Aliases: P2P-Worm.Win32.Gedza.b, W32/Refaz.worm, WORM_GEDZA.B, Worm/Gedza.B 
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 25 Feb 2005
Damage: Medium

Characteristics: W32.Refaz is a worm. It propagates through file-sharing networks and network shares. The worm also modifies certain .HTML files on the infected computer. The worm is a slow infector. It causes medium damage and is easy to remove using an up-to-date antivirus program.

More details about W32.Refaz

Once W32.Refaz is executed, it displays a message with the following text: “Title: BETA VERSION” and “Message: Version limited time expired.” After it announces its presence, it copies itself as the following files: winshell.exe, win_3k.exe, Zafer.exe, ForYou.pif, and xradiat.exe. It also creates the following files: C:\url.vxd and C:\Zafer.scr. It creates further copies of itself, choosing each file name at random from a list and adding an .exe extension. Some of the names in the list include Spybot 1.3, Ad-Aware 6.0, and WinZip 9. These files are created in folders used by file-sharing applications such as KaZaA and LimeWire. It also modifies some files to include a message that contains a URL. The URL links to a copy of the worm at a location on the infected computer.

The worm also adds the user Zafer to the Administrators group and runs the telnet.exe program. It also searches for open network shares on the local network and copies itself as clean_service.cmd to folders on the remote computer. It adds the following lines to autoexec.bat on the remote computer, so that it is executed when Windows starts: @start [path to clean_service.cmd] and run=[path to clean_service.cmd]. W32.Refaz is distributed disguised as another file. Its author may send it via e-mail spam or instant messages. It may also be spread via IRC (Internet Relay Chat). The user may believe it is a popular movie or music file on a file-sharing network. It may also be bundled with free software offered on download sites. Other malware programs can also download and install it. It may also be spread via drive-by downloads.
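The two paragraphs above list host artifacts a responder can check for: the dropped file names, the decoy names placed in file-sharing folders, the two autoexec.bat persistence lines, the Zafer account in the Administrators group, and the URL inserted into modified files that points at a local copy of the worm. The following is an added triage helper, not code from the original write-up or from any antivirus vendor; it uses only the names and lines quoted above, and the function names, the sample autoexec.bat, file list, `net localgroup` output and HTML fragment are constructed for illustration. It is written in Python so it can run over copied-out artifacts on an analysis machine rather than on the infected host.

```python
"""Triage helpers for the W32.Refaz indicators quoted in the write-up above.
Added example (not the write-up's own code). Indicator names come from the
write-up; sample inputs below are constructed, not captured from a real host."""
import re
from pathlib import PureWindowsPath

# Files the worm copies itself as or creates (Windows names are case-insensitive).
DROPPED_NAMES = {"winshell.exe", "win_3k.exe", "zafer.exe", "foryou.pif",
                 "xradiat.exe", "url.vxd", "zafer.scr", "clean_service.cmd"}
# Decoy names used in file-sharing folders; the worm appends ".exe" to each.
DECOY_BASENAMES = {"spybot 1.3", "ad-aware 6.0", "winzip 9"}

# The two autoexec.bat lines quoted in the write-up, with any path in between.
AUTOEXEC_PATTERNS = [
    re.compile(r"^\s*@?start\b.*clean_service\.cmd", re.IGNORECASE),
    re.compile(r"^\s*run\s*=.*clean_service\.cmd", re.IGNORECASE),
]


def classify_path(path):
    """Return 'dropped', 'decoy', or None for a Windows file path."""
    name = PureWindowsPath(path).name.lower()
    if name in DROPPED_NAMES:
        return "dropped"
    stem, _, ext = name.rpartition(".")
    if ext == "exe" and stem in DECOY_BASENAMES:
        return "decoy"
    return None


def suspicious_autoexec_lines(text):
    """Return (line_number, line) for entries that launch clean_service.cmd."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if any(p.search(line) for p in AUTOEXEC_PATTERNS)]


def unexpected_admins(net_localgroup_output, expected):
    """Parse 'net localgroup administrators' output; return members not in expected
    (compared case-insensitively). Members follow the dashed separator line."""
    members, in_members = [], False
    for line in net_localgroup_output.splitlines():
        if line.startswith("----"):
            in_members = True
        elif in_members and line.startswith("The command completed"):
            break
        elif in_members and line.strip():
            members.append(line.strip())
    return [m for m in members if m.lower() not in {e.lower() for e in expected}]


def html_links_to_worm(html):
    """Return href values whose final path component is a known worm file name.
    Assumption: the inserted URL ends in one of the copy names listed above."""
    hits = []
    for href in re.findall(r"""href\s*=\s*["']([^"']+)["']""", html, re.IGNORECASE):
        basename = re.split(r"[\\/]", href)[-1]
        if classify_path(basename):
            hits.append(href)
    return hits


def triage(paths, autoexec_text, net_localgroup_output, html_text):
    """Bundle the individual checks into one report dictionary."""
    return {
        "dropped": sorted(p for p in paths if classify_path(p) == "dropped"),
        "decoy": sorted(p for p in paths if classify_path(p) == "decoy"),
        "autoexec": suspicious_autoexec_lines(autoexec_text),
        "unexpected_admins": unexpected_admins(net_localgroup_output, {"Administrator"}),
        "worm_links": html_links_to_worm(html_text),
    }


# Constructed sample inputs (not from a real infected machine).
SAMPLE_PATHS = [
    r"C:\url.vxd", r"C:\Zafer.scr", r"C:\WINDOWS\winshell.exe",
    r"C:\Program Files\KaZaA\My Shared Folder\WinZip 9.exe",
    r"C:\Program Files\KaZaA\My Shared Folder\Spybot 1.3.exe",
    r"C:\Program Files\LimeWire\Shared\report.pdf", r"C:\WINDOWS\notepad.exe",
]
SAMPLE_AUTOEXEC = "\r\n".join([
    "@echo off", r"PATH=C:\WINDOWS;C:\WINDOWS\COMMAND",
    r"@start C:\WINDOWS\clean_service.cmd", r"run=C:\WINDOWS\clean_service.cmd",
    r"SET TEMP=C:\TEMP",
])
SAMPLE_NET_LOCALGROUP = "\n".join([
    "Alias name     administrators", "Comment        Administrators have complete access",
    "", "Members", "", "-" * 79, "Administrator", "Zafer",
    "The command completed successfully.",
])
SAMPLE_HTML = ('<html><body><a href="file:///C:/Zafer.scr">update</a>'
               '<a href="http://example.invalid/index.html">home</a></body></html>')

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS, SAMPLE_AUTOEXEC,
                             SAMPLE_NET_LOCALGROUP, SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

Each check is a pure function over text or a path list, so the same code can be pointed at a mounted disk image or at output copied from the host without running anything on the suspect machine; a non-empty value in any field of the report is a reason to pull the host for a full antivirus scan rather than a verdict on its own.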