a-squared Malware-Info

Name: Worm.Win32.Zafi.D

Description:

General

Worm.Win32.Zafi.D is a worm that spreads via e-mail and file-sharing networks. The executable is packed with FSG and is 11,745 bytes in size.

When started, Worm.Win32.Zafi.D copies itself to the Windows System directory as "Norton Update.exe". To be run again at every reboot it creates the following registry value:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wxp4"="%system%\Norton Update.exe"

The worm creates several further files containing packed copies of itself or components it uses:

%system%\ .DLL
C:\s.cm

Spreading

To harvest e-mail addresses, Worm.Win32.Zafi.D scans files whose extension contains one of the following strings (so "htm" also covers .html and "sht" covers .shtml, for example):

htm
wab
txt
dbx
tbb
asp
php
sht
adb
mbx
eml
pmr
fpt
inb

E-mail addresses containing one of the following strings are ignored. The list mostly covers webmail providers, Microsoft, anti-virus vendors and generic mailboxes such as admin, info, help and support, i.e. recipients that would not help the worm spread and might draw attention to it. Because the test is a plain substring match, it also drops unrelated addresses that happen to contain "win" or "use":

yaho
google
win
use
info
help
admi
webm
micro
msn
hotm
suppor
syman
viru
trend
secur
panda
cafee
sopho
kasper

Harvested e-mail addresses are stored in randomly named files (eight random characters plus ".dll") in the Windows System directory.
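The harvesting rules above can be modelled to see which files and addresses the worm actually selects. The following Python script is an added example, not the worm's code or a-squared's: it takes the extension list and the ignore list from this description and runs them over constructed sample files (the file names and addresses below are invented). It shows that both lists are plain substring matches, so "page.shtml" is scanned because its extension contains "sht", and an innocent address such as darwin@example.org is thrown away because it contains "win".

```python
"""Model of Zafi.D's address-harvesting filters as described on this page.

Added example, not the worm's code. The two string lists are taken from the
description; the sample files and addresses are constructed test data.
"""
import re

# A file is scanned when its extension CONTAINS one of these strings,
# so "htm" also covers .html, "sht" covers .shtml, "php" covers .php3 etc.
SCANNED_EXT_SUBSTRINGS = (
    "htm", "wab", "txt", "dbx", "tbb", "asp", "php", "sht",
    "adb", "mbx", "eml", "pmr", "fpt", "inb",
)

# An address is dropped when it CONTAINS one of these strings anywhere.
IGNORED_ADDR_SUBSTRINGS = (
    "yaho", "google", "win", "use", "info", "help", "admi", "webm",
    "micro", "msn", "hotm", "suppor", "syman", "viru", "trend",
    "secur", "panda", "cafee", "sopho", "kasper",
)

# Simple address pattern; good enough for harvesting from text files.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_scanned_file(filename: str) -> bool:
    """True if the worm would open this file to look for addresses."""
    _, dot, ext = filename.rpartition(".")
    if not dot:                      # no extension at all -> never scanned
        return False
    ext = ext.lower()
    return any(s in ext for s in SCANNED_EXT_SUBSTRINGS)


def is_ignored_address(addr: str) -> bool:
    """True if the worm would discard this address (case-insensitive substring test)."""
    a = addr.lower()
    return any(s in a for s in IGNORED_ADDR_SUBSTRINGS)


def harvest(files: dict[str, str]) -> tuple[list[str], list[str]]:
    """Split the addresses found in `files` into (targets, skipped).

    `files` maps a file name to its text content. Addresses are de-duplicated
    case-insensitively and kept in the order they were first seen.
    """
    targets, skipped, seen = [], [], set()
    for name, content in files.items():
        if not is_scanned_file(name):
            continue
        for addr in ADDR_RE.findall(content):
            key = addr.lower()
            if key in seen:
                continue
            seen.add(key)
            (skipped if is_ignored_address(addr) else targets).append(addr)
    return targets, skipped


# Constructed sample files (not real data).
SAMPLE_FILES = {
    "contacts.wab": "alice@example.com; support@example.com; darwin@example.org",
    "inbox.dbx": "bob@example.net  winnie@example.com  house.user@example.com",
    "page.shtml": "mailto:carol@example.co.uk mailto:virus@av-vendor.example",
    "notes.docx": "never.seen@example.com",   # "docx" contains none of the strings
    "README": "nodot@example.com",            # no extension -> not scanned
}

if __name__ == "__main__":
    targets, skipped = harvest(SAMPLE_FILES)
    print("would be mailed:", targets)
    print("ignored:", skipped)
```

Note how crude the filter is: "support@" and "virus@" are skipped as intended, but so are "darwin@" and "house.user@", while any address at an anti-virus vendor whose domain does not contain one of the listed fragments would still receive the worm.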

The worm's e-mails are disguised as Christmas greetings. Depending on the recipient's address, the worm uses different texts in different languages.

Besides spreading by e-mail, the worm can use several file-sharing networks. For this it copies itself into directories whose names contain one of the following strings:

share
upload
music

These copies use the file names "winamp 5.7 new!.exe" or "ICQ 2005a new!.exe".

Payload

To protect itself, the worm tries to terminate anti-virus tools and programs whose names contain one of the following strings (this covers the Registry Editor, msconfig and the Task Manager, i.e. the tools a user would reach for to remove it by hand):

reged
msconfig
task

In addition to this self-defence, Worm.Win32.Zafi.D includes a backdoor component that listens on port 8181 and allows an attacker to upload files to the infected machine and execute them.
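The indicators given on this page (the Run value "Wxp4" pointing at "Norton Update.exe" in the system directory, the file C:\s.cm, the file-sharing lure names and the listener on port 8181) can be checked against artifacts collected from a suspect host. The Python script below is an added example, not a-squared's tool or the worm's code: it parses a .reg export of the Run key, the output of netstat -ano and a list of file paths, all of which must first be gathered on the machine under investigation. The export, netstat text and paths in the script are constructed samples. The randomly named eight-character .dll files cannot be recognised by name alone and are left to a scanner.

```python
"""Offline triage of host artifacts against the Zafi.D indicators on this page.

Added example, not a-squared's or the worm's code. Inputs are a .reg export of
the Run key, `netstat -ano` output and collected file paths; all sample data
below is constructed.
"""
import re
from dataclasses import dataclass, field

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Wxp4"
DROPPED_EXE = "norton update.exe"   # copied into %system%
DROPPED_CM = r"c:\s.cm"
P2P_LURES = ("winamp 5.7 new!.exe", "icq 2005a new!.exe")
BACKDOOR_PORT = 8181


@dataclass
class Findings:
    registry: list[str] = field(default_factory=list)
    network: list[str] = field(default_factory=list)
    files: list[str] = field(default_factory=list)

    def infected(self) -> bool:
        return bool(self.registry or self.network or self.files)


def check_reg_export(reg_text: str) -> list[str]:
    """Values under the Run key named "Wxp4" or pointing at "Norton Update.exe".

    .reg exports write [HKEY...] headers followed by "name"="data" lines and
    double every backslash inside string data.
    """
    hits, in_run_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_run_key and (m := re.match(r'"([^"]+)"="(.*)"$', line)):
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            if name == RUN_VALUE_NAME or data.lower().endswith(DROPPED_EXE):
                hits.append(f"{RUN_KEY}\\{name} = {data}")
    return hits


def check_netstat(netstat_text: str, port: int = BACKDOOR_PORT) -> list[str]:
    """Sockets whose LOCAL port is the backdoor port, in `netstat -ano` format.

    The page names only the port, so TCP and UDP are both reported. A LISTENING
    TCP line is the open backdoor; an ESTABLISHED one with local port 8181 is a
    live session to it. Outbound connections TO a remote :8181 are not flagged.
    """
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].upper() in ("TCP", "UDP") \
                and parts[1].rsplit(":", 1)[-1] == str(port):
            hits.append(line.strip())
    return hits


def check_paths(paths: list[str]) -> list[str]:
    """The dropped executable under a \\system* directory, C:\\s.cm and P2P lures."""
    hits = []
    for p in paths:
        low = p.lower().replace("/", "\\")
        parent, _, name = low.rpartition("\\")
        if (name == DROPPED_EXE and "\\system" in parent) or name in P2P_LURES \
                or low == DROPPED_CM:
            hits.append(p)
    return hits


def triage(reg_text: str, netstat_text: str, paths: list[str]) -> Findings:
    return Findings(check_reg_export(reg_text), check_netstat(netstat_text),
                    check_paths(paths))


# Constructed samples (not from a real host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"Wxp4"="C:\\WINDOWS\\system32\\Norton Update.exe"
"""
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    0.0.0.0:8181           0.0.0.0:0              LISTENING       1788
  TCP    192.168.1.10:1052      203.0.113.5:8181       ESTABLISHED     3320
  UDP    0.0.0.0:123            *:*                                    1100
"""
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\Norton Update.exe",
    r"C:\WINDOWS\system32\kjhgfdsa.dll",
    r"C:\s.cm",
    r"C:\Program Files\KaZaA\My Shared Folder\winamp 5.7 new!.exe",
    r"D:\music\ICQ 2005a new!.exe",
    r"C:\Program Files\Winamp\winamp.exe",
]

if __name__ == "__main__":
    result = triage(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_PATHS)
    print(result, "->", "infected" if result.infected() else "clean")
```

On a live host the artifacts are produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` and `netstat -ano > netstat.txt`; collect them before terminating anything, because the worm kills Task Manager and regedit, and a listener that has already been shut down leaves no trace in netstat.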

Other special features

Currently no special features are known.

Removal instructions for Worm Zafi D:

To remove this infection, download and install a-squared Anti-Malware, run a full scan of all drives and move all detected items to quarantine.

How can I protect myself from Worm Zafi D?

Important!
You need an antivirus product that not only cleans existing infections but also protects your PC permanently against new threats. This is the only way to avoid data loss and the unnecessary hassle and cost of reinstalling your operating system.

Take your chance and buy the multiple award-winning protection software a-squared Anti-Malware today!

Only $40 for the security of your computer.

Buy a-squared Anti-Malware online:

Buy a-squared Anti-Malware now

Trust only the best protection software!

Best In Test!

a-squared Anti-Malware is the best of 19 tested antivirus programs - Test by MRG - Malware Research Group - June 2009
More independent reviews of anti-malware software