Win32.Zafi.b - What is it?


Post by Doctor Inferno on 15th January 2009, 10:23 am

I have seen many topics being posted on GeekPolice relating to the removal of Win32.Zafi.b. So I thought that you guys may be curious about what it does etc.

This worm spreads via the Internet as an attachment to infected messages, and also via local and file-sharing networks.

It is written in Assembler, and packed using FSG. It is 12800 bytes in packed form, and 33292 in unpacked form.

Installation
Once launched, the worm copies its file to the Windows system directory. The name of the file is randomly generated.

The worm registers this file as an entry in the system registry to be run every time the system is started:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"_Hazafibb"="%system%\[file name]"
The worm creates the mutex _Hazafibb to flag its presence in the system.

This is to prevent multiple copies of the worm being run at the same time.
It stops the following processes and deletes the files from disk:

fvprotect.exe
winlogon.exe
jammer2nd.exe
services.exe


More Info: http://www.viruslist.com/en/viruslist.html?id=1666973


Re: Win32.Zafi.b - What is it?

Post by Sir $wat on 16th January 2009, 11:35 pm

okok... nasty lil sucker..


Re: Win32.Zafi.b - What is it?

Post by Belahzur on 16th January 2009, 11:41 pm

Hmmm.
I haven't come across the _Haza thing run value yet; the zafi.b and zlob.g are the same, but I've only seen the following run values.

winpipe
winclock
vinclock
wclock
realtekg

Realtekg is the newest, I think; they seem to change the name once every week or so.


Re: Win32.Zafi.b - What is it?

Post by cookies123 on 20th January 2009, 6:02 am

I was just wondering. Say you had Win32.Zafi.b and it deleted:
fvprotect.exe
winlogon.exe
jammer2nd.exe
services.exe
Will you need those files for your computer to run properly, or how it was before you got the worm?


Re: Win32.Zafi.b - What is it?

Post by Doctor Inferno on 20th January 2009, 8:23 am

@cookies123 wrote:
I was just wondering. Say you had Win32.Zafi.b and it deleted:
fvprotect.exe
winlogon.exe
jammer2nd.exe
services.exe
Will you need those files for your computer to run properly, or how it was before you got the worm?

Those files are created by the malware, therefore they are malicious processes/files. Winlogon.exe is needed by Windows, but it doesn't run from the original file directory; you don't need those files.


Re: Win32.Zafi.b - What is it?

Post by Belahzur on 20th January 2009, 7:07 pm




Re: Win32.Zafi.b - What is it?

Post by Belahzur on 6th February 2009, 8:57 pm

Three new names:
realtechs
realtecs
realtecss

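As an added example (not code from this thread or from the viruslist write-up), the Python below checks an exported copy of the HKLM Run key for the value names this thread ties to Zafi.b: "_Hazafibb" from Doctor Inferno's first post and the variants Belahzur reported in his two posts. The .reg text is a constructed sample, not an export from a real infected machine, and the file names in it are made up.

```python
import re

# Run-value names attributed to Zafi.b in this thread: "_Hazafibb" from the
# viruslist write-up, the rest reported by Belahzur as observed variants.
# Compared case-insensitively, since registry value names are not case-sensitive.
ZAFI_RUN_VALUES = {
    "_hazafibb", "winpipe", "winclock", "vinclock", "wclock",
    "realtekg", "realtechs", "realtecs", "realtecss",
}

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of a .reg export of the Run key (e.g. from "reg export").
# The two flagged entries and their file names are invented for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"_Hazafibb"="C:\\WINDOWS\\system32\\kxtvq.exe"
"realtekg"="C:\\WINDOWS\\system32\\realtekg.exe"
'''

def unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " inside quoted strings."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key section
            keys.setdefault(current, {})
            continue
        # Only REG_SZ lines of the form "name"="data" matter for Run entries.
        m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys

def find_zafi_run_values(reg_text):
    """List (value_name, data) pairs under the HKLM Run key matching a Zafi.b name."""
    run_values = parse_reg_export(reg_text).get(RUN_KEY, {})
    return [(name, data) for name, data in run_values.items()
            if name.lower() in ZAFI_RUN_VALUES]
```

The file name behind a hit is random per the write-up, so the value name is the stable indicator here; the mutex "_Hazafibb" can only be checked on the live system, not from an export.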
