The message subject and body text differs depending on the domain extension of the receiver’s email address. Target email addresses are collected on the local computer and extracted from several files like temporary internet files and email address books.
1. Creates mutex_Hazafibb
2. Prevents execution of the processes containing: regedit, msconfig, task, (eg: regedit, taskman, taskmon, mstask, msconfig)
3. Deletes the following files from Windows folder: fvprotect.exe winlogon.exe services.exe jammer2nd.exe
4. Checks if the computer is connected to the internet by attempting to contact google.com or microsoft.com
5. Searches for e-mail addresses in files matching: htm,wab,txt,dbx,tbb,asp,php,sht,adb,mbx,eml,pmr
6. Avoids e-mail addresses containing: win, use, info, help, admi, webm, micro, msn, hotm, suppor, syma, vir, trend, panda, yaho, cafee, sopho, google, kasper, msn, office, nero, icq, game, winra, winzi, divx, movie, total, wina
7. Stores found e-mail addresses in random named dll files in %SYSTEM% folder
8. Creates registry key and entries:
9. Uses it’s own SMTP engine to send itself to harvested e-mails. Attempts to obtain a smtp server address by adding smtp. or mx. etc to the domain from the harvested address or uses a default smtp address.
10. Creates copies of the virus in folders containing “share” or “upload” as winamp 7.0 full_install.exe and/or Total Commander 7.0 full_install.exe
11. Creates a thread that attempts to flood: www.parlament.hu, www.virusbuster.hu, www.virushirado.hu, www.2f.hu
12. May create files C:\SYS.TXT and _upload.exe
13. The virus contains the following string:
A hajlektalanok elhelyezeset, a bunteto torvenyek szigoritasat, es a HALALBUNTETES MEGSZAVAZASAT koveteljuk a kormanytol, a novekvo bunozes ellen!2004, jun, Pecs,(SNAF Team).
All antivirus vendors had protection for the Zafi.B worm with their latest updates. Symantec has a removal tool, and you could also use these free online scanners. Trend Micro’s free online scanner, Housecall, McAfee’s Stinger tool, or Panda Software’s ActiveScan. F-secure has a removal tool available in several formats.
Because Zafi.B may disable or overwrite existing antivirus products on infected machines, users may need to use one of the removal utilities or scanners mentioned above. If your antivirus has been overwritten, you will need to reinstall it when your system is free of Zafi.
The main infection is removed by deleting files in the Windows system folder and removing registry entries. If you’re not familiar with the Registry editor, you should probably use one of the removal tools mentioned above. While we highly recommend that you back up your registry before editing, you should be aware that the backup you make contains entries associated with Zafi.B. Since the files are deleted, you may get errors if you restore from the backup at a future date. Once your system has been cleaned, and is operating properly, you may want to delete the backup that has Zafi.B entries in it.
1. Turn off System Restore if you’re using Windows ME or XP. When you make changes to your system, Windows does a restoration checkpoint. If it does this while the system is infected, it may come back to re-infect later.
2. Restart the computer in Safe Mode. Since the Zafi.B worm creates running processes, and Windows doesn’t allow you to delete files connected with running processes, restarting is necessary. Using Safe mode prevents Windows from loading drivers and auto run entries so your system boots relatively clean. In addition, Zafi.B blocks the use of Regedit which is required below.
3. Run a full system scan with an updated antivirus scanner (or one of the online scanners mentioned above). If your scanner does not remove everything, follow the next few steps.
4. IMPORTANT: Your antivirus software should, during detection, produce a list of files associated with the W32/Zafi.B or W32/Erkez virus (depends on scanner). The files will be copies of the worm stored in the Windows system folder and shared folders mentioned above. You should set your antivirus to delete them. If not, delete them manually.
5. Make a backup of the registry before you edit. Delete the Run entries associated with Zafi.B from the registry. These will be:
and delete the key:
Also delete the key:
6. Exit the registry editor.
7. Re-enable System Restore, reboot machine.
8. Re-scan to be sure all files are clean.