Summary

| | |
|---|---|
| Included in our products from | June 2004 (3.82) |
| Protection available since | 19 April 2004 15:02:19 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
<random string> = C:\<Windows System32>\<filename.exe>
and delete it if it exists.
Close the registry editor.
More Information
W32/Zafi-A is a worm that copies itself to the Windows System or System32 folder as a randomly named DLL and a randomly named EXE file, and sets the following registry entry to ensure that it will be run on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
<random string> = C:\<Windows System32>\<filename.exe>
The following registry entry will also be created:
HKLM\Software\Microsoft\Hazafi\
This registry entry will have a value name beginning with an uppercase 'R' followed by a number.
Other information stored in the registry at this location includes the name of the infected system and the default email address of the user.
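The registry indicators above can be checked offline against a registry export such as the backup made in the removal steps. The following is an added example, not Sophos code: it assumes the export has already been decoded to text and that the Windows folder is named WINDOWS or WINNT, and the function names and sample export are constructed for illustration.

```python
import re

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
HAZAFI_KEY = r"hkey_local_machine\software\microsoft\hazafi"
# Assumption: the Windows folder is named WINDOWS or WINNT on any drive.
SYSTEM_EXE = re.compile(r"^[a-z]:\\(windows|winnt)\\system(32)?\\[^\\]+\.exe$", re.I)
HAZAFI_VALUE = re.compile(r"R\d")  # uppercase 'R' followed by a number
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # undo .reg escaping of \ and "

def parse_reg(text):
    """Yield (key, None, None) per key and (key, name, data) per named value."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and (m := VALUE_LINE.match(line)):
            name, data = unescape(m.group(1)), m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = unescape(data[1:-1])  # string value; other types stay raw
            yield key, name, data

def zafi_indicators(reg_text):
    """Return (kind, where, detail) tuples for the indicators described above."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        k = key.lower()
        if k == HAZAFI_KEY:
            if name is None:
                findings.append(("hazafi-key", key, ""))
            elif HAZAFI_VALUE.match(name):
                findings.append(("hazafi-value", key, name))
        elif k == RUN_KEY and name and SYSTEM_EXE.match(data.strip('"')):
            # Legitimate software also starts from here: review, don't auto-delete.
            findings.append(("run-review", name, data))
    return findings

# Constructed sample export (all names are made up for illustration).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Hazafi]
"R1"="constructed-value"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qwkzpxvt"="C:\\WINDOWS\\System32\\hjdsqlmr.exe"
"VendorTray"="\"C:\\Program Files\\Vendor\\tray.exe\" /min"
'''
```

Because the worm's Run value and file names are random, a `run-review` finding only marks a candidate for manual inspection; the Hazafi key is the more specific indicator.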
This worm will test for the presence of an Internet connection by attempting to connect to Google.com. It will also record the URL of every website visited by the user in keys within the following registry branch:
HKCU\Software\Microsoft\Internet Explorer\TypedURLs\
W32/Zafi-A will also create other randomly named DLL files in the Windows System or System32 folder. This worm will glean email addresses from files which have the following extensions and save them into the randomly named DLL files: HTM, WAB, TXT, DBX, TBB, ASP, PHP, SHT, ADB, MBX, EML and PMR.
W32/Zafi-A attempts to include itself as an attachment in email messages sent to addresses in Hungary. The sender is either the user's default email address or kepeslapok@meglep.hu.
The subject of these emails is:
'kepeslap erkezett!'
The body text is in Hungarian and states that the recipient has received an ecard. The attachment may be named:
'link.matav.hu.viewcard.index42ADR4502HHJeTYWYJDF334GSDEv25546.com'.
This worm will try to terminate several anti-virus and security related applications including:
'zonalarm.exe'
'vbsntw.exe'
'vbcons.exe'
'pccguide.exe'
'outpost.exe'
'regedit.exe'
'regedit32.exe'
'navapw32.exe'
'pcciomon.exe'
'navdx.exe'
'navstub.exe'
'navw32.exe'
'ndd32.exe'
'netmon.exe'
'netarmor.exe'
'netinfo.exe'
'nmain.exe'
'nprotect.exe'
'ntvdm.exe'
'ostronet.exe'
'vsmain.exe'
'vsmon.exe'
'vsstat.exe'
'vbust.exe'
'mcagent.exe'
'fsav32.exe'
'fssm32.exe'
'fsm32.exe'
'fsbwsys.exe'
'fsgk32.exe'
'dfw.exe'
'tnbutil.exe'
'taskmgr.exe'
'winlogon.exe'
'fvprotect.exe'
This worm will only work during April 2004.
W32/Zafi-A will display the following Hungarian text in a message box on screen if executed on the 1st May 2004:
Emberek! Magyarok szazezrei, millioi elnek naprol - napra, halnak ehen - szomjan, s szegenysegben hazankban! Mikozben jonehany felso parlamenti gazember millios vagyonokra tesz szert, mitsem torodve velunk.
Latszat emberek iranyitanak, kik emelik fizetesunk, s ketszer annyi adot vonnak le, kik igazsagszolgaltatasrol regelnek, mikor a bunozoket es a novekvo agressziot vedik torvenyeikkel, kik inkabb Forma1-re ocsekoljak a penzt, mialatt hajlektalanokhalnak meg naponta utcainkon, s korhazi betegek szenvednek szukseges muszerek nelkul.
Hogy - hogy nem latja ezt senki ???? Miert nincs egy igaz magyar, ki vegremar nem sajat erdekeit, hanem az orszag sulyos problemait helyezne eloterbe!!!
Nem eleg akarni, s beszelni, meg szonoklatni a szepet,s jot, tenni-tenni-tenni kell, egyarant mindenkinek - mindenkiert!
== HAZAFI == /Pecs,2004, (SNAF Team)/
This translates as:
People! Hundreds of thousands, millions of Hungarian people live day to day and die from starvation, thirst and poverty in our country. This is while many villainous MPs make millions, and don't even think about what is happening to us. Puppets are in control. They increase our salaries while doubling our taxes. They talk about justice while their laws protect criminals. They would rather waste money on Formula 1 while homeless people die on the streets every day and patients suffer in hospitals without the proper equipment. Why - why can nobody see this??? Why isn't there a true Hungarian patriot, who puts solving the severe problems of this country ahead of his own benefits!!! It is not enough just to want, to talk, or to give speeches about the good and the nice. There must be action. Something must be done by everybody and for everybody!
== PATRIOT == /Pecs,2004, (SNAF Team)/
