WORM_ZAFI.D
Overview

Malware type: Worm

Aliases: W32/Zafi.d@MM, Email-Worm.Win32.Zafi.d, W32/Zafi-D, W32/Zafi.D.worm

In the wild: Yes

Destructive: No

Language: German

Platform: Windows 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

As of December 14, 2004 8:13 AM (PST), 11 days before Christmas, TrendLabs has declared a MEDIUM risk virus alert to control the spread of this mass-mailing worm. It has been found spreading in Germany, France, and Spain.

The effectiveness of this worm owes much to the timeliness of its release in the wild and its use of email written in any of several languages, depending on the domain of the recipient address. This technique has been used by previous ZAFI variants.

It uses its built-in Simple Mail Transfer Protocol (SMTP) engine, which allows it to send malicious Christmas greetings without having to use other email applications like Outlook Express.

This worm sends email to addresses it has collected from different files on infected systems. The worm email is spoofed and may appear to have come from a familiar email address. As a general rule, users should avoid opening the attachments of unsolicited email.

For system administrators who wish to block the worm email, details are available in the Technical Details section.

Below are screenshots of sample email that it sends:

    Sample non-English worm email

    Sample worm email in English

This worm displays the following message box on systems where it is run:

    WORM_ZAFI.D error message box:
    CRC: 04F7Bh
    Error in packed file!

It acts as a backdoor opening TCP port 8181 to allow remote users to upload files into infected systems.

Moreover, to avoid easy detection and removal, it stops processes containing the following strings in their names:

  • msconfig
  • reged
  • task

This routine will allow it to successfully stop System Configuration Utility, Registry Editor, and Task Manager.

This worm drops the following files on infected systems:

  • WINAMP 5.7 NEW!.EXE
  • ICQ 2005A NEW!.EXE

It drops these files in folders containing the following strings:

  • share
  • upload
  • music

It drops the files to try propagating via shared folders. It assumes that folders containing the strings are shared in local networks or on peer-to-peer networks like KaZaA and Morpheus. P2P users looking for installers for Winamp and ICQ may inadvertently download copies of this worm instead.

It also drops a copy of itself as NORTON UPDATE.EXE and .DLL files with random 8-character file names.

This worm runs on Windows 98, ME, NT, 2000, and XP.

How do I check for infection?

Desktop users can look for the dropped files to check for infection on their computers.

Network administrators can check for increased mail server activity and SMTP (port 25) traffic. Activity on the worm backdoor port 8181 may also indicate infection.
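As an added example, not part of Trend Micro's description, the following Python 3.8+ script turns the checks above into something a responder can run: it walks a folder tree for the dropped file names listed earlier, records whether each copy sits in a share/upload/music folder, and flags a TCP listener on port 8181 in Windows "netstat -an" output. The netstat lines and the demo folder tree are constructed for illustration.

```python
# Added example (not Trend Micro's code): host-side check for the indicators
# this description lists. The netstat text and demo tree are constructed.
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the description above (compared case-insensitively).
DROPPED_NAMES = {"winamp 5.7 new!.exe", "icq 2005a new!.exe", "norton update.exe"}
FOLDER_HINTS = ("share", "upload", "music")
BACKDOOR_PORT = 8181

def find_dropped_files(root):
    """Walk `root`; return (path, folder_hint) for every dropped-file name.
    folder_hint is the share/upload/music substring of the containing folder,
    or None when the copy sits elsewhere (e.g. NORTON UPDATE.EXE)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        folder = os.path.basename(dirpath).lower()
        hint = next((h for h in FOLDER_HINTS if h in folder), None)
        for name in files:
            if name.lower() in DROPPED_NAMES:
                hits.append((os.path.join(dirpath, name), hint))
    return hits

# Matches a Windows "netstat -an" line such as
#   TCP    0.0.0.0:8181    0.0.0.0:0    LISTENING
_LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\b", re.I)

def backdoor_listeners(netstat_output, port=BACKDOOR_PORT):
    """Return the netstat lines that show a TCP listener on the backdoor port."""
    return [ln for ln in netstat_output.splitlines()
            if (m := _LISTEN_RE.match(ln)) and int(m.group(1)) == port]

# Constructed sample: one listener on 8181 plus ordinary noise.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8181           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       10.0.0.9:25            ESTABLISHED
"""

def build_demo_tree():
    """Create a throwaway folder tree mimicking an infected host; returns root."""
    root = Path(tempfile.mkdtemp())
    (root / "My Shared Folder").mkdir()
    (root / "My Shared Folder" / "WINAMP 5.7 NEW!.EXE").write_bytes(b"x")
    (root / "Windows").mkdir()
    (root / "Windows" / "NORTON UPDATE.EXE").write_bytes(b"x")
    return root

if __name__ == "__main__":
    print(find_dropped_files(build_demo_tree()))
    print(backdoor_listeners(SAMPLE_NETSTAT))
```

Run it against a real drive root and real `netstat -an` output instead of the demo inputs; the random 8-character .DLL names are not matched here because the page gives no fixed name for them.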

WORM_ZAFI.D Behavior Diagram

For additional information about this threat, see:
Solution
Technical Details

Description created: Dec. 14, 2004 7:28:39 AM GMT -0800
Description updated: Dec. 14, 2004 3:09:05 PM GMT -0800
