Zafi.d prevention and cure

The Zafi.d e-mail worm, which can also be spread through shared folders, launches mass mailings. Here's how it works and how to eradicate it.

By Robert Vamosi
CNET Reviews

An e-mail worm from Hungary is spreading false holiday cheer worldwide. Zafi.d (w32.zafi.d@mm, also known as Erkez in Symantec's naming) is 11,745 bytes in size, with about 30KB of assembly code. It can also spread through shared network folders. Zafi.d attempts to shut down antivirus and firewall defenses on an infected computer and opens a port for remote access to it. Zafi.d does not affect Mac OS, Linux, or Unix systems. Because it spreads via e-mail and exposes your computer to remote access, this worm rates a 6 on the CNET/ZDNet Virus Meter.

How it works
Zafi.d arrives as an e-mail message, apparently from someone you know, with content similar to the following:

Subject: Re: Merry Christmas!
Message body: Happy Hollydays! :) Pamela M.
Attachment: postcard.index.php1111.pif

In addition to English, the message may also be in Hungarian, Spanish, Finnish, Swedish, Russian, and several other languages.

If the attached file is opened, the following value is added to the System Registry on the infected computer so that the worm runs at every login:

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Value: Wxp4 = "%System%\Norton Update.exe"

If the infected computer has shared folders, as on a network, Zafi copies itself into those shared folders under the name NortonUpdate.exe, where other users may find and run it. Zafi.d also disables any antivirus and firewall protection the infected computer may have. To further frustrate its victims, Zafi "locks" several Windows tools, such as Task Manager and Registry Editor, to prevent manual removal of the infection. The worm also opens a back door that listens on port 8181.
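The three indicators above (the Wxp4 Run value pointing at Norton Update.exe, the listener on port 8181, and the executable "postcard" attachment) can be checked mechanically. The script below is an added example written for this page, not code from CNET or from any antivirus vendor. It parses a Registry Editor (.reg) export of the Run key, the output of netstat -ano, and a list of attachment names, and reports what matches. The .reg text, netstat output and attachment names are constructed samples; the expansion of %System% to C:\WINDOWS\system32 and the assumption that the back door is a TCP listener are mine, not the article's.

```python
"""Triage checks for the Zafi.d indicators described in the article.

Added example, not code from the CNET article or any AV vendor. Indicator
values (Run value "Wxp4" -> Norton Update.exe, the NortonUpdate.exe share
copy, a back door on port 8181, a .pif "postcard" lure) come from the
article; the sample inputs below are constructed, and %System% is assumed
to expand to C:\\WINDOWS\\system32.
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
ZAFI_RUN_VALUE = "Wxp4"
ZAFI_FILENAMES = {"norton update.exe", "nortonupdate.exe"}
BACKDOOR_PORT = 8181
# Extensions Windows runs on double-click; the worm's lure ends in .pif.
EXEC_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}


def parse_reg_export(text):
    """Parse a Registry Editor (.reg) export into {key: {value_name: data}}.

    Only quoted string values are handled, which is all the Run key holds.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg files double every backslash inside quoted strings.
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def check_run_key(reg_text):
    """Return findings for the persistence value the article lists."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() != RUN_KEY.lower():  # registry paths are case-insensitive
            continue
        for name, data in values.items():
            basename = data.rsplit("\\", 1)[-1].lower()
            if name.lower() == ZAFI_RUN_VALUE.lower() or basename in ZAFI_FILENAMES:
                findings.append(f"Run value {name!r} -> {data}")
    return findings


def check_listeners(netstat_text, port=BACKDOOR_PORT):
    """Find listening sockets on the back-door port in `netstat -ano` output.

    The article gives only the port number; treating the back door as a TCP
    listener is an assumption of this example.
    """
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            local = parts[1]
            if local.rsplit(":", 1)[-1] == str(port):
                pid = parts[4] if len(parts) > 4 else "?"
                hits.append(f"TCP listener on {local} (PID {pid})")
    return hits


def suspicious_attachment(filename):
    """True if the attachment would execute when opened.

    'postcard.index.php1111.pif' looks like a web page or a picture, but only
    the final extension matters to Windows, and .pif is a program.
    """
    name = filename.lower().rstrip(". ")
    if "." not in name:
        return False
    return "." + name.rsplit(".", 1)[-1] in EXEC_EXTS


def triage(reg_text, netstat_text, attachments):
    """Combine the three checks into one report."""
    return {
        "persistence": check_run_key(reg_text),
        "backdoor": check_listeners(netstat_text),
        "attachments": [a for a in attachments if suspicious_attachment(a)],
    }


# ---- constructed samples (not captured from a real infection) ----
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"Wxp4"="C:\\WINDOWS\\system32\\Norton Update.exe"
'''

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    0.0.0.0:8181           0.0.0.0:0              LISTENING       1588
  TCP    192.168.1.10:1031      10.0.0.5:25            ESTABLISHED     1588
  UDP    0.0.0.0:445            *:*                                    4
"""

SAMPLE_ATTACHMENTS = ["postcard.index.php1111.pif", "postcard.jpg", "notes.txt"]

if __name__ == "__main__":
    for section, items in triage(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_ATTACHMENTS).items():
        print(section, "->", items or "clean")
```

On a suspect machine, feed the script the output of `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and `netstat -ano`; since the worm locks Task Manager and Registry Editor, the command-line tools or an offline boot are the practical way to collect both. The PID reported next to the 8181 listener is the process to look at first.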

Removal
Several antivirus software companies have updated their signature files to include this worm. An updated scanner will block the infection on contact and in some cases will remove an active infection from your system. For removal instructions and tools, see Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.
