I-Worm.Zafi.b
Description I-Worm.Zafi.b
This worm spreads via the Internet as an attachment to infected messages, and also via local and file-sharing networks. It is written in Assembler and packed using FSG. It is 12800 bytes in packed form and 33292 bytes in unpacked form.

Installation

Once launched, the worm copies its file to the Windows system directory. The name of the file is randomly generated. The worm registers this file as an entry in the system registry so that it is run every time the system is started:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "_Hazafibb"="%system%\[file name]"

The worm creates the mutex _Hazafibb to flag its presence in the system. This prevents multiple copies of the worm from running at the same time.

It stops the following processes and deletes their files from disk:

    fvprotect.exe
    winlogon.exe
    jammer2nd.exe
    services.exe

Propagation via email

The worm harvests email addresses from files with the following extensions:

    htm wab txt dbx tbb asp php sht adb mbx eml pmr

It does not send messages to addresses which contain any of the strings below:

    win use info help admi webm micro msn hotm suppor syma vir trend panda yaho cafee sopho google kasper

There is a range of text used in infected messages. The text is chosen according to the recipient's domain name.

Domain .hu
Sender: Anita
Message header: Ingyen SMS!
Message body:
------------------------ hirdetés -----------------------------
A sikeres 777sms.hu és az axelero.hu támogatásával újra indul az ingyenes sms küldő szolgáltatás! Jelenleg ugyan korlátozott számban, napi 20 ingyen smst lehet felhasználni. Küldj te is SMST! Néhány kattintás és a mellékelt regisztrációs lap kitöltése után azonnal igénybevehető! Bővebb információt a www.777sms.hu oldalon találsz, de siess, mert az első ezer felhasználó között értékes nyereményeket sorsolunk ki!
------------------------ axelero.hu ---------------------------
Attachment name: regiszt.php?3124freesms.index777.pif

Domain .sp
Sender: Claudia
Message header: Importante!
Message body: Informacion importante que debes conocer, -
Attachment name: link.informacion.phpV23.text.message.pif

Domain .ru
Sender: Katya
Message header: Katya
Message body: DAúADAOIUå OEIEøIEãU, ÐÉÓÁ_ÝÉÅ ÄÅ×ÕoËÉ, ÁÎÁÌØÎÁÑ ÍÁÓÔÕdÂÁÃÉÑ, dÕËÁ × ÁÎÕÓÅ É ×ÓÅ ÉÚ×ÅÓÔÎÙÅ ÐÏÌÏ×ÙÅ ÉÚ×dÁÝÅÎÉÑ. IÉÓÁ_ÝÉÅ ÄÅ×ÕoËÉ dÁÚ×dÁÔÎÙÅ oËÏÌØÎÉÃÙall
Attachment name: view.link.index.image.phpV23.sexHdg21.pif

Domain .dk
Sender: Eva
Message header: E-Kort!
Message body: Mit hjerte banker for dig!
Attachment name: link.ekort.index.phpV7ab4.kort.pif

Domain .ro
Sender: Marica
Message header: Ecard!
Message body: De cand te-am cunoscut inima mea are un nou ritm!
Attachment name: link.showcard.index.phpAv23.ritm.pif

Domain .se
Sender: Anna
Message header: E-vykort!
Message body: Till min Alskade...
Attachment name: link.vykort.showcard.index.phpBn23.pif

Domain .no
Sender: Erica
Message header: E-Postkort!
Message body: Vakre roser jeg sammenligner med deg...
Attachment name: link.postkort.showcard.index.phpAe67.pif

Domain .fi
Sender: Katarina
Message header: E-postikorti!
Message body: Iloista kesaa!
Attachment name: link.postikorti.showcard.index.phpGz42.pif

Domain .lt
Sender: Magdolina
Message header: Atviruka!
Message body: Linksmo gimtadieno!
Attachment name: link.atviruka.showcard.index.phpGz42.pif

Domain .pl
Sender: Beate
Message header: E-Kartki!
Message body: W Dniu imienin...
Attachment name: link.kartki.showcard.index.phpVg42.pif

Domain .pt
Sender: Eva
Message header: Cartoe Virtuais!
Message body: Te amo...
Attachment name: link.cartoe.viewcard.index.phpYj39.pif

Domain .de
Sender: Alice
Message header: Flashcard fuer Dich!
Message body:
Hallo!
hat dir eine elektronische Flashcard geschickt. Um die Flashcard ansehen zu koennen, benutze in deinem Browser einfach den nun folgenden link: http://flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34
Viel Spass beim Lesen wuenscht Ihnen ihr...
Attachment name: link.flashcard.de.viewcard34.php.2672aB.pif

Domain .nl
Sender: Eva
Message header: Er staat een eCard voor u klaar!
Message body:
Hallo!
heeft u een eCard gestuurd via de website nederlandse taal in het basisonderwijs... U kunt de kaart ophalen door de volgende url aan te klikken of te kopiëren in uw browser link: http://postkaarten.nl/viewcard.show53.index=04abD1
Met vriendelijke groet, De redactie taalsite primair onderwijs...
Attachment name: postkaarten.nl.link.viewcard.index.phpG4a62.pif

Domain .cz
Sender: Hanka
Message header: Elektronicka pohlednice!
Message body:
Ahoj!
Elektronická pohlednice ze serveru http://www.seznam.cz
Attachment name: link.seznam.cz.pohlednice.index.php2Avf3.pif

Domain .fr
Sender: Claudine
Message header: E-carte!
Message body: vous a envoye une E-carte à partir du site zdnet.fr. Vous la trouverez à l'adresse suivante link: http://zdnet.fr/showcard.index.php34bs42 www.zdnet.fr, plus de 3500 cartes virtuelles, vos pages web en 5 minutes, du dialogue en direct...
Attachment name: link.zdnet.fr.ecarte.index.php34b31.pif

Domain .it
Sender: Francesca
Message header: Ti e stata inviata una Cartolina Virtuale!
Message body:
Ciao!
ha visitato il nostro sito, cartolina.it e ha creato una cartolina virtuale per te! Per vederla devi fare click sul link sottostante: http://cartolina.it/asp.viewcard=index4g345a Attenzione, la cartolina sara visibile sui nostri server per 2 giorni e poi verra rimossa automaticamente.
Attachment name: link.cartoline.it.viewcard.index.4g345a.pif

Domain .mx

1.
Sender: Jennifer
Message header: You`ve got 1 VoiceMessage!
Message body:
Dear Customer!
You`ve got 1 VoiceMessage from voicemessage.com website! Sender: You can listen your Virtual VoiceMessage at the following link: http://virt.voicemessage.com/index.listen.php2=35affv or by clicking the attached link.
Send VoiceMessage! Try our new virtual VoiceMessage Empire! Best regards: SNAF.Team (R).
Attachment name: link.voicemessage.com.listen.index.php1Ab2c.pif

2.
Sender: Anita
Message header: Soxor Csok!
Message body:
Szia!
Aranyos vagy, jó volt dumcsizni veled a neten! Remélem tetszem, és szeretném ha te is küldenél képet magadról, addig is csók:
Attachment name: anita.image043.jpg.pif

Domain .at

1.
Sender: Anita
Message header: Tessek mosolyogni!!!
Message body:
Ha ez a kép sem tud felviditani, akkor feladom!
Sok puszi:
Attachment name: meztelen csajok fociznak.flash.jpg.pif

2.
Sender: Jennifer
Message header: Don`t worry, be happy!
Message body:
Hi Honey!
I`m in hurry, but i still love ya... (as you can see on the picture)
Bye - Bye:
Attachment name: www.ecard.com.funny.picture.index.nude.php356.pif

For all other domains, the message will be as follows:

Sender: David
Message header: Check this out kid!!!
Message body:
Send me back bro, when you`ll be done...(if you know what i mean...)
See ya,
Attachment name: jennifer the wild girl xxx07.jpg.pif

Propagation via local and file-sharing networks

The worm copies itself to all folders whose names contain either of the words:

    share
    upload

The name of the worm file is chosen from the following list:

    winamp 7.0 full_install.exe
    Total Commander 7.0 full_install.exe

Other

It creates the file sys.txt in the root directory of the C: drive. It attempts to detect antivirus program files on the computer and overwrite them with a copy of itself. It also attempts to conduct DoS attacks on the following sites:

    www.2f.hu
    www.parlament.hu
    www.virusbuster.hu
    www.virushirado.hu
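The description above gives a mail administrator two usable indicators: the fixed per-domain subjects and the .pif attachments whose names imitate a URL path or a picture (e.g. link.ekort.index.phpV7ab4.kort.pif, anita.image043.jpg.pif). As an added example that is not part of the original entry, the following Python triage check applies both to a constructed mailbox; the indicator strings are copied from the description, everything else is assumed.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the Zafi.b description: the subjects it picks by recipient
# domain, and its naming of every attachment as a URL/picture-styled .pif.
ZAFI_SUBJECTS = {
    "Ingyen SMS!", "Importante!", "Katya", "E-Kort!", "Ecard!", "E-vykort!",
    "E-Postkort!", "E-postikorti!", "Atviruka!", "E-Kartki!", "Cartoe Virtuais!",
    "Flashcard fuer Dich!", "Er staat een eCard voor u klaar!",
    "Elektronicka pohlednice!", "E-carte!", "Soxor Csok!", "Tessek mosolyogni!!!",
    "Ti e stata inviata una Cartolina Virtuale!", "You`ve got 1 VoiceMessage!",
    "Don`t worry, be happy!", "Check this out kid!!!",
}
LOOKALIKE_PIF = re.compile(r"(?i)^(?=.*(link|card|index|php|jpg|image|flash)).*\.pif$")

@dataclass
class Message:
    subject: str
    attachments: list = field(default_factory=list)

def zafi_indicators(msg: Message) -> set:
    """Return the set of Zafi.b indicators that one message matches."""
    hits = set()
    if msg.subject in ZAFI_SUBJECTS:
        hits.add("known_subject")
    for name in msg.attachments:
        if name.lower().endswith(".pif"):
            hits.add("pif_attachment")
        if LOOKALIKE_PIF.match(name):
            hits.add("lookalike_pif")
    return hits

def is_zafi_lure(msg: Message) -> bool:
    """A URL/picture-styled .pif is decisive on its own. A known subject alone is
    not ("Katya" or "Importante!" are ordinary subjects), but subject + .pif is."""
    hits = zafi_indicators(msg)
    return "lookalike_pif" in hits or {"known_subject", "pif_attachment"} <= hits

def triage(messages: list) -> list:
    """Return the subjects of the messages that should be quarantined."""
    return [m.subject for m in messages if is_zafi_lure(m)]

SAMPLE_MAILBOX = [  # constructed sample; attachment names copied from the description
    Message("E-Kort!", ["link.ekort.index.phpV7ab4.kort.pif"]),
    Message("Katya", []),                                  # subject only: benign
    Message("Re: meeting", ["agenda.pdf"]),
    Message("Check this out kid!!!", ["jennifer the wild girl xxx07.jpg.pif"]),
    Message("Importante!", ["notes.pif"]),                 # known subject + .pif
]
```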
AT-Corp.363
Description AT-Corp.363
This is a harmless memory-resident parasitic virus. It hooks INT 13h and writes itself into free space (a cave) in the EXE header when such headers are accessed through INT 13h (that is, when the corresponding sectors are read or written via INT 13h). Infected files do not grow in length. The virus contains the text string: (c) AT Corp. 1994
AT.Batalia3,Batalia4
Description AT.Batalia3,Batalia4
These are harmless non-memory-resident parasitic BAT viruses. They search for BAT files in the current directory and infect them. While infecting a file, the viruses run the ARJ archiver to pack the necessary files. If there is no ARJ.EXE in the PATH, the viruses fail to replicate. Each virus consists of two parts, code and data. The first part (the header) contains DOS commands:

"Batalia3":
    @echo off
    rem YYY
    arj x %0 -g""bÑpß >nul
    ren p Int
    call i
    ren Int a.bat
    echo on
    @call a
    @echo off
    del i.bat
    del a.bat
    del BATalia3

"Batalia4":
    @echo off
    rem BAT4
    arj x %0 >nul
    call i
    del sg
    del i.bat

The second part (the rest of the file) is an ARJ archive. This archive contains the I.BAT file, which is the main virus code, and the following additional files:

"Batalia3": P, BATALIA3
"Batalia4": SG

The SG and BATALIA3 files contain several additional batch commands. The P file contains the original code of the infected BAT file (in the case of the "Batalia3" virus). So any infected file consists of text strings (DOS commands) followed by binary data (the ARJ archive). When executed, the virus runs the ARJ archiver, extracts the files I.BAT and SG, and runs I.BAT. This batch file searches for uninfected BAT files in the current directory and infects them. While infecting, the "Batalia4" virus appends its code to the end of the file and does not modify the original file contents. "Batalia3" saves the original BAT file into the ARJ archive (file P) and overwrites it. As a result, a file infected by "Batalia3" may be shorter than it was before infection.
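The layout just described (a plain-text header that runs the archiver on the batch file itself, followed by a binary ARJ archive) is easy to check for. As an added example that is not part of the original entry, the Python below inspects a .BAT image for that construction; it relies on the ARJ header id 0xEA60 (stored little-endian as bytes 60 EA), and the two sample files are constructed, with the Batalia4 header text taken from the description and a filler stub standing in for a real archive.

```python
import re

# ARJ archives start with the header id 0xEA60, stored little-endian (bytes 60 EA).
ARJ_MAGIC = b"\x60\xea"
# The Batalia header runs the archiver on the batch file itself (%0).
SELF_EXTRACT = re.compile(rb"^\s*arj\s+x\s+%0\b", re.IGNORECASE | re.MULTILINE)

def inspect_bat(data: bytes) -> dict:
    """Look for the Batalia construction in one .BAT image: a plain-text
    header that runs 'arj x %0', followed by an embedded ARJ archive."""
    arj_at = data.find(ARJ_MAGIC)
    head = data if arj_at < 0 else data[:arj_at]
    return {
        "self_extract": bool(SELF_EXTRACT.search(head)),
        "arj_offset": arj_at,                      # -1 when no archive is appended
        "text_header": all(b in b"\r\n\t" or 32 <= b < 127 for b in head),
    }

def is_batalia_like(data: bytes) -> bool:
    r = inspect_bat(data)
    return r["self_extract"] and r["arj_offset"] > 0 and r["text_header"]

# Constructed samples: the Batalia4 header from the description followed by an
# ARJ header id plus zero filler (a stub, not a real archive), and a clean batch
# file that legitimately runs arj on a different archive.
INFECTED = (b"@echo off\r\nrem BAT4\r\narj x %0 >nul\r\ncall i\r\ndel sg\r\ndel i.bat\r\n"
            + ARJ_MAGIC + b"\x00" * 32)
CLEAN = b"@echo off\r\narj x backup.arj >nul\r\necho done\r\n"
```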