McAfee AVERT Raises Risk Assessment On Zafi.d



SecurityProNews
Staff Writer
2004-12-14

McAfee AVERT has raised the risk assessment to medium on the recently discovered W32/Zafi.d@MM, also known as Zafi.d.

Zafi.d is a mass-mailing worm that constructs its own messages using a built-in SMTP engine and spoofs the From: address. It also attempts to spread over P2P networks by copying itself into shared folders on the local system.
McAfee AVERT researchers, who first saw the worm early today in Europe, have received numerous reports, mostly from Germany, Italy and Spain, where Zafi.d has been detected on or has infected both corporate and home machines. The pattern is typical of a mass mailer: direct sample submissions from customers, plus worm-generated mail arriving from infected customer machines.

When executed, Zafi.d copies itself twice into the %windir%\system32 folder. The worm, which sends itself out in Hungarian and English among other languages, creates a registry key so that the dropped files are executed every time the infected computer starts. Zafi.d also searches for the installation directories of anti-virus and personal firewall software and overwrites their executables with a copy of itself. Users should immediately delete any email with the following characteristics:

From: (spoofed). The worm searches the local hard disk for email addresses, harvesting them from files with the following extensions:

  • htm
  • wab
  • txt
  • dbx
  • tbb
  • asp
  • php
  • sht
  • adb
  • mbx
  • eml
  • pmr
  • fpt
  • inb

Harvested addresses are stored in five files in the system32 folder, using random names and the file extension .DLL.

Subject: Re: (original subject)

The message may be constructed with various subjects and message bodies.

Body:

The body of the email sent by the worm takes the form of a Christmas greeting. Like previous variants, the worm sends itself out in different languages depending on the top-level domain (TLD) of the recipient's address. For example, a user with a .COM address receives the English body, while someone with a .DE address receives the German body.

Threat Pathology

After being executed, Zafi.d copies itself twice into the %windir%\system32 folder, using a random name and a .DLL extension. The worm also copies itself into directories on the C: drive whose names contain one of the strings "share", "upload" or "music", using one of the following file names:

winamp 5.7 new!.exe
ICQ 2005a new!.exe

In an attempt to thwart manual identification and cleaning of an infected machine, the worm also attempts to terminate processes.
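The drop behaviour described above gives a responder two cheap on-disk checks: the two P2P lure file names sitting in any directory whose name contains "share", "upload" or "music", and files named *.DLL in system32 that are not real PE images (the harvested-address stores are plain text under random .DLL names, whereas every genuine DLL begins with the "MZ" header). The following Python script is an added example written for this page, not McAfee's or SecurityProNews' code; the function names, the constructed sample directory tree and the folder names in it are assumptions made here, and the non-PE check is a heuristic that will not catch the worm body itself, which is a real executable.

```python
"""Heuristic on-disk check for the Zafi.d artifacts described in the
write-up. Added example, not vendor code. The sample tree built by
build_sample_tree() is a constructed fixture, not a real infection."""
import os
import tempfile
from pathlib import Path

# Lure names from the article, compared case-insensitively.
P2P_LURE_NAMES = {"winamp 5.7 new!.exe", "icq 2005a new!.exe"}
# Directory-name substrings the worm looks for when dropping the lures.
P2P_DIR_MARKERS = ("share", "upload", "music")


def is_pe_image(path: Path) -> bool:
    """True if the file starts with the DOS 'MZ' header every PE/DLL carries."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def find_p2p_lures(root: Path) -> list:
    """Return lure files found in share/upload/music-named directories under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        # Only directory names below the scanned root are inspected, so the
        # name of the temp/root folder itself cannot trigger a match.
        parts = [p.lower() for p in Path(dirpath).relative_to(root).parts]
        if not any(m in part for part in parts for m in P2P_DIR_MARKERS):
            continue
        for name in files:
            if name.lower() in P2P_LURE_NAMES:
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def find_non_pe_dlls(system32: Path) -> list:
    """Return *.DLL files in system32 that lack the MZ header.

    A harvested-address store written under a random .DLL name is text and
    fails this check; genuine DLLs and the worm's own PE copies pass it.
    """
    hits = []
    for entry in system32.iterdir():
        if entry.is_file() and entry.suffix.lower() == ".dll" and not is_pe_image(entry):
            hits.append(entry)
    return sorted(hits)


def build_sample_tree(base: Path) -> Path:
    """Constructed fixture: one infected shared folder, one decoy folder and a
    system32 holding a PE-looking DLL plus a text file named like a DLL."""
    shared = base / "Program Files" / "SomeP2PClient" / "My Shared Folder"
    shared.mkdir(parents=True)
    (shared / "winamp 5.7 new!.exe").write_bytes(b"MZ" + b"\0" * 62)
    (shared / "holiday.mp3").write_bytes(b"ID3")
    decoy = base / "Documents" / "Photos"          # no marker string: not flagged
    decoy.mkdir(parents=True)
    (decoy / "ICQ 2005a new!.exe").write_bytes(b"MZ")
    sys32 = base / "WINDOWS" / "system32"
    sys32.mkdir(parents=True)
    (sys32 / "kernel32.dll").write_bytes(b"MZ" + b"\0" * 62)   # real-looking DLL
    (sys32 / "qwzx7k.dll").write_bytes(b"alice@example.com\nbob@example.com\n")
    return sys32


def run_demo() -> dict:
    """Build the fixture in a temp dir, scan it and return the hit names."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        sys32 = build_sample_tree(base)
        lures = find_p2p_lures(base)
        return {
            "lures": [p.name for p in lures],
            "lure_dirs": [p.parent.name for p in lures],
            "fake_dlls": [p.name for p in find_non_pe_dlls(sys32)],
        }


if __name__ == "__main__":
    for key, names in run_demo().items():
        print(f"{key}: {names}")
```

On a real machine you would point find_p2p_lures at the C: drive root and find_non_pe_dlls at %windir%\system32; treat a hit as a lead to confirm with a scanner, since a text file with a .DLL name can have benign causes and the worm's executable copies are real PE images that this heuristic deliberately does not try to identify.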



About the Author:
SecurityProNews is a daily online and email publication focusing on internet security issues.
