The worm spreads via the Internet as an attachment to infected messages, and also via file-sharing networks.
It sends itself to email addresses harvested from the infected computer.
The worm itself is a Windows PE EXE file, approximately 12KB in size, packed using FSG. The unpacked file is approximately 37KB in size.
The worm contains a backdoor.
Installation
Once launched, the worm displays the following dialogue box:
When installing, the worm copies itself to the Windows system directory as 'NortonUpdate.exe' and registers this file in the system registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Wxp4" = C:\WINDOWS\SYSTEM32\Norton Update.exe
This ensures a copy of the worm will be launched each time the infected machine is rebooted.
The worm also creates files in the Windows system directory which have random names, and a .dll extension.
For example:
%System%\csnhzdsb.dll
%System%\gzapvzry.dll
%System%\hrdkwxwu.dll
%System%\icvwceot.dll
Email addresses harvested from the victim machine are saved to these files.
Zafi.d also creates the following entry in the system registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wxp4]
Wxp4 is the worm's identifier, which flags its presence in the system.
Propagation via email
The worm harvests email addresses from the MS Windows address book, and also from files with the following extensions:
adb
asp
dbx
eml
fpt
htm
inb
mbx
php
pmr
sht
tbb
txt
wab
All harvested addresses will be saved in the .dll files which the worm has created in the Windows system directory.
The worm does not send messages to addresses which contain the following text strings:
admi
cafee
google
help
hotm
info
kasper
micro
msn
panda
secur
sopho
suppor
syman
trend
use
viru
webm
win
yaho
Zafi.d establishes a direct connection to the recipient's SMTP server in order to send messages.
Infected messages
Infected messages are sent in a variety of languages. The language of the infected messages is determined by the recipient's domain name.
Message subject (chosen from the list below):
Merry Christmas!
boldog karacsony...
Feliz Navidad!
ecard.ru
Christmas Kort!
Christmas Vykort!
Christmas Postkort!
Christmas postikorti!
Christmas - Kartki!
Weihnachten card.
Prettige Kerstdagen!
Christmas pohlednice
Joyeux Noel!
Buon Natale!
Message body (chosen from the list below):
- Happy HollyDays!
:) [Sender]
- Kellemes Unnepeket!
:) [Sender]
- Feliz Navidad!
:) [Sender]
- Glaedelig Jul!
:) [Sender]
- God Jul!
:) [Sender]
- Iloista Joulua!
:) [Sender]
- Naulieji Metai!
:) [Sender]
- Wesolych Swiat!
:) [Sender]
- Fröhliche Weihnachten!
:) [Sender]
- Prettige Kerstdagen!
:) [Sender]
- Veselé Vánoce!
:) [Sender]
- Joyeux Noel!
:) [Sender]
- Buon Natale!
:) [Sender]
Attachment name
The attachment name is randomly generated. It contains the word 'postcard' in a language which corresponds to the recipient's domain name and a long string of random characters. The attachment name will have one of the following extensions:
.bat
.cmd
.com
.pif
.zip
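A mail-gateway heuristic for the message format described under "Infected messages" and "Attachment name", added here as an example and not part of the original description: it scores a message on the listed subjects, the two-line greeting body and an attachment that pairs a postcard word with a long random string and one of the listed extensions. The translated postcard words and the 8-character threshold for "a long string of random characters" are assumptions.

```python
import re

# Indicators copied from the description: subjects, greeting lines, attachment extensions.
SUBJECTS = {
    "Merry Christmas!", "boldog karacsony...", "Feliz Navidad!", "ecard.ru",
    "Christmas Kort!", "Christmas Vykort!", "Christmas Postkort!",
    "Christmas postikorti!", "Christmas - Kartki!", "Weihnachten card.",
    "Prettige Kerstdagen!", "Christmas pohlednice", "Joyeux Noel!", "Buon Natale!",
}
GREETINGS = {
    "Happy HollyDays!", "Kellemes Unnepeket!", "Feliz Navidad!", "Glaedelig Jul!",
    "God Jul!", "Iloista Joulua!", "Naulieji Metai!", "Wesolych Swiat!",
    "Fröhliche Weihnachten!", "Prettige Kerstdagen!", "Veselé Vánoce!",
    "Joyeux Noel!", "Buon Natale!",
}
ATTACH_EXTS = (".bat", ".cmd", ".com", ".pif", ".zip")
# Assumption: the page only says 'postcard' appears in the recipient's language; these
# translations are illustrative, sorted longest first so "postcard" is stripped before "card".
POSTCARD_WORDS = sorted(
    ("postcard", "postkort", "postikorti", "pohlednice", "vykort", "kartki", "kort", "card"),
    key=len, reverse=True)
# Body pattern from the page: "- <greeting>" on one line, ":) <sender>" on the next.
BODY_RE = re.compile(r"-\s*(?P<greeting>[^\n]+?)\s*\n\s*:\)\s*(?P<sender>[^\n]+)")


def attachment_suspicious(name: str) -> bool:
    # Postcard word + long random run + listed extension, as the page describes.
    base, dot, ext = name.lower().rpartition(".")
    if not dot or "." + ext not in ATTACH_EXTS:
        return False
    found = False
    for word in POSTCARD_WORDS:
        if word in base:
            found = True
            base = base.replace(word, " ")  # drop the word so it is not counted as random
    # Assumption: 8+ leftover consecutive alphanumerics stand in for "a long random string".
    return found and re.search(r"[a-z0-9]{8,}", base) is not None

def zafi_d_indicators(subject: str, body: str, attachment: str) -> list:
    # Return which of the three message traits match; two or more is a strong signal.
    hits = []
    if subject.strip() in SUBJECTS:
        hits.append("subject")
    m = BODY_RE.match(body.strip())
    if m and m.group("greeting").strip() in GREETINGS:
        hits.append("body")
    if attachment_suspicious(attachment):
        hits.append("attachment")
    return hits
```

Run it over each inbound message's subject, body and attachment file name; a genuine holiday greeting with a sensibly named attachment scores at most one indicator.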
Propagation via local and file-sharing networks
Zafi.d copies itself to all folders whose name contains one of the following text strings:
music
share
upload
The worm copies itself to these folders under a name chosen from the list below:
winamp 5.7 new!.exe
ICQ 2005a new!.exe
For example:
c:\Program Files\Common Files\Microsoft Shared\ICQ 2005a new!.exe
Remote administration
The worm opens TCP port 8181 on the victim machine in order to receive commands. The backdoor offers a malicious remote attacker full access to the infected computer. In addition to this, files can be downloaded from the Internet and launched on the victim machine.
Payload
Zafi.d attempts to detect and terminate firewall and antivirus applications on infected machines, by overwriting the application files with a copy of itself.