AL-2004.042 -- Increased Virus Activity -- New Zafi Variant

Date: 15 December 2004

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2004.042 -- AUSCERT ALERT
                         Increased Virus Activity
                             New Zafi Variant
                             15 December 2004

===========================================================================

        AusCERT Alert Summary
        ---------------------

Operating System:  Windows
Impact:            Execute Arbitrary Code/Commands
Access:            Remote/Unauthenticated

Comment: AusCERT has produced an article "Protecting your computer from
         malicious code", available at: http://www.auscert.org.au/3352

- --------------------------BEGIN INCLUDED TEXT--------------------

PROBLEM:  

	AusCERT has been made aware of media attention regarding activity
	due to a new ZAFI worm known as Zafi.D [1],[2],[3],[4],[5] and
	Erkez.D [6].

	
OVERVIEW: 

	Zafi.D is a mass-mailing worm affecting Windows systems which
	attempts to entice a user to run a malicious email attachment.
	The worm also spreads via Peer-to-Peer file sharing applications.


IMPACT:   

	Details of the email messages include:

	The subject line may begin with "Re:" or "Fw:", followed by one of:

	Merry Christmas!
	boldog karacsony...
	Feliz Navidad!
	ecard.ru
	Christmas Vykort!
	Christmas Postkort!
	Christmas postikorti!
	Christmas Atviruka!
	Christmas - Kartki!
	Weihnachten card.
	Prettige Kerstdagen!
	Christmas pohlednice
	Joyeux Noel!
	Buon Natale!


	Attachment:

	The attachment name typically contains the word "Postcard" and may
	use the words "link", "Christmas" or "index" as part of the filename.
	The attachment is 11,745 bytes in size.


	Attachment Extension:

	.zip
	.cmd
	.bat
	.pif
	.com


	Message Body:

	The body of the emails sent by this worm is in the form of a
	Christmas greeting, and, as with previous versions of this worm, the
	language is determined by the top-level domain of the recipient's
	email address.  For example, users with a .com or .org email
	address will typically receive an English email, while recipients
	with a .fr address will receive a French version of the email.
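The mail-level indicators above (subject prefix and greeting, attachment name, extension and size) can be turned into a gateway-side check. The following is an added example written for this page; it is not AusCERT's code or any vendor's signature. The `MailMeta` type and the sample messages are constructed for illustration, and the two-indicator threshold is this example's own design choice.

```python
import re
from dataclasses import dataclass

# Mail-level indicators listed in the advisory for Zafi.D.
ZAFI_D_SUBJECTS = {
    "merry christmas!", "boldog karacsony...", "feliz navidad!", "ecard.ru",
    "christmas vykort!", "christmas postkort!", "christmas postikorti!",
    "christmas atviruka!", "christmas - kartki!", "weihnachten card.",
    "prettige kerstdagen!", "christmas pohlednice", "joyeux noel!",
    "buon natale!",
}
ZAFI_D_EXTENSIONS = {".zip", ".cmd", ".bat", ".pif", ".com"}
ZAFI_D_ATTACHMENT_SIZE = 11745  # bytes, per the advisory
SUBJECT_PREFIX = re.compile(r"^\s*(?:re|fw):\s*", re.IGNORECASE)


@dataclass
class MailMeta:
    """Metadata a gateway filter has before scanning the body (constructed type)."""
    subject: str
    attachment_name: str
    attachment_size: int


def zafi_d_indicators(mail: MailMeta) -> list:
    """Return the names of the advisory's indicators that this message matches."""
    hits = []
    m = SUBJECT_PREFIX.match(mail.subject)
    # Subject must carry the Re:/Fw: prefix AND one of the listed greetings.
    if m and mail.subject[m.end():].strip().lower() in ZAFI_D_SUBJECTS:
        hits.append("subject")
    name = mail.attachment_name.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if "postcard" in name and ext in ZAFI_D_EXTENSIONS:
        hits.append("attachment-name")
    if mail.attachment_size == ZAFI_D_ATTACHMENT_SIZE:
        hits.append("attachment-size")
    return hits


def is_probable_zafi_d(mail: MailMeta) -> bool:
    """Flag only on two or more independent indicators, so that a genuine
    "Re: Merry Christmas!" with a photo attached does not trip the filter."""
    return len(zafi_d_indicators(mail)) >= 2


# Constructed sample messages (not real captures).
SAMPLES = [
    MailMeta("Re: Merry Christmas!", "Christmas_Postcard_link.zip", 11745),
    MailMeta("Fw: Joyeux Noel!", "index_postcard.pif", 11745),
    MailMeta("Re: Merry Christmas!", "family-photo.jpg", 204800),
]

if __name__ == "__main__":
    for mail in SAMPLES:
        print(mail.subject, zafi_d_indicators(mail), is_probable_zafi_d(mail))
```

The size indicator is the most brittle of the three (a repacked variant changes it), so it is treated as corroboration rather than a trigger on its own.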


	Peer-To-Peer:

	The worm copies itself to any directory whose name contains one of
	the following words:

	share
	upload
	music


	Filename:

	The worm copies itself to the above mentioned directories using
	one of the following filenames:

	winamp 5.7 new!.exe
	ICQ 2005a new!.exe


	Infection:

	Upon execution, the worm copies itself to %system%\Norton
	Update.exe.  The worm then sets the following registry key to
	enable itself to run automatically when Windows starts:

	HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Wxp4="%system%\Norton Update.exe".

	%system% is a variable which by default points to the following
	locations:

	Windows 9x/ME:		C:\Windows\System
	Windows NT/2000:	C:\winnt\System32
	Windows XP/2003:	C:\Windows\System32

	The worm then collects email addresses from files with the
	following extensions on local disks:

	htm
	wab
	txt
	dbx
	tbb
	asp
	php
	sht
	adb
	mbx
	eml
	pmr
	fpt
	inb

	The worm also searches the Windows Address Book, the location
	of which is retrieved from the following registry key:

	HKCU\Software\Microsoft\WAB\WAB4\Wab File Name\(Default)

	The worm uses its own SMTP engine to propagate.
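The persistence entry above (the Wxp4 value under the Run key pointing at %system%\Norton Update.exe) is the host-side indicator an incident responder would sweep for. The following added example, which is not part of the advisory and not AusCERT's code, parses the text produced by `reg export` of the Run key and reports values matching that indicator. The sample export is constructed (the ExampleAgent entry is a benign filler), and writing the indicator in .reg syntax is this example's assumption.

```python
import re

# Constructed sample of a `reg export HKLM\...\Run` file. The Wxp4 value is the
# advisory's persistence indicator rendered in .reg syntax (an assumption of
# this example); ExampleAgent is a benign filler entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAgent"="C:\\Program Files\\Example\\agent.exe"
"Wxp4"="C:\\Windows\\System32\\Norton Update.exe"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Default %system% locations listed in the advisory, lower-cased for comparison.
SYSTEM_DIRS = {r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32"}
VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Minimal .reg parser: returns {key_path: {value_name: value_string}}.
    Only REG_SZ ("...") values are unescaped; other types are kept raw."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = VALUE_LINE.match(line)
            if not m:
                continue
            name, raw = m.group(1), m.group(2)
            if raw.startswith('"') and raw.endswith('"'):
                # reg.exe writes \\ for a backslash and \" for a quote.
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
            keys[current][name] = raw
    return keys


def zafi_d_persistence_findings(reg_text):
    """Return (value_name, value) pairs under the Run key that match the
    advisory's indicator: the value name Wxp4, or any value launching
    'Norton Update.exe' from a default %system% directory."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, value in values.items():
            directory, _, filename = value.lower().rpartition("\\")
            if name.lower() == "wxp4" or (
                filename == "norton update.exe" and directory in SYSTEM_DIRS
            ):
                findings.append((name, value))
    return findings


if __name__ == "__main__":
    for name, value in zafi_d_persistence_findings(SAMPLE_REG_EXPORT):
        print(f"suspicious Run entry: {name} = {value}")
```

Matching on both the value name and the launched file path means a renamed value that still points at the same binary is caught, while a legitimate product installed elsewhere is not.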
	
	
MITIGATION: 

	AusCERT recommends upgrading all anti-virus software to use the
	latest definition files as soon as they become available. See the
	anti-virus vendor links for removal instructions and tools.

	Users should remain aware of the danger of opening unsolicited
	email attachments.


REFERENCES:

	[1] http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41012

	[2] http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=130371

	[3] http://www.f-secure.com/v-descs/zafi_d.shtml

	[4] http://www.sophos.com/virusinfo/analyses/w32zafid.html

	[5] http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D

	[6] http://securityresponse.symantec.com/avcenter/venc/data/w32.erkez.d@mm.htm


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQb+M+Ch9+71yA2DNAQIblQP/ZeNzstT1viiBwjPEE2NaCLyo71vhE28E
Uts7G7s0AsusDTK/Zq+btcOcFKdX586iq1yDkTV+0bhKG3XpuOSyuHokbA8L0N6K
JY5FAbzjqJ1DiqUrreM/kqbAiBXjtg92fBn2vp179mqCUins52tEU1I2I88Ff8W1
pOv9nylXLDg=
=D3uT
-----END PGP SIGNATURE-----