PE_ZAFI.B
Overview

Malware type: File Infector

Aliases: W32.Erkez.B@mm, W32/Zafi.b@MM, I-Worm.Zafi.b, W32/Zafi-B, Win32/Zafi.Variant!Worm, Win32.Zafi.B[worm], Win32.Hazafi.30720, Win32:Zafi-B, Worm/Zafi.B, I-Worm.Win32.Zafi.12800, Zafi

In the wild: Yes

Destructive: Yes

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description:

This memory-resident file infector propagates via email and peer-to-peer (P2P) applications. It drops copies of itself using random file names and with either of the following file extensions:

  • EXE
  • DLL

To propagate via email, it sends itself to addresses it finds in files that have particular extension names. It specifies a mail server by attaching certain strings to the domain of a target email address. It also avoids sending email messages to addresses that contain specific strings.

To spread through P2P file-sharing applications, it drops copies of itself in folders that contain the following strings in their names:

  • share
  • upload

It attempts to infect .EXE files, which it finds in random folders, by overwriting them: it deletes the original files and then drops copies of itself under the file names of the deleted files.

It also opens a random link previously visited by an infected user.

This file infector is compressed using FSG and runs on Windows 95, 98, ME, NT, 2000 and XP.
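The propagation behaviour described above leaves a recognisable trace on disk: byte-identical PE files dropped under random names in "share"/"upload" folders, and legitimate .EXE files replaced by that same payload. The following triage script is an added example (not Trend Micro's code or tooling) that hashes every .exe/.dll under a root and reports clusters of identical files that span several directories or sit in a share/upload folder; the sample directory tree it builds is constructed for illustration and contains no real malware.

```python
import hashlib
import os
import tempfile

SUSPICIOUS_DIR_STRINGS = ("share", "upload")   # folder-name strings from the description
PE_EXTENSIONS = (".exe", ".dll")                # extensions the worm drops

def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_duplicate_pe_clusters(root):
    """Group .exe/.dll files under root by content hash and return the
    clusters of byte-identical files that either span more than one
    directory or live in a folder whose name contains 'share'/'upload'."""
    by_hash = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(PE_EXTENSIONS):
                full = os.path.join(dirpath, name)
                by_hash.setdefault(sha256_of(full), []).append(full)
    clusters = []
    for digest, paths in by_hash.items():
        dirs = {os.path.dirname(p) for p in paths}
        in_share = any(s in os.path.basename(d).lower()
                       for d in dirs for s in SUSPICIOUS_DIR_STRINGS)
        if len(paths) > 1 and (len(dirs) > 1 or in_share):
            clusters.append((digest, sorted(paths)))
    return clusters

def build_sample_tree():
    """Constructed sample tree (hypothetical names, harmless bytes): the same
    payload dropped under random names in a shared folder and in place of
    one application's .EXE, plus one unrelated legitimate tool."""
    root = tempfile.mkdtemp()
    payload = b"MZ-constructed-sample-payload"
    layout = {
        "My Shared Folder/kx3q9a.exe": payload,
        "My Shared Folder/mwr77.dll": payload,
        "Program Files/App/app.exe": payload,          # original overwritten
        "Program Files/Other/tool.exe": b"MZ-legit-tool-content",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    for digest, paths in find_duplicate_pe_clusters(build_sample_tree()):
        print(digest[:16], paths)
```

On a real host, point `find_duplicate_pe_clusters` at a drive root and treat any cluster that includes a previously known-good application .EXE as a candidate overwritten file to restore from backup.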


Description created: Jun. 10, 2004 4:17:36 PM GMT -0800
Description updated: Jun. 10, 2004 6:27:31 PM GMT -0800
