W32/Zafi-B

Category: Viruses and Spyware
Protection available since: 28 Apr 2006 00:00:00 (GMT)
Type: Win32 worm
Last updated: 28 Apr 2006 00:00:00 (GMT)
Prevalence:


W32/Zafi-B is a peer-to-peer (P2P) and email worm that will copy itself to the Windows system folder as a randomly named EXE file and set the following registry entry to ensure that it will be run on system restart.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
_Hazafibb= <Windows system folder>\<filename.exe>

The following registry branch will also be created:

HKLM\Software\Microsoft\_Hazafibb\

This registry branch will have value names consisting of two alphanumeric characters.

This worm will test for the presence of an internet connection by attempting to connect to www.google.com or www.microsoft.com.

W32/Zafi-B collects email addresses from files which have the following extensions:

HTM, WAB, TXT, DBX, TBB, ASP, PHP, SHT, ADB, MBX, EML and PMR.

The worm stores the collected email addresses in randomly named files with a DLL extension in the Windows system folder.

W32/Zafi-B attempts to include itself as an attachment in email messages sent to addresses collected from the local machine. The worm will also copy itself into shared P2P folders as either 'WINAMP 7.0 FULL_INSTALL.EXE' or 'TOTAL COMMANDER 7.0 FULL_INSTALL.EXE'.

W32/Zafi-B may display a message box on screen containing the following Hungarian text:

A hajlektalanok elhelyezeset, a bunteto torvenyek szigoritasat, es a HALALBUNTETES MEGSZAVAZASAT koveteljuk a kormanytol, a novekvo bunozes ellen! 2004, jun, Pecs,(SNAF Team).

The English translation is:

We demand that the government accommodates the homeless,
tightens up the penal code and VOTES FOR THE DEATH PENALTY
to cut down the increasing crime. Jun. 2004, Pécs (SNAF Team)

Below are examples of the emails sent by W32/Zafi-B.

Subject: Ingyen SMS!
Message:
------------------------ hirdet=E9s -----------------------------
A sikeres 777sms.hu =E9s az axelero.hu t=E1mogat=E1s=E1val =FAjra
indul az ingyenes sms k=FCld=F5 szolg=E1ltat=E1s! Jelenleg ugyan
korl=E1tozott sz=E1mban, napi 20 ingyen smst lehet felhaszn=E1lni.
K=FCldj te is SMST! Neh=E1ny kattint=E1s =E9s a mell=E9kelt regisztr=E1ci=F3s lap kit=F6lt=E9se ut=E1n azonnal ig=E9nybevehet=F5! B=F5vebb inform=E1ci=F3t a www.777sms.hu oldalon tal=E1lsz, de siess,
mert az els=F5 ezer felhaszn=E1l=F3 k=F6z=F6tt =E9rt=E9kes nyerem=E9nyeket sorsolunk ki!
------------------------ axelero.hu ---------------------------

Subject: Importante!
Message: Informacion importante que debes conocer, -

Subject: E-Kort!
Message: Mit hjerte banker for dig!

Subject: Ecard!
Message: De cand te-am cunoscut inima mea are un nou ritm!

Subject: E-vykort!
Message: Till min Alskade...

Subject: E-Postkort!
Message: Vakre roser jeg sammenligner med deg...

Subject: E-postikorti!
Message: Iloista kesaa!

Subject: Atviruka!
Message: Linksmo gimtadieno!

Subject: E-Kartki!
Message: W Dniu imienin...

Subject: Cartoe Virtuais!
Message: Te amo...

Subject: Flashcard fuer Dich!
Message: Hallo!
hat dir eine elektronische Flashcard geschickt.
Um die Flashcard ansehen zu koennen, benutze in deinem Browser
einfach den nun folgenden link:
http://flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34
Viel Spass beim Lesen wuenscht Ihnen ihr...

Subject: Er staat een eCard voor u klaar!
Message: Hallo!
heeft u een eCard gestuurd via de website nederlandse
taal in het basisonderwijs...
U kunt de kaart ophalen door de volgende url aan te klikken of te
kopiren in uw browser link:
http://postkaarten.nl/viewcard.show53.index=04abD1
Met vriendelijke groet,
De redactie taalsite primair onderwijs...
Hanka

Subject: Elektronicka pohlednice!
Message: Ahoj!
Elektronick pohlednice ze serveru http://www.seznam.cz

Subject: E-carte!
Message: vous a envoye une E-carte partir du site zdnet.fr
Vous la trouverez, l'adresse suivante link:
http://zdnet.fr/showcard.index.php34bs42
www.zdnet.fr, plus de 3500 cartes virtuelles, vos pages web
en 5 minutes, du dialogue en direct...

Subject: Ti e stata inviata una Cartolina Virtuale!
Message: Ciao!
ha visitato il nostro sito, cartolina.it e ha creato una
cartolina virtuale per te! Per vederla devi fare click
sul link sottostante: http://cartolina.it/asp.viewcard=index4g345a
Attenzione, la cartolina sara visibile sui nostri server per
2 giorni e poi verra rimossa automaticamente.

Subject: You`ve got 1 VoiceMessage!
Message: Dear Customer!
You`ve got 1 VoiceMessage from voicemessage.com website!
Sender:
You can listen your Virtual VoiceMessage at the following link:
http://virt.voicemessage.com/index.listen.php2=35affv
or by clicking the attached link.
Send VoiceMessage! Try our new virtual VoiceMessage Empire!
Best regards: SNAF.Team (R).

Subject: Tessek mosolyogni!!!
Message: Ha ez a k=E9p sem tud felviditani, akkor feladom!
Sok puszi:

Subject: Soxor Csok!
Szia!
Aranyos vagy, j=F3 volt dumcsizni veled a neten!
Rem=E9lem tetszem, =E9s szeretn=E9m ha te is k=FClden=E9l k=E9pet
magadr=F3l, addig is cs=F3k:

Subject: Don`t worry, be happy!
Message: Hi Honey!
I`m in hurry, but i still love ya...
(as you can see on the picture)
Bye - Bye:

Subject: Check this out kid!!!
Message: Send me back bro, when you`ll be done...(if you know what i mean...)
See ya,
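A mail-gateway check for the lure pattern this entry describes (one of the subject lines listed above combined with an executable attachment), written here as an added example rather than code from Sophos or from the worm. The subject list is taken from the samples above; the executable-extension pattern and the sample message builder are assumptions, and the attachment bytes are a placeholder, not a real payload.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Subject lines of the Zafi-B lures listed on this page, normalised to lower case.
ZAFI_B_SUBJECTS = {
    "ingyen sms!", "importante!", "e-kort!", "ecard!", "e-vykort!", "e-postkort!",
    "e-postikorti!", "atviruka!", "e-kartki!", "cartoe virtuais!", "flashcard fuer dich!",
    "er staat een ecard voor u klaar!", "elektronicka pohlednice!", "e-carte!",
    "ti e stata inviata una cartolina virtuale!", "you`ve got 1 voicemessage!",
    "tessek mosolyogni!!!", "soxor csok!", "don`t worry, be happy!", "check this out kid!!!",
}
# Attachment names Windows will execute on double-click (assumed policy list, not from the page).
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd)$", re.IGNORECASE)


def classify(raw: bytes) -> dict:
    """Classify one raw RFC 822 message as 'block', 'quarantine' or 'pass'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    exec_attachments = [
        part.get_filename() for part in msg.iter_attachments()
        if part.get_filename() and EXEC_EXT.search(part.get_filename())
    ]
    known_subject = subject in ZAFI_B_SUBJECTS
    if known_subject and exec_attachments:
        verdict = "block"          # known lure subject carrying an executable: high confidence
    elif exec_attachments:
        verdict = "quarantine"     # unknown subject, but the same delivery mechanism
    else:
        verdict = "pass"
    return {"subject": subject, "known_subject": known_subject,
            "executable_attachments": exec_attachments, "verdict": verdict}


def build_sample(subject, body, attachment_name=None) -> bytes:
    """Build a constructed test message (not a captured Zafi-B email)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        # Placeholder bytes standing in for the worm's EXE attachment; no real payload.
        m.add_attachment(b"MZ\x90\x00placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()
```

The "quarantine" branch catches the same worm when it is sent with a subject not on the list; the P2P copies ('WINAMP 7.0 FULL_INSTALL.EXE', 'TOTAL COMMANDER 7.0 FULL_INSTALL.EXE') never pass through mail, so they need a separate file-share check.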
