[email protected]

Aliases: Win32.Zafi.D, Zafi.D, Email-Worm.Win32.Zafi.d, W32/[email protected], W32/Zafi.D.worm
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Slow
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: Easy
Platform: W32
Discovered: 14 Dec 2004
Damage: Medium

Characteristics: [email protected] is another worm in a series of mass-mailing worms that infects a machine and spreads by using its own SMTP engine to send emails automatically to the compromised computer’s contacts. It attacks and infects all Windows operating system platforms. This worm allegedly hides itself and its infection routine from the user of the compromised computer.

More details about [email protected]

This worm has backdoor capability that it exploits further by continuously copying itself without the user’s awareness or consent. It also terminates processes with the following strings in their names: “reged”, “msconfig” and “task”. Once present, this computer worm harvests and collects email contact addresses, and the infection continues by sending infected emails to all of those contacts. It connects to the microsoft.com domain to send its emails. It then opens a backdoor on TCP port 8181 and listens for commands from a remote attacker. It retrieves email addresses from the Windows Address Book and from files with extensions such as .htm, .wab, .txt, .dbx, .tbb, .asp, .php, .sht, .adb, .mbx, .eml, .pmr, .fpt and .inb. The email messages it sends carry a spoofed From header and one of the following subjects: “Merry Christmas!”, “boldog karacsony...”, “Feliz Navidad!”, “ecard.ru”, “Christmas Kort!”, “Christmas Vykort!”, “Christmas Postkort!”, “Christmas postikorti!”, “Christmas - Kartki!”, “Weihnachten card.”, “Prettige Kerstdagen!”, “Christmas pohlednice”, “Joyeux Noel!” or “Buon Natale!”. These are malicious emails that should not be opened. All executable files, the system registry and open files are also at risk of infection, because the worm has the ability to overwrite certain executable files.
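A defender-side triage script for the indicators listed above, added here as an example and not taken from the original page: it flags mail whose Subject matches one of the quoted lure subjects and parses `netstat -ano` style output for a listener on TCP port 8181. The mail messages and netstat lines below are constructed samples.

```python
"""Triage helpers for the Zafi.D indicators: lure subjects and the 8181 listener."""
import re
from email import message_from_string

# Lure subjects quoted in the description, stored in normalized form.
ZAFI_D_SUBJECTS = {
    "merry christmas!", "boldog karacsony...", "feliz navidad!", "ecard.ru",
    "christmas kort!", "christmas vykort!", "christmas postkort!",
    "christmas postikorti!", "christmas - kartki!", "weihnachten card.",
    "prettige kerstdagen!", "christmas pohlednice", "joyeux noel!", "buon natale!",
}
BACKDOOR_PORT = 8181  # TCP port on which the worm listens for commands


def normalize(subject: str) -> str:
    """Case-fold and collapse whitespace so trivial variations still match."""
    return re.sub(r"\s+", " ", subject or "").strip().casefold()


def flag_lure_subjects(raw_messages):
    """Return the indexes of messages whose Subject header is a known Zafi.D lure."""
    hits = []
    for i, raw in enumerate(raw_messages):
        msg = message_from_string(raw)
        if normalize(msg.get("Subject", "")) in ZAFI_D_SUBJECTS:
            hits.append(i)
    return hits


def find_backdoor_listeners(netstat_output: str, port: int = BACKDOOR_PORT):
    """Parse `netstat -ano` style lines; return PIDs with a TCP LISTENING socket on `port`."""
    pids = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            if parts[1].rsplit(":", 1)[-1] == str(port):
                pids.append(int(parts[4]))
    return pids


# Constructed samples (not real captures) so the script runs offline.
SAMPLE_MAIL = [
    "From: friend@example.invalid\nSubject: Merry Christmas!\n\nconstructed body",
    "From: boss@example.invalid\nSubject: Q4 budget review\n\nconstructed body",
    "From: ecard@example.invalid\nSubject:  joyeux   noel!\n\nconstructed body",
]
SAMPLE_NETSTAT = """  Proto  Local Address     Foreign Address   State        PID
  TCP    0.0.0.0:135       0.0.0.0:0         LISTENING    912
  TCP    0.0.0.0:8181      0.0.0.0:0         LISTENING    2044
  TCP    192.168.1.5:49152 203.0.113.9:80    ESTABLISHED  1337
"""

if __name__ == "__main__":
    print("lure messages:", flag_lure_subjects(SAMPLE_MAIL))
    print("pids listening on 8181:", find_backdoor_listeners(SAMPLE_NETSTAT))
```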

There have been reports that this malware may be downloaded from the Internet by visiting unsolicited sites with random pop-ups. It is also possible for certain adware variants to drop this malware on the user’s system. According to expert users, this malicious program can modify Windows Registry values to support its basic routines. It is highly probable that the program infects a single file and registers it in the Registry so that it runs at Windows startup. Some entries may also be modified to allow the malware to hijack functions of the computer system, for example running in the background to avoid detection and showing no active process in Windows Task Manager.