A new worm - W32.Zafi.B@mm
June 15, 2004
Worm - W32.Zafi.B@mm
Alias: W32/Zafi.b, Worm_Zafi.B, Zafi.B, PE_ZAFI.B, W32.Erkez.B@mm

Description
W32.Zafi.B@mm is a mass-mailing worm that sends email messages using its own SMTP engine and spoofs the "From:" address. The email message may arrive with a randomly named attachment. The worm also propagates through P2P networks by copying itself to any folder on the local system whose name contains the string "share" or "upload". The following files are dropped there:
- winamp 7.0 full_install.exe
- Total Commander 7.0 full_install.exe

Once the worm is executed, several additional files are created in the Windows System directory with random .DLL or .EXE names. For a detailed description of the email message format, please refer to the Appendix.

When the worm's file is run, the following Registry keys are added:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"_Hazafibb" = "%SysDir%\<random>.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb]

Payload
but does not include e-mail addresses with:
@
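As an added example (not part of the hkcert advisory), a Python check for the two host-level indicators the description gives: the dropped file names sitting in a "share" or "upload" folder, and the "_Hazafibb" value under the Run key, read from a .reg export. The sample paths, the user name and the random .exe name are constructed placeholders.

```python
import ntpath
import re

# Indicators quoted from the advisory above.
DROPPED_NAMES = {"winamp 7.0 full_install.exe", "total commander 7.0 full_install.exe"}
FOLDER_MARKERS = ("share", "upload")
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "_Hazafibb"


def find_zafi_b_drops(paths):
    """Return the paths that match the P2P drop pattern: a dropped file name sitting
    directly in a folder whose name contains 'share' or 'upload' (feed os.walk() output)."""
    hits = []
    for path in paths:
        folder, name = ntpath.split(path)
        parent = ntpath.basename(folder).lower()
        if name.lower() in DROPPED_NAMES and any(m in parent for m in FOLDER_MARKERS):
            hits.append(path)
    return hits


def hazafibb_run_entries(reg_export):
    """Parse the text of a .reg export (regedit or 'reg export') and return the data
    of every '_Hazafibb' value under the Run key named in the advisory."""
    found, current_key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key and current_key.lower() == RUN_KEY.lower():
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m and m.group(1) == RUN_VALUE:
                found.append(m.group(2).replace("\\\\", "\\"))  # undo .reg escaping
    return found


# Constructed sample input; the random .exe name is a placeholder, not a real indicator.
SAMPLE_PATHS = [
    r"C:\Program Files\KaZaA\My Shared Folder\winamp 7.0 full_install.exe",
    r"C:\Users\alice\Uploads\Total Commander 7.0 full_install.exe",
    r"C:\Users\alice\Documents\Total Commander 7.0 full_install.exe",
    r"C:\Program Files\KaZaA\My Shared Folder\notes.txt",
]
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"_Hazafibb"="C:\\WINDOWS\\System32\\rndm.exe"
"Legit"="C:\\Program Files\\Legit\\legit.exe"
"""
```

On a live host, pass the files found by os.walk() over the P2P share directories and the text produced by `reg export` of the Run key; a non-empty result from either function is a reason to run one of the removal tools listed below.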
Solution
New virus definitions are available from anti-virus vendors to detect and remove this virus. If you do not have an anti-virus program installed, you can download one of the following removal tools to clean it:
- Sophos: http://www.sophos.com/support/disinfection/worms.html
- Symantec
- McAfee
- F-Secure

Information provided by hkcert.org