W32/Zafi-D is a mass mailing worm and P2P worm.
W32/Zafi-D copies itself to the Windows system folder with the filename
Norton Update.exe and creates the following entry in the registry so as to run
itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Wxp4
W32/Zafi-D creates a number of files in the Windows system folder with
filenames consisting of 8 random characters and a DLL extension. Some of these
are exact or zipped copies of the worm, detected as W32/Zafi-D, while others
are log files created by the worm.
W32/Zafi-D attempts to terminate processes related to files found in folders
whose names contain the following strings:
syman, viru, trend, secur, panda, cafee, sopho, kasper
W32/Zafi-D attempts to open files containing the following strings and keep
them open so as to make them inaccessible to the user:
reged, msconfig, task
W32/Zafi-D copies itself to folders containing one of the following strings:
share, upload, music
W32/Zafi-D copies itself to these folders with one of the following filenames:
ICQ 2005a new!.exe
winamp 5.7 new!.exe
W32/Zafi-D harvests email addresses from the Windows Address Book and from
files it finds with the following extensions:
HTM, WAB, TXT, DBX, TBB, ASP, PHP, SHT, ADB, MBX, EML, PMR, FPT, INB
W32/Zafi-D may copy the file from which it is harvesting addresses to C:\S.CM.
W32/Zafi-D does not harvest addresses that contain the following words:
yaho, google, win, use, info, help, admi, webm, micro, msn, hotm, suppor,
syman, viru, trend, secur, panda, cafee, sopho, kasper
W32/Zafi-D does not harvest addresses that contain 16 or more digits.
W32/Zafi-D may generate random addresses using harvested domain names.
W32/Zafi-D produces emails with the following characteristics, depending on the
nationality of the recipient, which it infers from the region-specific
top-level domain of the address (e.g. cz, de, fr, it, hu, nl, etc.):
From line: this is either a name gathered from the host email setup or one of
the following:
Pamela M.
T. Antonio
J. Martin
V. Dusan
R. Cornel
H. Irene
S. Ewa
C. Lina
M. Virtanen
M. Emma
J. Andersson
V. Jensen
V. Tatyana
N. Fernandez
T. Maria
Subject line: This can start with "Re:", "Fw:" or nothing, followed by one of
the following:
Merry Christmas!
Buon Natale!
Joyeux Noel!
Christmas pohlednice
Prettige Kerstdagen!
Weihnachen card.
Christmas - Kertki!
Christmas - Atviruka!
Christmas postikorti!
Christmas Postkort!
Christmas Vykort!
Christmas Kort!
ecard.ru
Feliz Navidad!
boldog karacsony...
Message text: This is in plain text and HTML format. Both consist of either
two words or spaces, followed by a smiley and the sender name from the From
line. In the HTML version the words or spaces are separated by "...." strings
and a lewd animated GIF file called B.GIF showing two smileys, and the line
starts and ends with asterisks. The HTML text ends with a string containing a
domain name followed by the text "Picture Size: 11 KB, Mail +OK". The words
used in the text are taken from the following list, or use non-Roman
characters:
Happy Hollydays!
Buon Natale!
Joyeux Noel!
Prettige Kerstdagen!
Frohliche Wiehnachten!
Wesolych Swiat!
Naujieji Metai!
Iloista Joulua!
God Jul!
Glaedelig Jul!
Feliz Navidad
Kellemes Unnepeket!
e.g. the HTML body could be in the following form:
* Frohliche ... <animated gif> ... Weihnachten! *
:) H. Irene
http://<server name>/<attachment name> - Picture Size: 11 KB, Mail +OK
Attachment name: This starts with "link." or nothing, followed by one name from
the following list:
postcard.
cartoline.
ecarte.
phlednice.
kerstdagen.
weihnachten.
kartki.
atviruka.
postikorti.
postkort.
vykort.
ekort.
card.
navidad.
karacsony.
This is then followed by "christmas." or nothing, then by "index." or nothing.
The attachment then has one of the following fake extensions followed by 4
random digits:
.php
.htm
.jpg
.gif
The attachment has one of the following actual extensions:
.cmd
.bat
.pif
.com
.zip
e.g. the attachment could be named link.cartoline.christmas.index.php1234.cmd,
cartoline.php1234.cmd, etc.
If the attachment is a zip file then the worm inside it has a filename of one
of the following:
postcard.
wishcard.
xmascard.
giftcard.
This is followed by either "id" or "php", four random digits and one of the
following extensions:
.cmd
.bat
.pif
.com
e.g. the attachment inside a zip could be named giftcard.id9876.pif
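The attachment naming scheme above is regular enough to match mechanically. The following is an added example (not the vendor's detection code) of a mail-gateway style filename check built only from the lists given here: it recognises both the outer attachment name (optional "link.", a name from the list, optional "christmas." and "index.", a fake extension plus four digits, then the real executable or zip extension) and the name of the worm inside a zip. The function name classify_attachment and the sample filenames are constructed for this example.

```python
import re
from typing import Optional

# Word lists transcribed from the description above.
NAMES = ["postcard", "cartoline", "ecarte", "phlednice", "kerstdagen",
         "weihnachten", "kartki", "atviruka", "postikorti", "postkort",
         "vykort", "ekort", "card", "navidad", "karacsony"]
FAKE_EXTS = ["php", "htm", "jpg", "gif"]        # decoy extension, then 4 digits
REAL_EXTS = ["cmd", "bat", "pif", "com", "zip"]  # extension Windows actually honours
ZIP_INNER_NAMES = ["postcard", "wishcard", "xmascard", "giftcard"]
ZIP_INNER_EXTS = ["cmd", "bat", "pif", "com"]

# Outer attachment: [link.]<name>.[christmas.][index.]<fake><4 digits>.<real>
OUTER_RE = re.compile(
    r"^(?:link\.)?(?P<name>" + "|".join(NAMES) + r")\."
    r"(?:christmas\.)?(?:index\.)?"
    r"(?P<fake>" + "|".join(FAKE_EXTS) + r")(?P<digits>\d{4})"
    r"\.(?P<real>" + "|".join(REAL_EXTS) + r")$",
    re.IGNORECASE,
)

# File inside the zip: <name>.(id|php)<4 digits>.<ext>
INNER_RE = re.compile(
    r"^(?P<name>" + "|".join(ZIP_INNER_NAMES) + r")\."
    r"(?:id|php)(?P<digits>\d{4})"
    r"\.(?P<ext>" + "|".join(ZIP_INNER_EXTS) + r")$",
    re.IGNORECASE,
)


def classify_attachment(filename: str) -> Optional[str]:
    """Return 'zafi-d-outer', 'zafi-d-zip-inner', or None if no match.

    Matching is anchored at both ends, so a genuine 'postcard.jpg' or a name
    with the wrong number of digits does not trigger.
    """
    if OUTER_RE.match(filename):
        return "zafi-d-outer"
    if INNER_RE.match(filename):
        return "zafi-d-zip-inner"
    return None


if __name__ == "__main__":
    # Constructed sample names, including the two examples from the text.
    for name in ["link.cartoline.christmas.index.php1234.cmd",
                 "cartoline.php1234.cmd", "giftcard.id9876.pif",
                 "postcard.jpg", "kerstdagen.php12345.bat"]:
        print(f"{name}: {classify_attachment(name)}")
```

Because the decoy extension is always followed by exactly four digits and then the real extension, checking the true last extension is what matters; the fake one is only there to mislead a reader of the filename.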
W32/Zafi-D creates entries in the registry, some related to files it drops and
some related to system information. The entries are all at
HKLM\Software\Microsoft\Wxp4\
with some of the following values:
t1, t2, t3, t4, t5, t6, t7, t8, t9, tA, tB, tC, tD, tE, tZ, rB, rC,
mA, mB, mC, ... , mX, mY, mZ
lA, lB, lC, ... , lX, lY, lZ
W32/Zafi-D also contains backdoor Trojan functionality, listening on port 8181
to receive and execute a file called A.EXE.
W32/Zafi-D displays a fake error message box with the caption "CRC: 04F6Bh"
and the text "Error in packed file!".