Worm Win32.Zafi.B and its removal

    The new internet worm Zafi.B spreads very fast mainly via email attachments, but also via filesharing networks.

    The message subject and body text differ depending on the domain extension of the recipient's email address. Target email addresses are collected on the local computer and extracted from several kinds of files, such as temporary internet files and email address books.


    Once the file has been executed, it does the following:

    1. Creates mutex_Hazafibb
    2. Prevents execution of the processes containing: regedit, msconfig, task, (eg: regedit, taskman, taskmon, mstask, msconfig)
    3. Deletes the following files from the Windows folder: fvprotect.exe, winlogon.exe, services.exe, jammer2nd.exe
    4. Checks if the computer is connected to the internet by attempting to contact google.com or microsoft.com
    5. Searches for e-mail addresses in files matching: htm,wab,txt,dbx,tbb,asp,php,sht,adb,mbx,eml,pmr
    6. Avoids e-mail addresses containing: win, use, info, help, admi, webm, micro, msn, hotm, suppor, syma, vir, trend, panda, yaho, cafee, sopho, google, kasper, msn, office, nero, icq, game, winra, winzi, divx, movie, total, wina
    7. Stores found e-mail addresses in randomly named .dll files in the %SYSTEM% folder
    8. Creates registry key and entries:
    [HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"_Hazafibb"="%SYSTEM%\%random%.exe"]
    9. Uses its own SMTP engine to send itself to the harvested addresses. Attempts to obtain an SMTP server address by prefixing smtp., mx., etc. to the domain of the harvested address, or falls back to a default SMTP address.
    10. Creates copies of the virus in folders containing “share” or “upload” as winamp 7.0 full_install.exe and/or Total Commander 7.0 full_install.exe
    11. Creates a thread that attempts to flood: www.parlament.hu, www.virusbuster.hu, www.virushirado.hu, www.2f.hu
    12. May create files C:\SYS.TXT and _upload.exe
    13. The virus contains the following string:
    A hajlektalanok elhelyezeset, a bunteto torvenyek szigoritasat, es a HALALBUNTETES MEGSZAVAZASAT koveteljuk a kormanytol, a novekvo bunozes ellen!2004, jun, Pecs,(SNAF Team).

    Removal:

    All antivirus vendors had protection for the Zafi.B worm with their latest updates. Symantec has a removal tool, and you could also use one of these free online scanners: Trend Micro's free online scanner, Housecall; McAfee's Stinger tool; or Panda Software's ActiveScan. F-Secure has a removal tool available in several formats.

    Because Zafi.B may disable or overwrite existing antivirus products on infected machines, users may need to use one of the removal utilities or scanners mentioned above. If your antivirus has been overwritten, you will need to reinstall it when your system is free of Zafi.

    The main infection is removed by deleting files in the Windows system folder and removing registry entries. If you’re not familiar with the Registry editor, you should probably use one of the removal tools mentioned above. While we highly recommend that you back up your registry before editing, you should be aware that the backup you make contains entries associated with Zafi.B. Since the files are deleted, you may get errors if you restore from the backup at a future date. Once your system has been cleaned, and is operating properly, you may want to delete the backup that has Zafi.B entries in it.

    1. Turn off System Restore if you're using Windows ME or XP. When you make changes to your system, Windows creates a restore point. If it does this while the system is infected, the worm may be restored later and re-infect the machine.
    2. Restart the computer in Safe Mode. Since the Zafi.B worm creates running processes, and Windows doesn’t allow you to delete files connected with running processes, restarting is necessary. Using Safe mode prevents Windows from loading drivers and auto run entries so your system boots relatively clean. In addition, Zafi.B blocks the use of Regedit which is required below.
    3. Run a full system scan with an updated antivirus scanner (or one of the online scanners mentioned above). If your scanner does not remove everything, follow the next few steps.
    4. IMPORTANT: Your antivirus software should, during detection, produce a list of files associated with the W32/Zafi.B or W32/Erkez virus (depends on scanner). The files will be copies of the worm stored in the Windows system folder and shared folders mentioned above. You should set your antivirus to delete them. If not, delete them manually.
    5. Make a backup of the registry before you edit. Delete the Run entry associated with Zafi.B from the registry. Under the key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    delete the value:
    "_Hazafibb"="%system%\.exe"
    Also delete the key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb
    6. Exit the registry editor.
    7. Re-enable System Restore, reboot machine.
    8. Re-scan to be sure all files are clean.
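    As an added example (not part of the original article or its sources), the following PowerShell script audits a host for the persistence artifacts listed above: the "_Hazafibb" Run value and the file it points to, the HKLM\SOFTWARE\Microsoft\_Hazafibb marker key, and the two dropped copies in folders whose name contains "share" or "upload". It assumes PowerShell is installed on the machine and that the $ShareRoots parameter (an assumption, defaulting to the system drive) points at the folders worth walking; it only reports by default and deletes only when run with -Remove from an elevated prompt, ideally in Safe Mode as step 2 advises.

```powershell
# Added example: audit (and optionally remove) Zafi.B persistence artifacts.
# Run elevated; pass -Remove to delete what is found. $ShareRoots is an
# assumption: point it at the share/upload folders used on this machine.
param(
    [switch]$Remove,
    [string[]]$ShareRoots = @("$env:SystemDrive\")
)

$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$markerKey = 'HKLM:\SOFTWARE\Microsoft\_Hazafibb'
$valueName = '_Hazafibb'
$dropNames = @('winamp 7.0 full_install.exe', 'Total Commander 7.0 full_install.exe')
$findings  = @()

# 1. Run value that relaunches the randomly named copy from the system folder
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains $valueName)) {
    $target = [Environment]::ExpandEnvironmentVariables($run.$valueName)
    $findings += "Run value '$valueName' -> $target"
    if ($Remove) {
        Remove-ItemProperty -Path $runKey -Name $valueName
        if (Test-Path $target) { Remove-Item -Path $target -Force }
    }
}

# 2. Infection marker key created by the worm
if (Test-Path $markerKey) {
    $findings += "Marker key $markerKey present"
    if ($Remove) { Remove-Item -Path $markerKey -Recurse }
}

# 3. Worm copies dropped into folders containing 'share' or 'upload'
foreach ($root in $ShareRoots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match 'share|upload' } |
        ForEach-Object {
            foreach ($name in $dropNames) {
                $path = Join-Path $_.FullName $name
                if (Test-Path $path) {
                    $findings += "Dropped copy $path"
                    if ($Remove) { Remove-Item -Path $path -Force }
                }
            }
        }
}

if ($findings.Count -eq 0) { 'No Zafi.B persistence artifacts found.' }
else { $findings | ForEach-Object { "FOUND: $_" } }
```

    Because the worm blocks regedit and similar tools while running, run the script after booting into Safe Mode, then follow step 8 and re-scan with an updated antivirus product.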

    Sources: Pcmag | BitDefender


Comments

  1. Anonymous says

    Currently have been infected with this worm.

    After having run Symantec Corporate Edition, the registry keys have been deleted.

  2. Anonymous says

    Got this virus yesterday through an email from a family member (unbeknownst to them) asking me to click on a link to access a voicemail from them. I really should have known better. Also, I didn’t download the Perfect Defender fake software afterwards, but both of my internet browsers were hijacked anyway. BTW, I have Windows XP Professional and use McAfee.

    After reading several different threads about win32.zafi.b from my hubby's laptop, and my McAfee scan still couldn't find anything, I was lucky to have the simplest solution work for me (and didn't have to download anything!)
    1. Re-booted in Safe Mode (F8)
    2. To be on the safe side (and I don't know if this was necessary), I disabled suspicious files (see below) under the Startup tab (Start–Run–msconfig–startup)
    3. Searched for odd looking exe and dll files in C:\DOCUMENTS AND SETTINGS\username\Application Data\Google (had to actually type this in to find the folders; also did google searches on exe and dll files to find out if they were legit or not); for me, the two virus files were: vgwsn871850.exe and ptnmsnn.dll;
    4. Also deleted same ptnmsnn.dll file under C:\WINDOWS\Prefetch

    Restarted computer, ran McAfee virus check again, cleaned up disk space, defragged, and backed up my files…all good now!

    Also, another thread suggested turning off System Restore before starting, then turning back on after finished de-bugging. Again, don’t know if necessary, but I did that too. Good luck to you guys! ~Yvonne

  3. Anonymous says

    Thanks Yvonne! Your method worked great for me. The file names were different on my computer, but in the same locations. After deleting them in safe mode, everything was running normally after the restart.

  4. Anonymous says

    Had the same problem with Zafi infection. I used McAfee Stinger s/w (free) from McAfee website. It fixed the problem. Just follow instructions for your system. If you cannot get to internet, go to another computer and download the s/w to a disc and then install and run on infected computer. Worked for me without having to manually change anything.

  5. Anonymous says

    Thank you so much! I actually paid for new antispyware software which failed to try and get rid of this before I found this post. It was so simple, I didn't even have the perfect defender, just the win32.zafi.B, but it still completely hijacked my anti-virus software and both internet browsers. All better now though, thanks Yvonne!

  6. Anonymous says

    Had this start happening last night…shut down the computer for the night after 1 or 2 of the spyware apps couldn’t detect it…and then one froze in the middle. I shut down and now am trying to log on to windows and it starts to apply settings and then logs me back off again. It also does this when i try to log-on thru safe mode.

    please help!

  7. Anonymous says

    Yvonne,
    Awesome! Thanks so much. I tried 3 free anti-spyware programs, none of which could find win32.zafi.b. But your easy solution was just that: easy and a solution. Thanks much!

    Lane

  8. Anonymous says

    Thanks Yvonne. I was hit by this not by email, but by a PDF program on a website that opened on its own while I was reading an article. I immediately was suspicious because the PDF file took a massive amount of memory.

    Afterwards, my computer rebooted & I started getting the worm warnings. I couldn't open MSN/Windows Live Messenger or Firefox/IE (which I do not use). Luckily, I have the Opera browser. That's when I found this page & followed your suggestion.

    I used Killbox.exe to delete the processes in safe mode. Problem solved.

    Once again, thanks for your suggestion.

    -Bruce

  9. David says

    Thank you. Thank you. Thank you, Yvonne. I spent a few hours doing a McAfee full-scan and Stinger scan in the Safe Mode, but they didn't help at all. I followed your instructions and they worked like a charm.
    – David

  10. Anonymous says

    Maybe I'm being a little paranoid, but I'm going to format and reinstall everything. This thing jumped onto my system off a shareware/freeware web page (a seemingly legit one) that ran an ActiveX, launched an svchost (which my firewall did not stop, as it was a permitted process) that I assume downloaded an executable, created some registry keys and proceeded to reboot my machine. I stopped the reboot, pulled the drive and went from there, but I'm just saying, this was the most aggressive thing I've ever seen malware do, so keep your eyes open for a while and make sure it doesn't come flying up out of the bathtub.
    –Chris

  11. Anonymous says

    This Zafi.B forced a restart of my machine as well, however I found files in the same exact places as Yvonne. After removing all of those in safe mode and deleting associated registry keys, I noticed the malware had also placed several .gif images into my \username\application data\ directory, images that it had used to mimic the Windows Firewall symbols of the color-coded shields. I noted the 'Modified' time on these files and then did a search for all files on my hard drive last modified on the same day. I'm sure it helped that I left my computer off for most of the day after this issue occurred, but I found 6 more .exe files, 3 .dll files, and many other suspicious looking files created the exact same minute as all the .gifs. I would recommend this search to anyone else with this issue as the .exe files seemed to be copies of the virus. Outside of that however, thank you SOOOO much Yvonne for your solution, and Xphunt3r for this post, because I had tried 4 different 'cleaner' programs with no luck, and even Microsoft's 'Malware Removal Tool' (which lists Zafi in the list of problems that it can correct as of the Feb. 09 update) didn't even detect a malicious file or program. Thanks again.

  12. Anonymous says

    I don't delete emails nor did I get an email containing anything like the above, but I still got the Win32Zafi.B infection. Just saying so whoever gives the info can see if there are any more possible ways to get this infection for future safety.^^ Thanks for the ways to get rid of it. Helped a lot.
    your friend, anon.

  13. Anonymous says

    Malwarebytes Anti-Malware (free) cleared this problem up for me whilst in safe mode. I also followed the steps Yvonne suggested and deleted a .dll in the google folder (mine was named spclpt32.dll), however this wasn’t picked up by any anti-spyware, it was created at the same time as the exe, which the scanner removed, so I removed it just to be safe.

    I got the virus after watching a divx/flv movie on joox.net, not via email.

    Laptop is back to full working order now.

    Cheers, Mack
