.
Re: Prettige Kerstdagen!
Re: Christmas Atviruka!
The body of the infected mail will be any one of the following:
*Happy Hollydays!*
:) <%Name%>
* .... .... *
:) <%Name%>
Natale!
:) <%Name%>
Joyeux Noel!
:) <%Name%>
Vesel noce!
:) <%Name%>
Prettige Kerstdagen!
:) <%Name%>
Hliche weihnachten!
:) <%Name%>e
Wesolych Swiat!
:) <%Name%>a
Naujieji Metai!
:) <%Name%>a
Iloista Joulua!
:) <%Name%>n
Christmas Vykort!
:) <%Name%>
Christmas Postkort!
:) <%Name%>
Feliz Navidad!
:) <%Name%>
The name of the infected attachment will be any one of the following:
postcard.christmas.index.htm????
link.postcard.index.htm????
link.postcard.christmas.index.php????
postcard.christmas.index.jpg????
weihnachten
pohlednice
navidad
kerstdagen
vykort
postkort
postikorti
kartki
atviruka
karacsony
ekort
ecarte
cartoline
The infected attachment may contain a double extension and the second extension can be any one of the following:
.zip, .bat, .cmd, .pif, .com
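A mail-gateway style check for the subject and attachment-name indicators listed above, as an added example that is not part of the original advisory. It assumes each `?` in the listed attachment names stands for one arbitrary character; `zafi_d_indicators` and `build_sample` are hypothetical names, and the sample message is constructed.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage
from fnmatch import fnmatchcase

# Indicators from this page, lower-cased. Trailing "!" and "." are dropped so the
# "Re:" variants listed with different punctuation compare equal.
SUBJECTS = {
    "merry christmas", "merry chrsitmas", "christmas kort", "christmas vykort",
    "christmas postkort", "christmas postikorti", "christmas - kartki",
    "christmas atviruka", "buon natale", "weihnachten card", "prettige kerstdagen",
    "christmas pohlednice", "joyeux noel", "boldog karacsony", "feliz navidad",
    "ecard.ru",
}
# Assumption: each "?" on the page stands for one arbitrary character.
NAME_PATTERNS = [
    "postcard.christmas.index.htm????", "link.postcard.index.htm????",
    "link.postcard.christmas.index.php????", "postcard.christmas.index.jpg????",
    "weihnachten", "pohlednice", "navidad", "kerstdagen", "vykort", "postkort",
    "postikorti", "kartki", "atviruka", "karacsony", "ekort", "ecarte", "cartoline",
]
SECOND_EXT = {".zip", ".bat", ".cmd", ".pif", ".com"}

def zafi_d_indicators(raw: bytes) -> list:
    """Return the page's indicators found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject.startswith("re:"):
        subject = subject[3:].strip()
    if subject.rstrip("!. ") in SUBJECTS:
        hits.append("subject")  # weak on its own: these are ordinary greetings
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, ext = os.path.splitext(name)  # ext is the final (second) extension
        if ext in SECOND_EXT and any(fnmatchcase(stem, p + "*") for p in NAME_PATTERNS):
            hits.append("attachment:" + name)
    return hits

def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message with harmless placeholder attachment bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("constructed body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(zafi_d_indicators(build_sample("Re: Feliz Navidad!", "navidad.jpg.pif")))
```

A subject hit alone should only raise a score; the attachment-name hit combined with one of the listed final extensions is the stronger signal for quarantine.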
Upon execution, the worm copies itself as Norton Update.exe in the Windows System folder.
It alters the Windows registry at the following location to load itself at the next startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
To propagate itself, the worm scans files with the following extensions and collects all the email addresses available on the infected system:
htm, wab, txt, dbx, tbb, asp, php, sht, adb, mbx, eml, pmr, fpt, inb
The collected addresses are stored in five files in the SYSTEM32 folder, using random names with the file extension .dll.
The worm then mails itself to these addresses using its own SMTP engine.
The worm also tries to terminate antivirus and security related software.
This worm first appeared on 14th December, 2004.
Other names of W32/Zafi.D Worm:
This worm is also known as WORM_ZAFI.D, W32.Erkez.D@mm, W32/Zafi-D, Zafi.D.