W32/Zafi.D@mm
| W32/Zafi.D@mm |
Destructivity:  Spreading:  Overall risk:
|
| • Detected by virus detection files published: 12/14/2004 | • Type: Worm |
| • Virus characteristics first published: 12/14/2004 | • Spreading mechanism: Email, Other |
| • Virus characteristics latest update: 10/30/2007 | • Overall risk: Low |
| • Alias: Nocard.A@mm, W32/Erkez.D@mm | • Payload: Disables maintenance and security software |
| • Infection type: Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista |
| Virus type |
Spreading mechanism |
Destructivity and payload |
Additional descriptions |
Detection and removal |
||||||||||
Email characteristics:
When the worm is first executed, it will display an error message; in the background it will copy itself to the Windows System folder using the name "Norton Update.exe". It will also create several other files. Most of these are connected with the collection of mail addresses from the local machine; one other is an exact copy of the worm, and another is a copy of the worm zipped. These files are given a random name. Registry keys added: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Wxp4= The worm sends itself to email addresses that are harvested from files with the following extensions: htm, The mail is formatted to look like a Christmas greeting card. The language of the mail is determined from the top level domain of the receiving address, and several languages (English, Spanish, Swedish, Norwegian, Hungarian etc) are used. The attachment name is also variable; attachment extension is either .cmd .bat .pif .com or .zip. This worm also spreads itself in another way. If it finds a folder that contains the text "share", "music" or " upload", it will copy itself there using one of the names: winamp 5.7 new!.exe |
||||||||||||||