Welcome to the Virus Encyclopedia of Panda Security.
|Alias:||I-Worm.Zafi.b, W32.Erkez.B@mm, PE_ZAFI.B|
|Effects:||It prevents certain antivirus programs from being run by overwriting their executable files. It stops the processes belonging to several system tools.|
|First detected on:||June 11, 2004|
|Detection updated on:||June 28, 2004|
|Yes, using TruPrevent Technologies
Zafi.B is a worm that looks for directories in which antivirus programs are installed. If it finds any, Zafi.B overwrites their executable files with copies of itself. This leaves the user unprotected against other malware, and whenever users run the antivirus they are actually running Zafi.B without noticing.
In addition, Zafi.B searches for certain processes, such as the Windows Registry Editor, the Task Manager, etc. If it finds them, Zafi.B terminates them.
Zafi.B spreads via e-mail in a message with variable characteristics that can be written in different languages, and through peer-to-peer (P2P) file sharing programs.
Zafi.B is easy to recognize once it has affected the computer, as it attempts to open any of the web sites stored in the following path of the Windows Registry every time it is executed:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
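
A triage check for the overwriting behaviour described above, as an added example that is not part of the original entry: it flags differently named executables that are byte-for-byte identical, which is what remains when several programs have been overwritten with copies of one file. The extension list and function names are assumptions, and a match only marks files for review.

```python
import hashlib
import os
from collections import defaultdict

EXE_SUFFIXES = (".exe", ".com", ".scr")  # assumption: extensions worth checking


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_cloned_executables(root, min_copies=2):
    """Return {sha256: [paths]} for executables under root that are
    byte-identical but carry different file names."""
    by_hash = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) == 0:
                    continue  # empty files all hash alike; not a signal
                by_hash[sha256_of(path)].append(path)
            except OSError:
                continue  # locked or unreadable file: skip it
    suspicious = {}
    for digest, paths in by_hash.items():
        names = {os.path.basename(p).lower() for p in paths}
        # One file name repeated in several folders is usually a shared
        # redistributable; different names sharing one body is what an
        # overwrite-with-self leaves behind.
        if len(paths) >= min_copies and len(names) >= 2:
            suspicious[digest] = sorted(paths)
    return suspicious


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for digest, paths in find_cloned_executables(root).items():
        print(digest)
        for p in paths:
            print("   ", p)
```

Run it against the folder that holds the installed security products; any group it prints should be compared with the vendor's original files.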