Virus Database

I-Worm.Zafi

Description I-Worm.Zafi

This worm spreads via the Internet as an attachment to infected messages. It is 11776 bytes in size.
Characteristics of infected messages
Sender:
kepeslapok@meglep.hu
Message body:
Tisztelt felhasznalo!

Onnek kepeslapja erkezett!
A kepeslap feladoja: Leva
A lapot az alabbi cimen tudja megtekinteni:
http//matav.hu/viewcard/index=p4uo5683535GSb0123fhhf578840f0623cv2
vagy a mellekelt internetlink kattintasaval.

Udvozlettel: Matav e-card!
http//www.netezz.matav.hu/
Attachment name
link.matav.hu.viewcard.index42ADR4502HHJeTYWYJDF334GSDEv255
Propagation
The worm searches disks C, D, E, F, G, H for files with the following extensions, and harvests email addresses from these files:
adb
asp
avi
bmp
cab
com
dbx
dll
eml
exe
gif
htm
ico
iso
jpg
lnk
mbx
mp3
mpg
php
pk3
pmr
rar
sht
swp
tbb
txt
vxd
wab
wav
wmv
zip


If any of the words listed below are found in an address, the address will be ignored.
anti
avp
f-prot
gov
hotmail
microsoft
norton
panda
trendmicro
vir
Installation
The worm creates the following keys in the system registry:
[HKLMSoftwareMicrosoftWindowsCurrentVersionRun]
The key value is a link to a copy of the worm in the system directory. The file name is randomly generated by the worm.
[HKLMSoftwareMicrosoftHazafi]
The key values of R1 - RA are the user name, user email, links to a copy of the worm in the system directory and links to the files which contain the email addresses harvested by the worm. All file names are randomly generated by the worm.
Other
Immediately following launch, the worm checks the current system date. If the local system date is 01.05.2004, the following dialogue box will be displayed. The worm will not work after 02.05 2004.

The worm terminates the following processes:
dfw.exe
fsav32.exe
fsbwsys.exe
fsgk32.exe
fsm32.exe
fssm32.exe
fvprotect.exe
mcagent.exe
navapw32.exe
navdx.exe
navstub.exe
navw32.exe
nc2000.exe
ndd32.exe
netarmor.exe
netinfo.exe
netmon.exe
nmain.exe
nprotect.exe
ntvdm.exe
ostronet.exe
outpost.exe
pccguide.exe
pcciomon.exe
regedit.exe
regedit32.exe
taskmgr.exe
tnbutil.exe
vbcons.exe
vbsntw.exe
vbust.exe
vsmain.exe
vsmon.exe
vsstat.exe
winlogon.exe
zonalarm.exe

Check other viruses! Be aware! Use Antiviral Software

NRead.1467

Description NRead.1467

This is a very dangerous memory resident parasitic virus. It hooks INT 8, 9, 13h, 21h, and 28h. The INT 21h hooking is used for file infection - the virus writes itself to the end of .COM files that are executed or opened. INT 2Fh hooking is used for a "Are you here?" call when the virus is installing itself memory resident. Other hooks summon a trigger routine that in February displays a message and deletes all files on the current disk. The message appears as follows:
Network Read CRC Error
Re-reading Packet

NSD.266

Description NSD.266

It is a dangerous nonmemory resident parasitic virus. It searches for .COM and C:COMMAND.COM files, then writes itself to the end of the file. Depending on the system timer it sets the graphic video mode (INT 10h, AX=0013h), displays the message and halts PC:
SYSTEM ERROR: DMA DENIED.

The virus also contains the text string:
c:command.com
*.com
NSD

Home