another new virus

thick

New Member
just a heads up

Zafi.B
Hungarian Politics Invade Your Computer
Severity: Medium
14 June, 2004

About the Virus
Last Friday evening a new worm called Zafi.B (technically known as W32/Zafi.b@MM, and sometimes Erkez.B) began spreading on the Internet, and has gained momentum over the weekend. According to Sophos, Zafi.B accounts for more than half of the viruses reported since Friday. Originating from Hungary, Zafi.B's code contains a political message demanding that "the government accommodates the homeless, tightens up the penal code and VOTES FOR THE DEATH PENALTY to cut down the increasing crime." (Ironic, considering that in many countries, releasing a worm is a crime.) Like many recent worms, Zafi.B spreads via spoofed email, peer-to-peer (P2P) software and Windows shared files and folders. The worm also disables anti-virus and firewall software to help it spread without detection. The Firebox's SMTP proxy blocks Zafi.B by default.

What It Does
Zafi.B is harder to spot than some worms, since it uses a range of multi-lingual subjects and message bodies. It also spoofs the email's "From" address, so it might appear to come from your friends or contacts. To decide what language to send itself in, Zafi.B scans the recipient's Top Level Domain (TLD). For example, if the recipient's email address ends in .COM, Zafi.B uses English; if the recipient's address ends in .DE, Zafi.B uses German; if the recipient's email address ends in .SE, the email is in Swedish; and so on, including Hungarian, Russian, Italian, Spanish, Finnish, and more.

Some of Zafi.B's English subject lines include:

You've got 1 VoiceMessage!
Don't worry, be happy!
Check this out kid!!!
See McAfee's alert for a list of Zafi.B's email headers.

Zafi.B also uses a randomly named attachment. However, the attachment always ends with a .EXE, .COM or .PIF file extension. The good news is that Zafi.B cannot run the malicious attachment without user interaction; it requires a gullible user to click on it in order to begin infecting its victim.

Like most worms, Zafi.B starts by copying itself to your hard drive and editing the registry so that it will continue to restart whenever you reboot. Next, the worm searches for any shared folders containing the strings "share" or "upload," placing one of the following files in those folders:

winamp 7.0 full_install.exe
Total Commander 7.0 full_install.exe
This helps the worm spread via P2P applications and Windows network shares.

Zafi.B then searches for folders containing anti-virus or firewall software and overwrites the software with a copy of itself. The worm scans for processes containing the strings "regedit", "task", or "msconfig" and terminates them. This prevents you from running utilities such as Registry Editor or Task Manager, and can make it harder to clean a Zafi.B infected computer.

Finally, Zafi.B searches files on your computer for email addresses and sends itself to any it finds, using its own SMTP engine.

Although Zafi.B doesn't seem to contain any truly dangerous payloads, it does use your computer to attempt a DoS attack against a few Hungarian sites.
 
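The advisory above says the Firebox SMTP proxy blocks Zafi.B by default; here is an added example (not from the post or the advisory) of the kind of gateway check that gives: flag any .EXE/.COM/.PIF attachment, and block outright when the subject is one of the Zafi.B English subjects quoted above. The sample messages, addresses and filenames are constructed for the example.

```python
from email.message import EmailMessage
from email import message_from_bytes
from email.policy import default

# Attachment extensions the advisory says Zafi.B always uses (compared case-insensitively).
RISKY_EXTENSIONS = (".exe", ".com", ".pif")
# English subject lines quoted in the advisory, normalised to lower case.
ZAFI_SUBJECTS = {
    "you've got 1 voicemessage!",
    "don't worry, be happy!",
    "check this out kid!!!",
}

def attachment_names(msg):
    """Return the filenames of every attachment part in a parsed message."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(name)
    return names

def classify(raw):
    """Classify a raw RFC 822 message as 'clean', 'suspicious' or 'block'."""
    msg = message_from_bytes(raw, policy=default)
    subject = str(msg.get("Subject", "")).strip().lower()
    risky = [n for n in attachment_names(msg)
             if n.lower().endswith(RISKY_EXTENSIONS)]
    if not risky:
        return "clean"
    # Executable attachment plus a known Zafi.B subject: block it at the gateway.
    if subject in ZAFI_SUBJECTS:
        return "block"
    # An executable attachment alone still deserves a policy decision (quarantine/strip).
    return "suspicious"

def build_sample(subject, filename):
    """Construct a sample message with one binary attachment (constructed test data)."""
    m = EmailMessage()
    m["From"] = "friend@example.com"   # spoofed sender, as the advisory describes
    m["To"] = "user@example.de"
    m["Subject"] = subject
    m.set_content("see attachment")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

The extension check catches the worm regardless of its randomly chosen attachment name; the subject list only sharpens the verdict for the known English variants.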
no shit. really pisses me off that a 15-year-old kid can create this shit. Don't know who started this but there have been some young kids start some nasty viruses. How do they know so much about CPUs dammit
esco said:
thanks for the heads up thick. sucks with all these damn viruses lately! :mad:
 