Worm.Win32.Zafi.B Alert!

The new internet worm Zafi.B spreads very fast, mainly via email attachments but also via file-sharing networks. The message subject and body text differ depending on the domain extension of the receiver's email address. Target email addresses are collected on the local computer, extracted from several kinds of files such as temporary internet files and email address books.

Infection
Once opened and installed, the worm sets an autorun entry in the system registry. When it runs, the worm sends itself to all available email addresses. It also runs a module that attempts to flood some Hungarian websites.

The email text is available in many languages. The text advises the user to open the file attachment, which seems to be a greeting card. Here is an example of the English email:

Subject: You`ve got 1 VoiceMessage!
Body: Dear Customer!

You`ve got 1 VoiceMessage from voicemessage.com website!
Sender:
You can listen your Virtual VoiceMessage at the following link:
http://virt.voicemessage.com/index.listen.php2=35affv
or by clicking the attached link.

Send VoiceMessage! Try our new virtual VoiceMessage Empire!
Best regards: SNAF.Team (R).

Attachment: link.voicemessage.com.listen.index.php1Ab2c.pif
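
The attachment in this sample is named like a web link but ends in .pif, which Windows runs as a program. The following mail-gateway check is an added example, not part of the original alert or of a²; the extension list, the link-name heuristics and all function names are assumptions, and the message it scans is constructed from the subject and attachment name quoted above.

```python
import re
from email.message import EmailMessage

# Assumed list of extensions Windows executes directly; .pif is the one in the sample.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd"}
# Assumed heuristics for a file name dressed up as a link: host-like or page-like parts.
LINK_LIKE = re.compile(r"^(www|link)\.|\.(com|net|org|hu)(\.|$)|\.(php|html?)")

def check_attachment(filename):
    """Return the reasons an attachment name is suspicious (empty list = nothing found)."""
    name = filename.strip().lower()
    stem, dot, last = name.rpartition(".")
    ext = dot + last
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + ext)
        # Only the part before the real extension is tested for the link disguise.
        if LINK_LIKE.search(stem):
            reasons.append("name imitates a web link")
    return reasons

def scan_message(msg):
    """Map each flagged attachment filename in a parsed message to its findings."""
    findings = {}
    for part in msg.walk():
        filename = part.get_filename()  # None for body parts and containers
        if filename:
            reasons = check_attachment(filename)
            if reasons:
                findings[filename] = reasons
    return findings

def build_sample():
    """Constructed test message: harmless placeholder bytes, names taken from the alert."""
    msg = EmailMessage()
    msg["Subject"] = "You`ve got 1 VoiceMessage!"
    msg.set_content("Dear Customer!\n\nYou`ve got 1 VoiceMessage from voicemessage.com website!")
    msg.add_attachment(b"placeholder bytes, not malware", maintype="application",
                       subtype="octet-stream",
                       filename="link.voicemessage.com.listen.index.php1Ab2c.pif")
    msg.add_attachment(b"constructed benign file", maintype="application",
                       subtype="octet-stream", filename="report.index.pdf")
    return msg

if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(name, "->", "; ".join(reasons))
```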


Zafi.B can be detected and removed with a² with the latest signature updates loaded. The a² background guard blocks the worm immediately if it is started.

A more detailed description of the worm can be found at the a² Malware Database:
http://www.emsisoft.com/en/malware/?Worm.Win32.Zafi.B

6/14/2004

