Sophos

W32/Zafi-C

Summary

 
How it spreads
  • Email attachments
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Included in our products from December 2004 (3.88)
Protection available since 27 October 2004 19:51:19 (GMT)
Detected by All Sophos products

More Information

W32/Zafi-C is a mass mailing email worm.

When first run W32/Zafi-C copies itself to the Windows system folder with the filename svchost.com. In order to run on system startup the worm creates the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
_svchost.con = \svchost.com

W32/Zafi-C harvests email addresses from files on the hard disk with the following file extensions:

ADB, ASP, DBX, EML, HTM, MBX, PHP, PMR, SHT, TBB, TXT, WAB

The worm avoids sending email to addresses containing the following strings:
aol
cafee
google
help
hoo.com
hotmail.co
info
kasper
micro
msn
panda
sopho
suppor
syma
trend
vir
webm
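As an added example (not code from the Sophos page, and not the worm's own code), the following Python models the harvesting step described above: it selects files by the extensions listed, pulls addresses out of them, and drops any address containing one of the avoided substrings. The sample file contents are constructed, and case-insensitive matching is an assumption the page does not state.

```python
import re
from typing import Dict, List, Optional, Tuple

# File extensions the worm reads for addresses (from the page), lower-cased.
HARVEST_EXTENSIONS = {"adb", "asp", "dbx", "eml", "htm", "mbx", "php", "pmr", "sht", "tbb", "txt", "wab"}

# Substrings that make the worm skip an address (from the page), in the page's order.
AVOID_SUBSTRINGS = ["aol", "cafee", "google", "help", "hoo.com", "hotmail.co", "info", "kasper",
                    "micro", "msn", "panda", "sopho", "suppor", "syma", "trend", "vir", "webm"]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_harvest_target(filename: str) -> bool:
    """True if a file with this name would be read for addresses (decided by extension only)."""
    _, dot, ext = filename.rpartition(".")
    return bool(dot) and ext.lower() in HARVEST_EXTENSIONS


def avoided_by_worm(address: str) -> Optional[str]:
    """The avoid-list substring that excludes this address, or None if it would be mailed.
    Assumption: the comparison is case-insensitive; the page only lists the strings."""
    lowered = address.lower()
    for needle in AVOID_SUBSTRINGS:
        if needle in lowered:
            return needle
    return None


def harvest(text: str) -> List[str]:
    """Addresses found in a file's contents, unique, in order of appearance."""
    found: List[str] = []
    for addr in EMAIL_RE.findall(text):
        if addr not in found:
            found.append(addr)
    return found


def spam_targets(files: Dict[str, str]) -> Tuple[List[str], Dict[str, str]]:
    """files maps filename -> contents (a stand-in for walking the disk).
    Returns (addresses the worm would mail, {skipped address: matching avoid string})."""
    targets: List[str] = []
    skipped: Dict[str, str] = {}
    for filename, contents in files.items():
        if not is_harvest_target(filename):
            continue
        for addr in harvest(contents):
            reason = avoided_by_worm(addr)
            if reason is not None:
                skipped[addr] = reason
            elif addr not in targets:
                targets.append(addr)
    return targets, skipped


# Constructed sample files (not real data) covering each branch of the filter.
SAMPLE_FILES = {
    "contacts.wab": "alice@example.com; bob@yahoo.com; virus@samples.example",
    "inbox.dbx": "From: carol@hotmail.com\nTo: dave@example.org\nCc: info@example.org",
    "index.htm": '<a href="mailto:webmaster@example.net">mail</a> support@example.net',
    "notes.doc": "erin@example.com",   # .doc is not on the harvest list, so it is never read
}

if __name__ == "__main__":
    mailed, dropped = spam_targets(SAMPLE_FILES)
    print("would be mailed:", mailed)
    for addr, why in dropped.items():
        print(f"skipped {addr:28} (contains {why!r})")
```

The effect of the list is visible in the sample: "hoo.com" catches yahoo.com, "hotmail.co" catches hotmail.com, and "info", "suppor" and "webm" catch the role addresses, while ordinary mailbox addresses at other domains are mailed.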

The email sent by W32/Zafi-C will have the following characteristics:

Subject line:
Network monitoring!
Please, send forward this letter!
Re: Please, send forward this letter!
Re: full time job for you!
Re: job details!
free mp3 list!
Re: very sick little girl!
Re: Your lover!
Re: CNM, Technology Company!
waiting for you!
Re: Expectant CoWorker!
Re: Can you!
Re: Hey buddy!
Re: offer!
send forward!
Re: call us back!
I`m off!
Thank you!
Re: please read!
Re: David Morgen, Office Manager!
Please,thanks!!
Re: give a little hope!

NOTE: Subjects may also contain substrings from the message body.

Message text:
Dear Expectant CoWorker!
We are offering a full time job for you.
Our company (CNM, Technology Company, 2004)
is the third fastest growing technology company in 2004.
Job Type: System and Network monitoring.
Requirements: Windows XP, 2000, 98 minimal expertise,
and networking skills.
If you accept our offer, please read the job details
document for the full description, and call us back.
Thank you,
David Morgen, Office Manager (CNM, Tech. 2004)
Email:

Ich hab dich so lieb!
(German: I love you so much!)

Tisztelt Leendo Munkatars!
Onnek allast kinal a CNM, Media Services Kft,
informatikai rendszerfigyelo pozicio betoltesere.
Cegunk Magyarorszag egyik jelentos informatikai vallalata,
melyhez informatikaban jartas embereket keresunk.
Alapkovetelmenyek: Windows XP, 2000, valamint 98 halozati
ismeretek, valamint alapfoku angol tudas. Amenyiben elfogadja
ajanlatunkat, kerem olvassa el a reszleteket es jelezzen
vissza a mielobbi egyuttmukodes celjaert.
Tisztelettel: Takacs Laszlo, irodavezeto.
(Hungarian: Dear Future Colleague! CNM, Media Services Kft is offering you a position as an IT system monitor. Our company is one of Hungary's major IT firms, and we are looking for people experienced in IT. Basic requirements: networking knowledge of Windows XP, 2000 and 98, and basic English. If you accept our offer, please read the details and reply so that we can start working together as soon as possible. Sincerely: Takacs Laszlo, office manager.)
Email:

Please, send forward this letter, and you can give a little hope
to a very sick little girl, who is dying in the hospital, in 2004.
Please read the full story, and send forward!!
(xxxx)

Your lover is waiting for you tomorrow, so please hurry,hurry because..
(xxxx)

Miss you baby!
Whats you doing tomorrow? I`m off, so... I thought maybe we can...
Call me okay, before it`s too late...
(xxxx)

Hey buddy!
Can you send me one more of your free mp3 list? Please,thanks!

Tu es la pour moi.
Je te sens pres de moi.
Notre amitie
m'est precieuse.
Je t'aime beaucoup!
(French: You are there for me. I feel you close to me. Our friendship is precious to me. I love you very much!)
(xxxx)

Ich wunsche dir einen schonen feierabend!
Ich liebe dich!
(German: I wish you a nice evening after work! I love you!)
(xxxx)

Fur dich, weil ich gerade an dich dachte! Kusschen!
(German: For you, because I was just thinking of you! Little kiss!)
(xxxx)

Heb ik je wel eens gezegd dat ik van je hou!
Ik hou zooooo veel van je !!!
(Dutch: Have I ever told you that I love you! I love you sooooo much!!!)

Attached file:
The attachment name is one of the base names below, followed by a long run of text and spaces and then the real extension, .SCR or .EXE. The padding pushes the executable extension out of the visible part of the filename in many mail clients, so the recipient sees only something like "document.txt". Known forms:

attachment <long line of text> <spaces> .SCR or .EXE
attachment.doc <long line of text> <spaces> .SCR or .EXE
attachment.txt <long line of text> <spaces> .SCR or .EXE
attachment_title <long line of text> <spaces> .SCR or .EXE
attachment_title.doc <long line of text> <spaces> .SCR or .EXE
attachment_title.txt <long line of text> <spaces> .SCR or .EXE
document <long line of text> <spaces> .SCR or .EXE
document.doc <long line of text> <spaces> .SCR or .EXE
document.txt <long line of text> <spaces> .SCR or .EXE
document_title <long line of text> <spaces> .SCR or .EXE
document_title.doc <long line of text> <spaces> .SCR or .EXE
document_title.txt <long line of text> <spaces> .SCR or .EXE
letter <long line of text> <spaces> .SCR or .EXE
letter.doc <long line of text> <spaces> .SCR or .EXE
letter.txt <long line of text> <spaces> .SCR or .EXE
letter_title <long line of text> <spaces> .SCR or .EXE
letter_title.doc <long line of text> <spaces> .SCR or .EXE
letter_title.txt <long line of text> <spaces> .SCR or .EXE
mail <long line of text> <spaces> .SCR or .EXE
mail.doc <long line of text> <spaces> .SCR or .EXE
mail.txt <long line of text> <spaces> .SCR or .EXE
mail_title <long line of text> <spaces> .SCR or .EXE
mail_title.doc <long line of text> <spaces> .SCR or .EXE
mail_title.txt <long line of text> <spaces> .SCR or .EXE
message <long line of text> <spaces> .SCR or .EXE
message.doc <long line of text> <spaces> .SCR or .EXE
message.txt <long line of text> <spaces> .SCR or .EXE
message_title <long line of text> <spaces> .SCR or .EXE
message_title.doc <long line of text> <spaces> .SCR or .EXE
message_title.txt <long line of text> <spaces> .SCR or .EXE
word <long line of text> <spaces> .SCR or .EXE
word.doc <long line of text> <spaces> .SCR or .EXE
word.txt <long line of text> <spaces> .SCR or .EXE
word_title <long line of text> <spaces> .SCR or .EXE
word_title.txt <long line of text> <spaces> .SCR or .EXE
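The naming scheme above is a padded double extension: a plausible document name, a long run of padding, then the real .SCR or .EXE. As an added example (not code from the Sophos page), the following Python mail-gateway check splits such a name into its parts and flags it. The padding threshold and the sample filenames are constructed assumptions, and the generic check deliberately goes beyond the page: it also catches padded or double-extension names that do not use the Zafi-C base names.

```python
import re
from typing import Dict

# Base names used by W32/Zafi-C (from the page); each may carry a "_title" suffix.
ZAFI_BASENAMES = {"attachment", "document", "letter", "mail", "message", "word"}
DECOY_EXTS = {"doc", "txt"}     # the harmless-looking inner extension
EXEC_EXTS = {"scr", "exe"}      # the real extension at the very end
PADDING_MIN = 8                 # assumed threshold for "a run of spaces"; not from the page

FINAL_EXT_RE = re.compile(r"\.([A-Za-z0-9]+)\s*$")


def analyse_attachment_name(name: str) -> Dict[str, object]:
    """Split a filename into the parts the padded double-extension trick relies on."""
    m = FINAL_EXT_RE.search(name)
    final_ext = m.group(1).lower() if m else ""
    head = name[: m.start()] if m else name            # everything before the real extension
    # Longest whitespace run in the head: the padding that pushes .SCR/.EXE out of view.
    padding = max((len(run) for run in re.findall(r"\s+", head)), default=0)
    tokens = head.split()
    visible = tokens[0] if tokens else ""              # the name a user actually reads
    base, _, inner = visible.partition(".")
    base = base.lower()
    if base.endswith("_title"):
        base = base[: -len("_title")]
    return {
        "visible": visible,
        "decoy_ext": inner.lower() if inner.lower() in DECOY_EXTS else "",
        "padding": padding,
        "final_ext": final_ext,
        "zafi_basename": base in ZAFI_BASENAMES,
    }


def is_padded_double_extension(name: str) -> bool:
    """Generic check: an executable real extension hidden behind a decoy document
    extension and/or a long run of padding. Catches the trick beyond Zafi-C's names."""
    info = analyse_attachment_name(name)
    if info["final_ext"] not in EXEC_EXTS:
        return False
    return info["padding"] >= PADDING_MIN or bool(info["decoy_ext"])


def matches_zafi_c(name: str) -> bool:
    """A padded double extension built from one of the worm's base names."""
    return analyse_attachment_name(name)["zafi_basename"] and is_padded_double_extension(name)


# Constructed sample attachment names (not captured from real mail).
SAMPLE_NAMES = [
    "document.txt" + " " * 60 + ".scr",
    "letter_title" + " " * 40 + ".EXE",
    "mail.doc more details inside" + " " * 30 + ".scr",
    "invoice.txt.exe",
    "quarterly_report.doc",
    "holiday photo.jpg",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        info = analyse_attachment_name(n)
        print(f"{info['visible']!r:32} pad={info['padding']:3} ext={info['final_ext']:4} "
              f"padded={is_padded_double_extension(n)} zafi={matches_zafi_c(n)}")
```

Only the final extension decides what Windows executes, which is why the check keys on that and treats the inner .doc/.txt and the whitespace run purely as evidence of deception; the threshold of eight spaces is a starting point to tune against real traffic.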

W32/Zafi-C creates copies of itself in folders shared by P2P applications with the filename "doom 3 keygen.exe".

The worm sets several entries under the following:

HKLM\Software\Microsoft\UpdateZ3\<several entries>
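Together, the Run value described earlier (_svchost.con pointing at svchost.com in the Windows system folder), the dropped file itself and the UpdateZ3 key give three host indicators. As an added example, not Sophos code, the following Python checks them read-only. The classification of Run entries runs anywhere against the constructed sample entries shown; the live registry and file checks run only on Windows. It assumes the "Windows system folder" is %SystemRoot%\system32.

```python
import ntpath
import os
import sys
from typing import List, Tuple

# Indicators taken from the page.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "_svchost.con"              # value name the worm writes under the Run key
DROPPED_NAME = "svchost.com"                 # copy of the worm in the Windows system folder
MARKER_KEY = r"Software\Microsoft\UpdateZ3"  # key under which the worm stores its own entries


def launched_image(data: str) -> str:
    """Lower-cased file name of the program a Run value launches.
    Handles a quoted path followed by arguments; otherwise the whole string is the path."""
    data = str(data).strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        data = data[1:end] if end > 0 else data[1:]
    return ntpath.basename(data).lower()


def run_entry_findings(entries: List[Tuple[str, str]]) -> List[str]:
    """Classify (value_name, value_data) pairs read from the HKLM Run key.
    Flags the exact Zafi-C value name and, more generally, any Run entry that starts a
    file called svchost.*: the real Service Host (svchost.exe) is started by the
    Service Control Manager, never from the Run key, so that name there is a masquerade."""
    findings: List[str] = []
    for name, data in entries:
        image = launched_image(data)
        if name.lower() == RUN_VALUE_NAME:
            findings.append(f"{name}: value name matches W32/Zafi-C persistence entry")
        if image.startswith("svchost."):
            findings.append(f"{name}: launches {image}, a program posing as the Service Host")
    return findings


def triage_host() -> List[str]:
    """Read-only live check of the three indicators. Windows only; elsewhere it says so."""
    if sys.platform != "win32":
        return ["not a Windows host: live registry and file checks skipped"]
    import winreg  # standard library, Windows only
    findings: List[str] = []
    entries: List[Tuple[str, str]] = []
    index = 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # raised once no more values remain
                break
            entries.append((name, data))
            index += 1
    findings += run_entry_findings(entries)
    # Assumption: the "Windows system folder" is %SystemRoot%\system32.
    dropped = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32", DROPPED_NAME)
    if os.path.exists(dropped):
        findings.append(f"dropped file present: {dropped}")
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, MARKER_KEY))
        findings.append(f"worm marker key present: HKLM\\{MARKER_KEY}")
    except OSError:
        pass
    return findings


# Constructed sample Run entries for offline use (not from a real host).
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("OneDrive", r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("_svchost.con", r"C:\WINDOWS\system32\svchost.com"),
]

if __name__ == "__main__":
    for line in run_entry_findings(SAMPLE_RUN_ENTRIES) + triage_host():
        print(line)
```

Run it with the same bitness as the operating system: a 32-bit interpreter on 64-bit Windows sees the redirected 32-bit view of parts of HKLM\Software, so a value written by a 32-bit worm and one written by a 64-bit tool can land in different views.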

W32/Zafi-C then initiates a distributed denial of service attack against a Hungarian website.
