
Zafi.D

Threat level: High threat
Damage: Severe
Distribution: Not widespread

Effects

Zafi.D has the following effects:

  • It has backdoor characteristics: it opens port 8181 and waits for a file to be transferred through it. Zafi.D then executes this file, which is usually other malware.
  • It impedes access to applications whose names contain the text strings reged, msconfig or task.
  • It displays a fake error message on screen the first time it is run.

Infection strategy

Zafi.D creates the following files:

  • NORTON UPDATE.EXE in the Windows system directory. This file is a copy of the worm.
  • Several files with a random name and a DLL extension in the Windows system directory. These files are copies of the worm.
  • S.CM in the root directory of the C: drive. This file contains a list of programmed tasks.
  • Several files with a DLL extension, which contain the e-mail addresses that Zafi.D gathers on the affected computer.
  • Several copies of itself in all the directories whose names contain the text string share, upload or music.

Zafi.D creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Wxp4 = %sysdir%\Norton Update.exe

    where %sysdir% is the Windows system directory.
    By creating this entry, Zafi.D ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wxp4
    Zafi.D uses this entry in order to store several parameters.

Means of transmission

Zafi.D spreads via e-mail and through peer-to-peer (P2P) file sharing programs.

1.- Transmission via e-mail.

Zafi.D follows the routine below:

  • It reaches the computer in an e-mail message with variable characteristics.
    That message can be written in different languages, depending on the recipient's domain. For those domains that are not included in the list below, the message will be written in English.
    These e-mail messages pass themselves off as Christmas greetings.

    Note: any of the following subjects could be preceded by the text strings Re: or Fw:, or the subject could even be empty.

    Hungary (.hu):
    Sender:
    T. Maria
    Subject:
    boldog karacsony...
    Message:
    Kellemes Ünnepeket!

    Spain (.es) and Mexico (.mx):
    Sender:
    N. Fernandez
    Subject:
    Feliz Navidad!
    Message:
    Feliz Navidad!
    Attachments:
    The name of the attached file contains the text string NAVIDAD.

    Denmark (.dk):
    Sender:
    V. Jensen
    Subject:
    Christmas Kort!
    Message:
    Glaedelig Jul!
    Attachments:
    The name of the attached file contains the text string EKORT.

    Sweden (.se):
    Sender:
    J. Anderson
    Subject:
    Christmas Vykort!
    Message:
    God Jul!
    Attachments:
    The name of the attached file contains the text string VYKORT.

    Norway (.no):
    Sender:
    M. Emma
    Subject:
    Christmas Postkort!
    Message:
    God Jul!
    Attachments:
    The name of the attached file contains the text string POSTKORT.

    Finland (.fi):
    Sender:
    M. Virtanen
    Subject:
    Christmas postikorti!
    Message:
    Iloista Joulua!
    Attachments:
    The name of the attached file contains the text string POSTIKORTI.

    Lithuania (.lt):
    Sender:
    C. Lina
    Subject:
    Christmas Atviruka!
    Message:
    Naujielji Metai!
    Attachments:
    The name of the attached file contains the text string ATVIRUKA.

    Poland (.pl):
    Sender:
    S. Ewa
    Subject:
    Christmas - Kartki!
    Message:
    Wesolych Swiat!
    Attachments:
    The name of the attached file contains the text string KARTKI.

    Germany (.de) and Austria (.at):
    Sender:
    H. Irene
    Subject:
    Weihnachten card
    Message:
    Fröhliche Weihnachten!
    Attachments:
    The name of the attached file contains the text string WEIHNACHTEN.

    Netherlands (.nl):
    Sender:
    R. Cornel
    Subject:
    Prettige Kerstdagen!
    Message:
    Prettige Kerstdagen!
    Attachments:
    The name of the attached file contains the text string KERTSDAGEN.

    Czech Republic (.cz):
    Sender:
    V. Dusan
    Subject:
    Christmas pohlednice
    Message:
    Veselé Vánoce!
    Attachments:
    The name of the attached file contains the text string POHLEDNICE.

    France (.fr):
    Sender:
    J. Martin
    Subject:
    Joyeux Noel!
    Message:
    Joyeux Noel!
    Attachments:
    The name of the attached file contains the text string ECARTE.

    Italy (.it):
    Sender:
    T. Antonio
    Subject:
    Buon Natale!
    Message:
    Buon Natale!
    Attachments:
    The name of the attached file contains the text string CARTOLINE.

    Romania (.ru):
    Sender:
    V. Tatyana
    Attachments:
    The name of the attached file contains the text string CARD.

    For any domains not included in the previous list, the e-mail message has the following characteristics:
    Sender:
    Pamela M
    Subject:
    Merry Christmas!
    Message:
    Happy Holiday!
    Attachments:
    The name of the attached file contains the text string POSTCARD.

    The attached file will always have one of the following extensions: BAT, CMD, COM, PIF or ZIP.
  • The computer will be affected when the attached file is run.
  • Zafi.D looks for e-mail addresses in files with the following extensions: ADB, ASP, DBX, EML, FPT, HTM, INB, MBX, PHP, PMR, SHT, TBB, TXT and WAB.
  • Zafi.D sends a copy of itself out to all the addresses gathered, using its own SMTP engine. However, it does not send itself out to those addresses containing any of the following text strings:
    admi, cafee, google, help, hotm, info, kasper, micro, msn, panda, secur, sopho, suppor, syman, trend, use, viru, webm, win and yaho.
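As an added example, not part of the Panda description, the lure pattern above expressed as mail-gateway detection logic in Python. It strips the Re:/Fw: prefixes the page says may precede a subject, compares the subject with the subjects listed for each domain, and treats an attachment whose name contains one of the listed text strings and carries a BAT, CMD, COM, PIF or ZIP extension as decisive; a seasonal subject alone only marks the message for review, and because the page says the subject may be empty, the subject check is never used to clear a message. The sample messages are constructed; the Hungarian (.hu) lure lists no attachment string on the page, so it can only be matched by subject.

```python
import re
from dataclasses import dataclass

# Attachment name fragments listed on the page for each recipient domain
# (the .hu entry lists none, so it is not represented here).
ATTACHMENT_KEYWORDS = (
    "NAVIDAD", "EKORT", "VYKORT", "POSTKORT", "POSTIKORTI", "ATVIRUKA", "KARTKI",
    "WEIHNACHTEN", "KERTSDAGEN", "POHLEDNICE", "ECARTE", "CARTOLINE", "CARD", "POSTCARD",
)
# Subjects listed on the page, before any Re:/Fw: prefix.
KNOWN_SUBJECTS = (
    "boldog karacsony...", "Feliz Navidad!", "Christmas Kort!", "Christmas Vykort!",
    "Christmas Postkort!", "Christmas postikorti!", "Christmas Atviruka!",
    "Christmas - Kartki!", "Weihnachten card", "Prettige Kerstdagen!",
    "Christmas pohlednice", "Joyeux Noel!", "Buon Natale!", "Merry Christmas!",
)
# Extensions the page says the attachment always has.
EXECUTABLE_EXTENSIONS = {"bat", "cmd", "com", "pif", "zip"}
# One or more leading "Re:" / "Fw:" / "Fwd:" tokens, with optional spaces.
PREFIX_RE = re.compile(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


@dataclass
class Message:
    sender: str
    subject: str
    attachments: list  # attachment file names


def normalize_subject(subject: str) -> str:
    """Strip Re:/Fw: prefixes and case so the subject can be compared with the list."""
    return PREFIX_RE.sub("", subject).strip().casefold()


def attachment_indicator(filename: str):
    """Return (keyword, extension) when the name fits the worm's naming, else None."""
    stem, _, ext = filename.rpartition(".")
    if not stem or ext.casefold() not in EXECUTABLE_EXTENSIONS:
        return None
    stem_upper = stem.upper()
    # Longest keyword first, so POSTCARD is reported rather than its substring CARD.
    for keyword in sorted(ATTACHMENT_KEYWORDS, key=len, reverse=True):
        if keyword in stem_upper:
            return keyword, ext.casefold()
    return None


def classify(msg: Message) -> dict:
    """Score one message against the Zafi.D lure pattern; returns verdict and reasons."""
    reasons = []
    known = {s.casefold() for s in KNOWN_SUBJECTS}
    if normalize_subject(msg.subject) in known:
        reasons.append("subject matches a Zafi.D lure subject")
    attachment_hit = False
    for name in msg.attachments:
        hit = attachment_indicator(name)
        if hit:
            attachment_hit = True
            reasons.append(f"attachment '{name}' contains {hit[0]} with .{hit[1]} extension")
    # Only the attachment pattern is decisive; a seasonal subject on its own is common.
    verdict = "block" if attachment_hit else ("review" if reasons else "clean")
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample messages (not captured traffic).
SAMPLE_MESSAGES = [
    Message("Pamela M", "Merry Christmas!", ["postcard.zip"]),
    Message("V. Jensen", "Re:Fw: Christmas Kort!", ["ekort_2004.pif"]),
    Message("T. Antonio", "Buon Natale!", ["cartoline.pdf"]),
    Message("accounting", "Q4 report", ["report.pdf"]),
]


def scan(messages) -> list:
    """Verdict per message, in input order."""
    return [classify(m)["verdict"] for m in messages]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(f"{m.subject!r}: {classify(m)}")
```

The keyword list is deliberately checked against every message rather than only the recipient's domain, since the page's domain mapping describes what the worm sends, not what a gateway is allowed to see; this catches a Danish lure arriving at a .com mailbox at the cost of a few more review-level hits.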


2.- Transmission through P2P file sharing programs.

Zafi.D carries out the routine below:

  • It creates copies of itself in those directories whose full path contains any of the following text strings: share, upload and music.
    By doing so, Zafi.D attempts to make copies of itself in the shared directories of the file sharing programs.
  • It makes copies of itself with the file names:
    ICQ 2005a new!.exe
    winamp 5.7 new!.exe

  • Other users of these programs can remotely access these shared directories and download these files to their computers, thinking that they are useful programs. However, what they actually download is a copy of Zafi.D.
  • When the downloaded file is run, these computers will become affected by Zafi.D.
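An added example, not from the Panda page, that turns the host indicators from the "Infection strategy" section (the Wxp4 Run value, the Wxp4 parameter key, NORTON UPDATE.EXE, S.CM and the random-named DLL copies), the P2P decoy names from the section just above, and the port 8181 listener from "Effects" into a Python check over a constructed host snapshot. %sysdir% is assumed to be C:\WINDOWS\system32, and flagging a system-directory DLL only because it is 11,745 bytes (the size given under "Further Details") is a heuristic added here; on a real host the snapshot would be filled from the registry, the file system and netstat output.

```python
import ntpath
import re
from dataclasses import dataclass

# Indicator values taken from the Zafi.D description.
SYSDIR = r"C:\WINDOWS\system32"        # assumed value of %sysdir% for the sample
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "wxp4"
DROPPED_EXE = "norton update.exe"
PARAM_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wxp4"
TASK_LIST_FILE = r"C:\S.CM"
P2P_DIR_MARKERS = ("share", "upload", "music")
P2P_DECOY_NAMES = ("icq 2005a new!.exe", "winamp 5.7 new!.exe")
WORM_SIZE = 11745          # bytes, FSG-packed, from "Further Details"
BACKDOOR_PORT = 8181


@dataclass
class HostSnapshot:
    run_values: dict        # value name -> data, under RUN_KEY
    registry_keys: set      # full HKLM key paths present
    files: dict             # full path -> size in bytes
    netstat_lines: list     # raw lines in 'netstat -ano' format


def check_registry(snap: HostSnapshot) -> list:
    """Autorun value and parameter key the worm creates."""
    findings = []
    for name, data in snap.run_values.items():
        if name.casefold() == RUN_VALUE_NAME and ntpath.basename(data).casefold() == DROPPED_EXE:
            findings.append(f"autorun: {RUN_KEY}\\{name} = {data}")
    if any(key.casefold() == PARAM_KEY.casefold() for key in snap.registry_keys):
        findings.append(f"parameter key present: {PARAM_KEY}")
    return findings


def check_files(snap: HostSnapshot) -> list:
    """Dropped copies in the system directory, the task list file and P2P decoys."""
    findings = []
    sysdir = SYSDIR.casefold()
    for path, size in snap.files.items():
        folder, name = ntpath.split(path)
        folder, name = folder.casefold(), name.casefold()
        if folder == sysdir and name == DROPPED_EXE:
            findings.append(f"dropped worm copy: {path}")
        elif folder == sysdir and name.endswith(".dll") and size == WORM_SIZE:
            # Random-named DLL copies share the worm's size; size alone is a heuristic.
            findings.append(f"DLL of worm size in system directory: {path}")
        elif path.casefold() == TASK_LIST_FILE.casefold():
            findings.append(f"task list file: {path}")
        elif name in P2P_DECOY_NAMES and any(m in folder for m in P2P_DIR_MARKERS):
            findings.append(f"P2P decoy copy: {path}")
    return findings


# 'netstat -ano' line: proto, local addr:port, foreign addr, state, PID.
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)", re.IGNORECASE)


def check_network(snap: HostSnapshot) -> list:
    """Listening socket on the backdoor port."""
    findings = []
    for line in snap.netstat_lines:
        m = NETSTAT_RE.match(line)
        if m and int(m.group(1)) == BACKDOOR_PORT:
            findings.append(f"backdoor port {BACKDOOR_PORT} listening, PID {m.group(2)}")
    return findings


def scan(snap: HostSnapshot) -> list:
    return check_registry(snap) + check_files(snap) + check_network(snap)


# Constructed snapshots (not real telemetry): one infected host, one clean host.
INFECTED = HostSnapshot(
    run_values={"Wxp4": SYSDIR + r"\Norton Update.exe", "ctfmon.exe": SYSDIR + r"\ctfmon.exe"},
    registry_keys={PARAM_KEY, r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"},
    files={
        SYSDIR + r"\Norton Update.exe": WORM_SIZE,
        SYSDIR + r"\kdjfh.dll": WORM_SIZE,
        SYSDIR + r"\kernel32.dll": 989696,
        r"C:\S.CM": 512,
        r"C:\Program Files\KaZaA\My Shared Folder\winamp 5.7 new!.exe": WORM_SIZE,
    },
    netstat_lines=[
        "  TCP    0.0.0.0:135     0.0.0.0:0     LISTENING   884",
        "  TCP    0.0.0.0:8181    0.0.0.0:0     LISTENING   1620",
    ],
)
CLEAN = HostSnapshot(
    run_values={"ctfmon.exe": SYSDIR + r"\ctfmon.exe"},
    registry_keys={r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"},
    files={SYSDIR + r"\kernel32.dll": 989696},
    netstat_lines=["  TCP    0.0.0.0:135     0.0.0.0:0     LISTENING   884"],
)

if __name__ == "__main__":
    for finding in scan(INFECTED):
        print(finding)
```

The registry and network checks are the reliable ones: the Run value name Wxp4 and a listener on 8181 are specific to this worm, whereas the size-based DLL check and the P2P decoy names should be treated as supporting evidence and confirmed by hashing the file.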

Further Details

Zafi.D is 11,745 bytes in size, and it is compressed with FSG.

Last updated: 19/06/2009
