
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Zafi.B

Threat Level: Moderate threat
Damage: High
Distribution: Not widespread
Common name: Zafi.B
Technical name: W32/Zafi.B.worm
Threat level: Medium
Alias: I-Worm.Zafi.b, W32.Erkez.B@mm, PE_ZAFI.B
Type: Worm
Effects:  

It prevents certain antivirus programs from being run by overwriting their executable files. It stops the processes belonging to several system tools.

Affected platforms:

Windows 2003/XP/2000/NT/ME/98/95

First detected on: June 11, 2004
Detection updated on: June 28, 2004
Statistics: No
Proactive protection: Yes, using TruPrevent Technologies

Brief Description 

Zafi.B is a worm that looks for directories in which antivirus programs are installed. If it finds any, Zafi.B overwrites their executable files with copies of itself. This leaves the user unprotected against attack by other malware, and whenever users run the antivirus they are actually running Zafi.B without noticing.

In addition, Zafi.B searches for certain processes, such as the Windows Registry Editor, the Task Manager, etc. If it finds them, Zafi.B ends them.

Zafi.B spreads via e-mail in a message with variable characteristics that can be written in different languages, and through peer-to-peer (P2P) file sharing programs.
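
A defensive check for the overwriting behaviour described above, as an added example that is not part of the original encyclopedia entry: since the overwritten antivirus executables are all copies of the same worm, differently named .exe files with identical content are a triage signal. It assumes the copies are byte-identical; the folder and file names in the sample tree are constructed.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large executables are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def find_cloned_executables(root):
    """Return {sha256: [paths]} for .exe files under root that share the same
    content under different file names. Same-named identical files (ordinary
    duplicate installs) are not reported."""
    by_hash = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".exe"):
                path = os.path.join(dirpath, name)
                try:
                    by_hash[sha256_of(path)].append(path)
                except OSError:
                    continue  # locked or unreadable file: skip, keep sweeping
    return {
        h: sorted(paths)
        for h, paths in by_hash.items()
        if len({os.path.basename(p).lower() for p in paths}) > 1
    }

def build_constructed_sample(root):
    """Constructed sample tree; product and file names are hypothetical."""
    layout = {
        "ExampleAV/scanner.exe": b"MZ-constructed-identical-body",
        "ExampleAV/updater.exe": b"MZ-constructed-identical-body",
        "ExampleAV/tray.exe": b"MZ-constructed-identical-body",
        "OtherTool/tool.exe": b"MZ-constructed-unique-body",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        for digest, paths in find_cloned_executables(tmp).items():
            print(digest[:16], *paths, sep="\n  ")
```

A hit is only a lead: confirm it against the vendor's published file hashes or signatures before treating the files as overwritten.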

Visible Symptoms 

    

Zafi.B is easy to recognize once it has affected the computer, as it attempts to open any of the web sites stored in the following path of the Windows Registry every time it is executed:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs