I-Worm.Zafi.B is an internet worm written in assembly and packed with FSG. It arrives as an e-mail attachment or through shared folders.
The e-mail text comes in several languages (Hungarian, English, German, Russian, Dutch, etc.).
The e-mails appear as follows (sender name, Subject, attachment name, message text):

Sender name: Anita
Subject: Ingyen SMS!
Attachment: regiszt.php?3124freesms.index777.pif
Message text:
------------------------ hirdetés -----------------------------
A sikeres 777sms.hu és az axelero.hu támogatásával újra
indul az ingyenes sms küldő szolgáltatás! Jelenleg ugyan
korlátozott számban, napi 20 ingyen smst lehet felhasználni.
Küldj te is SMST! Nehány kattintás és a mellékelt regisztrációs
lap kitöltése után azonnal igénybevehető! Bővebb információt
a www.777sms.hu oldalon találsz, de siess, mert az első ezer
felhasználó között értékes nyereményeket sorsolunk ki!
------------------------ axelero.hu ---------------------------

Sender name: Claudia
Subject: Importante!
Attachment: link.informacion.phpV23.text.message.pif
Message text:
Informacion importante que debes conocer, -

Sender name: Katya
Subject: Katya
Attachment: view.link.index.image.phpV23.sexHdg21.pif
Message text: (garbled in the source, not recoverable)

Sender name: (not given)
Subject: E-Kort!
Attachment: link.ekort.index.phpV7ab4.kort.pif
Message text:
Mit hjerte banker for dig!

Sender name: Marica
Subject: Ecard!
Attachment: link.showcard.index.phpAv23.ritm.pif
Message text:
De cand te-am cunoscut inima mea are un nou ritm!

Sender name: Anna
Subject: E-vykort!
Attachment: link.vykort.showcard.index.phpBn23.pif
Message text:
Till min Alskade...

Sender name: Erica
Subject: E-Postkort!
Attachment: link.postkort.showcard.index.phpAe67.pif
Message text:
Vakre roser jeg sammenligner med deg...

Sender name: Katarina
Subject: E-postikorti!
Attachment: link.postikorti.showcard.index.phpGz42.pif
Message text:
Iloista kesaa!

Sender name: Magdolina
Subject: Atviruka!
Attachment: link.atviruka.showcard.index.phpGz42.pif
Message text:
Linksmo gimtadieno!

Sender name: Beate
Subject: E-Kartki!
Attachment: link.kartki.showcard.index.phpVg42.pif
Message text:
W Dniu imienin...

Sender name: (not given)
Subject: Cartoe Virtuais!
Attachment: link.cartoe.viewcard.index.phpYj39.pif
Message text:
Te amo...

Sender name: Alice
Subject: Flashcard fuer Dich!
Attachment: link.flashcard.de.viewcard34.php.2672aB.pif
Message text:
Hallo!
hat dir eine elektronische Flashcard geschickt.
Um die Flashcard ansehen zu koennen, benutze in deinem Browser
einfach den nun folgenden link:
http://flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34
Viel Spass beim Lesen wuenscht Ihnen ihr...

Sender name: (not given)
Subject: Er staat een eCard voor u klaar!
Attachment: postkaarten.nl.link.viewcard.index.phpG4a62.pif
Message text:
Hallo!
heeft u een eCard gestuurd via de website nederlandse
taal in het basisonderwijs...
U kunt de kaart ophalen door de volgende url aan te klikken of te
kopiëren in uw browser link:
http://postkaarten.nl/viewcard.show53.index=04abD1
Met vriendelijke groet,
De redactie taalsite primair onderwijs...

Sender name: Hanka
Subject: Elektronicka pohlednice!
Attachment: link.seznam.cz.pohlednice.index.php2Avf3.pif
Message text:
Ahoj!
Elektronická pohlednice ze serveru http://www.seznam.cz
-

Sender name: Claudine
Subject: E-carte!
Attachment: link.zdnet.fr.ecarte.index.php34b31.pif
Message text:
vous a envoye une E-carte à partir du site zdnet.fr
Vous la trouverez à l'adresse suivante link:
http://zdnet.fr/showcard.index.php34bs42
www.zdnet.fr, plus de 3500 cartes virtuelles, vos pages web
en 5 minutes, du dialogue en direct...

Sender name: Francesca
Subject: Ti e stata inviata una Cartolina Virtuale!
Attachment: link.cartoline.it.viewcard.index.4g345a.pif
Message text:
Ciao!
ha visitato il nostro sito, cartolina.it e ha creato una
cartolina virtuale per te! Per vederla devi fare click
sul link sottostante: http://cartolina.it/asp.viewcard=index4g345a
Attenzione, la cartolina sara visibile sui nostri server per
2 giorni e poi verra rimossa automaticamente.

Sender name: Jennifer
Subject: You`ve got 1 VoiceMessage!
Attachment: link.voicemessage.com.listen.index.php1Ab2c.pif
Message text:
Dear Customer!
You`ve got 1 VoiceMessage from voicemessage.com website!
Sender:
You can listen your Virtual VoiceMessage at the following link:
http://virt.voicemessage.com/index.listen.php2=35affv
or by clicking the attached link.
Send VoiceMessage! Try our new virtual VoiceMessage Empire!
Best regards: SNAF.Team (R).

Sender name: Anita
Subject: Tessek mosolyogni!!!
Attachment: meztelen csajok fociznak.flash.jpg.pif
Message text:
Ha ez a kép sem tud felviditani, akkor feladom!
Sok puszi:

Sender name: Anita
Subject: Soxor Csok!
Attachment: anita.image043.jpg.pif
Message text:
Szia!
Aranyos vagy, jó volt dumcsizni veled a neten!
Remélem tetszem, és szeretném ha te is küldenél képet
magadról, addig is csók:

Sender name: Jennifer
Subject: Don`t worry, be happy!
Attachment: www.ecard.com.funny.picture.index.nude.php356.pif
Message text:
Hi Honey!
I`m in hurry, but i still love ya...
(as you can see on the picture)
Bye - Bye:

Sender name: David
Subject: Check this out kid!!!
Attachment: jennifer the wild girl xxx07.jpg.pif
Message text:
Send me back bro, when you`ll be done...(if you know what i mean...)
See ya,
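A mail-gateway check for the lure format listed above, added here as an example and not part of the original description: it flags a message whose subject is one of the quoted subjects or whose attachment is a .pif carrying a decoy extension. The subject set is a sample of the list above, and the test message is constructed in the block.

```python
import email
import re
from email.message import EmailMessage

# Subjects from the template list above (a sample, not the full set)
ZAFI_SUBJECTS = {
    "Ingyen SMS!", "Importante!", "E-Kort!", "Ecard!", "E-vykort!",
    "Flashcard fuer Dich!", "Er staat een eCard voor u klaar!",
    "You`ve got 1 VoiceMessage!", "Don`t worry, be happy!",
    "Check this out kid!!!", "Tessek mosolyogni!!!", "Soxor Csok!",
}
# A .pif executable whose name carries a decoy extension or a fake
# "link ... .php..." path, e.g. "anita.image043.jpg.pif"
DECOY_PIF = re.compile(r"\.(jpg|jpeg|gif|txt|htm|html|php\w*)[^/\\]*\.pif$", re.I)


def lure_indicators(raw_message: bytes) -> list:
    """Return the reasons a message looks like a Zafi.B lure ([] if none)."""
    msg = email.message_from_bytes(raw_message)
    reasons = []
    subject = (msg["Subject"] or "").strip()
    if subject in ZAFI_SUBJECTS:
        reasons.append("known subject: " + subject)
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if name.lower().endswith(".pif"):
            reasons.append(".pif attachment: " + name)
            if DECOY_PIF.search(name):
                reasons.append("decoy double extension: " + name)
    return reasons


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed sample message for testing; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "anita@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Szia! (constructed body)")
    # Payload bytes are a placeholder, not the worm
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    for reason in lure_indicators(build_sample("Soxor Csok!", "anita.image043.jpg.pif")):
        print("FLAG:", reason)
```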
When it runs, the worm copies itself into the %System% folder as an .exe and a .dll with random names, and creates several further .dll files with random names in which it stores the e-mail addresses it has collected.
In the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
it creates the entry
_Hazafibb = %System%\<name of the created .exe file>
It also creates the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb
where it stores its own data.
It scans folders and, if a folder name contains the string "share" or "upload", copies itself there under one of the following names:
winamp 7.0 full_install.exe
Total Commander 7.0 full_install.exe
It terminates several antivirus and firewall programs (those whose binaries contain the string "firewall" or "virus") and overwrites their program files with itself.
It collects e-mail addresses from files with the extensions .htm, .wab, .txt, .dbx, .tbb, .asp, .php, .sht, .adb, .mbx, .eml and .pmr, and sends infected e-mail to them.
The worm performs a denial-of-service attack against the following websites:
www.parlament.hu
www.virusbuster.hu
www.virushirado.hu
www.2f.hu
The worm can be removed manually by deleting the created files and restoring the modified registry settings.
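A host triage script for the persistence and share-drop indicators described above, added here as an example and not part of the original description. It runs over a constructed .reg-style export and file listing; the file name kqxtz.exe stands in for the worm's random name. Each finding corresponds to a file to delete or a registry entry to restore during manual removal.

```python
import re

# Indicators named in the description above
RUN_VALUE = "_Hazafibb"
DATA_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb"
DROP_NAMES = {"winamp 7.0 full_install.exe", "total commander 7.0 full_install.exe"}
SHARE_DIR = re.compile(r"share|upload", re.I)


def check_registry_export(reg_text: str) -> list:
    """Scan a .reg-style export for the worm's Run entry and data key."""
    findings = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            if current_key.lower() == DATA_KEY.lower():
                findings.append("worm data key present: " + current_key)
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and current_key and current_key.lower().endswith(r"\currentversion\run"):
            name, value = m.groups()
            if name == RUN_VALUE:
                findings.append("Run entry %s -> %s" % (name, value))
    return findings


def check_file_listing(paths) -> list:
    """Flag the fake installer names when they sit in a 'share'/'upload' folder."""
    findings = []
    for p in paths:
        folder, _, name = p.replace("/", "\\").rpartition("\\")
        if name.lower() in DROP_NAMES and SHARE_DIR.search(folder):
            findings.append("share drop: " + p)
    return findings


# Constructed sample inputs; kqxtz.exe stands in for the random file name
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\upd.exe"
"_Hazafibb"="C:\\WINDOWS\\system32\\kqxtz.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb]
"s"=hex:01,02
"""
SAMPLE_FILES = [
    r"D:\Shared\winamp 7.0 full_install.exe",
    r"C:\Users\a\Documents\winamp 7.0 full_install.exe",  # not a share folder
    r"C:\upload\Total Commander 7.0 full_install.exe",
]

if __name__ == "__main__":
    for f in check_registry_export(SAMPLE_REG) + check_file_listing(SAMPLE_FILES):
        print("FINDING:", f)
```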