The Zafi.d e-mail worm, which can also be spread through shared folders, launches mass mailings. Here's how it works and how to eradicate it.
By Robert Vamosi
An e-mail worm from Hungary is spreading false holiday cheer worldwide. Zafi.d (w32.zafi.d@mm, also known as Erkez at Symantec) is 11,745 bytes in size, with about 30KB of assembly code. It can also spread through shared network folders. Zafi.d attempts to shut down antivirus and firewall defenses on an infected computer and opens a port for remote access. Zafi.d does not affect Mac OS, Linux, or Unix systems. Because it spreads via e-mail and exposes your computer to remote access, this worm rates a 6 on the CNET/ZDNet Virus Meter.
How it works
Zafi.d arrives as e-mail, possibly from someone you know, with information similar to the following:
Subject: Re: Merry Christmas!
Message body: Happy Hollydays! :) Pamela M.
In addition to English, the message may also be in Hungarian, Spanish, Finnish, Swedish, Russian, and several other languages.
If the attached file is opened, the following will be added to the System Registry on the infected computer:
Wxp4 = "%System%\Norton Update.exe"
If the infected computer uses shared file folders, as on a network, Zafi.d will also place a copy of the memory-resident mass-mailing worm, named NortonUpdate.exe, in those shared folders. Zafi.d also disables any antivirus and firewall protection the infected computer may have. To further frustrate its victims, Zafi.d will "lock" several Windows tools, such as Task Manager and Registry Editor, to prevent manual removal of the infection. The worm has a back door that listens on port 8181.
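The indicators above (the Wxp4 registry value pointing at Norton Update.exe, a NortonUpdate.exe dropped on shares, and a listener on TCP port 8181) can be checked against artifacts collected from a suspect machine. The following triage script is an added example, not code from the article; its sample inputs are constructed, and the Run key shown in the sample registry export is an assumption, since the article does not name the key.

```python
"""Triage helper for the Zafi.d indicators named in the write-up.
Runs over collected artifacts (a .reg export, `netstat -ano` output,
a share file listing), so it works offline on any platform."""
import re
from typing import Dict, List, Tuple

WORM_FILENAMES = {"norton update.exe", "nortonupdate.exe"}  # from the write-up
BACKDOOR_PORT = 8181                                        # from the write-up

def scan_reg_export(reg_text: str) -> List[Tuple[str, str]]:
    """Return (key, data) for every value named Wxp4 in a .reg export.
    %System% is expanded in a real export, so we match on the value name."""
    hits, key = [], ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = re.match(r'"Wxp4"="(.*)"$', line)
        if m:  # .reg files double backslashes; undo that for reporting
            hits.append((key, m.group(1).replace("\\\\", "\\")))
    return hits

def find_backdoor_listeners(netstat_text: str) -> List[int]:
    """Return PIDs listening on TCP 8181 in `netstat -ano` output."""
    pids = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            if parts[1].rsplit(":", 1)[1] == str(BACKDOOR_PORT):
                pids.append(int(parts[4]))
    return pids

def find_worm_files(paths: List[str]) -> List[str]:
    """Return listed paths whose file name matches the worm's dropped name."""
    return [p for p in paths if p.rsplit("\\", 1)[-1].lower() in WORM_FILENAMES]

def triage(reg_text: str, netstat_text: str, share_paths: List[str]) -> Dict[str, object]:
    """Combine the three checks; 'infected' is True if any indicator fires."""
    reg, pids, files = (scan_reg_export(reg_text), find_backdoor_listeners(netstat_text),
                        find_worm_files(share_paths))
    return {"registry": reg, "listener_pids": pids, "share_files": files,
            "infected": bool(reg or pids or files)}

# Constructed sample artifacts (the Run key path is an assumption).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wxp4"="C:\\WINDOWS\\System32\\Norton Update.exe"
"""
SAMPLE_NETSTAT = """  Proto  Local Address      Foreign Address    State        PID
  TCP    0.0.0.0:135        0.0.0.0:0          LISTENING    892
  TCP    0.0.0.0:8181       0.0.0.0:0          LISTENING    1408
  TCP    192.168.1.5:1033   203.0.113.9:25     ESTABLISHED  1408
"""
SAMPLE_SHARE = [r"\\fileserver\public\NortonUpdate.exe",
                r"\\fileserver\public\report.doc", r"\\fileserver\docs\notes.txt"]

if __name__ == "__main__":
    print(triage(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_SHARE))
```

A PID on port 8181 that also holds outbound connections to port 25, as in the sample, is consistent with the mass-mailing behaviour described above and is worth isolating first.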
Several antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.