Virus

W32/Zafi.D@mm

Analysis

This virus is 32-bit with a packed file size of 11,745 bytes. It spreads via SMTP and also copies itself into folders whose names contain certain strings.
This virus will harvest email addresses from files with these extensions -
htm, wab, txt, dbx, tbb, asp, php, sht, adb, mbx, eml, pmr, fpt & inb.
The virus skips any harvested address whose domain portion contains one of these strings -
yaho, google, win, use, info, help, admi, webm, micro, msn, hotm, suppor, syman, viru, trend, secur, panda, cafee, sopho & kasper
The virus uses a table of subject lines and constructs one email per address found. The subject texts it selects from include these -
boldog karacsony...
Feliz Navidad!
Christmas Kort!
Christmas Vykort!
Christmas Postkort!
Christmas postikorti!
Christmas Atviruka!
Christmas - Kartki!
Weihnachten card.
Prettige Kerstdagen!
Christmas pohlednice
Joyeux Noel!
Buon Natale!
Merry Christmas!
The attachment carrying the virus typically has a long file name such as 'card.php7418.cmd' and uses one of these file extensions -
.cmd, .bat, .pif, .com or .zip
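As an added example (not part of the original write-up), the following Python mail-gateway check turns the subject table and attachment extensions listed above into a triage rule: a message whose attachment uses one of the observed extensions is blocked, and a message that only carries one of the lure subjects is quarantined for review. The function names (`triage_message`, `build_sample`) and the sample messages are constructed for this demonstration.

```python
"""Triage inbound mail for the W32/Zafi.D@mm lure (added example, constructed data)."""
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Subject lines reported in the write-up.
ZAFI_SUBJECTS = [
    "boldog karacsony...", "Feliz Navidad!", "Christmas Kort!", "Christmas Vykort!",
    "Christmas Postkort!", "Christmas postikorti!", "Christmas Atviruka!",
    "Christmas - Kartki!", "Weihnachten card.", "Prettige Kerstdagen!",
    "Christmas pohlednice", "Joyeux Noel!", "Buon Natale!", "Merry Christmas!",
]
# Attachment extensions reported for the mailed copy of the worm.
ZAFI_EXTENSIONS = {".cmd", ".bat", ".pif", ".com", ".zip"}


def _norm(subject):
    """Lower-case the subject and drop trailing '!', '.' and spaces so the
    comparison is tolerant of minor punctuation changes."""
    return re.sub(r"[\s.!]+$", "", (subject or "").strip().lower())


KNOWN_LURES = {_norm(s) for s in ZAFI_SUBJECTS}


def triage_message(raw_bytes):
    """Return a verdict dict for one RFC 5322 message given as bytes."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    lure = _norm(msg.get("Subject")) in KNOWN_LURES
    blocked = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Only the final extension matters: 'card.php7418.cmd' -> '.cmd'
        ext = os.path.splitext(name)[1].lower()
        if ext in ZAFI_EXTENSIONS:
            blocked.append(name)
    if blocked:
        verdict = "block"          # executable attachment type seen in this worm
    elif lure:
        verdict = "quarantine"     # lure subject without a risky attachment
    else:
        verdict = "deliver"
    return {"lure_subject": lure, "blocked_attachments": blocked, "verdict": verdict}


def build_sample(subject, attachment_name, payload):
    """Build a constructed test message (not a real sample) and return its bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.test"   # constructed address
    m["To"] = "recipient@example.test"  # constructed address
    m["Subject"] = subject
    m.set_content("Season's greetings")
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, name in [("Merry Christmas!", "card.php7418.cmd"),
                       ("Joyeux Noel!", "card.jpg"),
                       ("Quarterly figures", "report.pdf")]:
        print(subj, name, "->", triage_message(build_sample(subj, name, b"x"))["verdict"])
```

Gateways that only match on the subject table will miss future variants with new strings, so the extension check is the durable part of the rule; the subject match is kept as a lower-severity signal that still surfaces messages worth inspecting.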
The virus writes the harvested email addresses, up to six per file, into text files in the System32 folder that have a random name and a .DLL extension, such as these -
lggzwscd.dll
myzsnxmh.dll
nkqjexyb.dll
and so on.
Loading at Windows startup
The virus will register itself to run at each Windows startup by creating this registry key and value -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"Wxp4" = C:\WINNT\System32\Norton Update.exe
Registry Additions
The virus stores values in the registry that support its activity on the host system -

  • listing of programs found in the "Program Files" folder
  • location and file name of utility files found on the host which have these strings in their file names - "firewall", "virus", "reged", "msconfig" or "task"
  • SMTP email settings
  • location and file names of the .DLL files written to hold the harvested email addresses

Below is an example of registry additions on a compromised host -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wxp4
"lA" = C:\Program Files\WinZip
"lB" = C:\Program Files\Zone Labs\ZoneAlarm
"lC" = C:\Program Files\InCtrl5
"lD" = C:\Program Files\Microsoft Office\Office
"lE" = C:\Program Files\Microsoft Office\Office\1033
"lF" = C:\Program Files\Ethereal
"mA" = C:\WINNT\regedit.exe
"mB" = C:\WINNT\TASKMAN.EXE
"mC" = C:\WINNT\system32\taskman.exe
"mD" = C:\WINNT\system32\taskmgr.exe
"mE" = C:\WINNT\system32\regedt32.exe
"mF" = C:\WINNT\system32\mstask.exe
"mG" = C:\WINNT\system32\dllcache\mstask.exe
"mH" = C:\WINNT\system32\dllcache\regedit.exe
"mI" = C:\WINNT\system32\dllcache\regedt32.exe
"mJ" = C:\WINNT\system32\dllcache\taskmgr.exe
"mK" = C:\WINNT\system32\dllcache\taskman.exe
"rC" = <SMTP server name>
"rD" = <hex values>
"t1" = <SMTP displayed name>
"t2" = <SMTP email address of host>
"t3" = C:\WINNT\System32\Norton Update.exe
"t4" = C:\WINNT\System32\hwwpsoei.dll
"t5" = C:\WINNT\System32\lggzwscd.dll
"t6" = C:\WINNT\System32\bxkngbsm.dll
"t7" = C:\WINNT\System32\qysjxmpb.dll
"t8" = C:\WINNT\System32\fasenifc.dll
"t9" = C:\WINNT\System32\nkqjexyb.dll
"tA" = C:\WINNT\System32\zfsferkb.dll
"tB" = C:\WINNT\System32\fvviwsvn.dll
"tC" = C:\WINNT\System32\aottdpbg.dll
"tD" = C:\WINNT\System32\ijnltfmu.dll
"tE" = C:\WINNT\System32\ahjyzphv.dll
"tZ" = C:\WINNT\System32\myzsnxmh.dll
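As an added example (not part of the original write-up), the Python script below scans a registry export in the "Windows Registry Editor Version 5.00" text format for the indicators described above: the "Wxp4" Run value that provides startup persistence, the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wxp4 key, the dropped 'Norton Update.exe' copies, and the random-named .DLL files in System32 that hold harvested addresses and should be collected during cleanup. The parser, the function names (`parse_reg_export`, `scan_for_zafi`) and both sample exports are constructed for this demonstration; the sample values are taken from the listing above.

```python
"""Scan a .reg export for W32/Zafi.D@mm indicators (added example, constructed data)."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
ZAFI_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wxp4"
# Harvest files observed in the write-up: eight lower-case letters plus .dll in System32.
RANDOM_DLL_RE = re.compile(r"\\system32\\[a-z]{8}\.dll$", re.I)
DROPPED_COPY_SUFFIX = r"\norton update.exe"

# Constructed export reproducing the registry additions listed in the write-up.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wxp4"="C:\\WINNT\\System32\\Norton Update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wxp4]
"lA"="C:\\Program Files\\WinZip"
"mA"="C:\\WINNT\\regedit.exe"
"t3"="C:\\WINNT\\System32\\Norton Update.exe"
"t4"="C:\\WINNT\\System32\\hwwpsoei.dll"
"t5"="C:\\WINNT\\System32\\lggzwscd.dll"
"tZ"="C:\\WINNT\\System32\\myzsnxmh.dll"
"""

# Constructed export from a host without these indicators.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
"""


def parse_reg_export(text):
    """Minimal parser for REG_SZ values: returns {lower-cased key path: {name: data}}.
    Registry paths are case-insensitive, so keys are normalised to lower case."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # .reg files escape each backslash as '\\'; undo that.
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def scan_for_zafi(export_text):
    """Return the Zafi.D indicators found in one registry export."""
    keys = parse_reg_export(export_text)
    findings = {"persistence": [], "config_key_present": False,
                "dropped_copies": [], "harvest_files": []}
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() == "wxp4" or data.lower().endswith(DROPPED_COPY_SUFFIX):
            findings["persistence"].append((name, data))
        if data.lower().endswith(DROPPED_COPY_SUFFIX):
            findings["dropped_copies"].append(data)
    config = keys.get(ZAFI_KEY.lower())
    if config is not None:
        findings["config_key_present"] = True
        for data in config.values():
            if RANDOM_DLL_RE.search(data):
                findings["harvest_files"].append(data)   # collect before deleting
            elif data.lower().endswith(DROPPED_COPY_SUFFIX):
                findings["dropped_copies"].append(data)
    findings["infected"] = bool(findings["persistence"]) or findings["config_key_present"]
    return findings


if __name__ == "__main__":
    for label, text in [("sample", SAMPLE_EXPORT), ("clean", CLEAN_EXPORT)]:
        print(label, scan_for_zafi(text))
```

The harvest file list is kept separately from the persistence finding because those files are evidence of which addresses on the host were exposed, so an incident handler will usually want to preserve them before the registry key and the dropped executable are removed.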
Miscellaneous
The virus contains code to initiate a denial of service attack against 'microsoft.com'. The DoS method is a simple HTTP GET request sent repeatedly. With many systems infected it could place a higher than normal HTTP load on the target, but with load balancing in place and the large number of serving systems involved, the attack is not expected to be significant.

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Prior to updating the AV db, Administrators can block the spread of this virus by using the file extension blocking feature of FortiGate systems. Blocking extensions .PIF, .COM, .CMD & .EXE is an effective means of preventing the spread of common mass-mailers such as this.