ironia
13-06-2004, 20:31
you'll probably find yourselves swamped by a flood of spam in perfect brute-force style....
REMOVAL TOOL (http://www.bitdefender.com/bd/downloads/removaltools/Antizafi-EN.exe)
Name: Win32.Zafi.B@mm
Aliases: I-Worm.Zafi.B, Win32/Zafi.B worm
Type: Executable Mass Mailer
Size: 12,800 bytes (packed with FSG)
Discovered: 11.06.2004
Detected: 11.06.2004
Spreading: Low
Damage: Medium
In The Wild: Unknown
Symptoms:
- Presence of the following files in the %SYSTEM% folder:
files with random names (each name is 8 random letters), several with the extension .dll and one with the extension .exe
most of the .dll files store e-mail addresses and are rather small (around 1 KB)
one .dll file and the .exe file are copies of the virus, 12,800 bytes each
Regedit, Task Manager and Task Monitor don't work
Presence in memory of a process called "link"
When run, the virus opens Internet Explorer with a recently typed URL
- Presence of the following registry keys or entries:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"_Hazafibb"="%SYSTEM%\%random%.exe"]
where %random% is a name formed from 8 random characters
[HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb]
with entries named b?, c?, d? that contain information about the infected computer and the exact names of the .exe and .dll files, where ? may be any digit or capital letter (e.g. b1, bA, cA)
where %WINDOWS% points to the Windows folder (or WinNT on Windows NT based systems)
%SYSTEM% points to the "System" folder on Windows 9x systems and the "System32" folder on Windows NT based systems.
Technical description:
The virus arrives via e-mail in the following formats (for: .hu .sp .ru .dk .ro .se .no .fi .lt .pl .pt .de .nl .cz .fr .it)
The From: field is spoofed
Subject: eIngyen SMS!
Body:
------------------------ hirdetés -----------------------------
A sikeres 777sms.hu és az axelero.hu támogatásával újra
indul az ingyenes sms küldő szolgáltatás! Jelenleg ugyan
korlátozott számban, napi 20 ingyen smst lehet felhasználni.
Küldj te is SMST! Nehány kattintás és a mellékelt regisztrációs
lap kitöltése után azonnal igénybevehető! Bővebb információt
a www.777sms.hu oldalon találsz, de siess, mert az első ezer
felhasználó között értékes nyereményeket sorsolunk ki!
------------------------ axelero.hu ---------------------------
Attachment: regiszt.php?3124freesms.index777.pif
Subject: Importante!
Body: Informacion importante que debes conocer, -
Attachment: link.informacion.phpV23.text.message.pif
Subject: E-Kort!
Body: Mit hjerte banker for dig!
Attachment: link.ekort.index.phpV7ab4.kort.pif
Subject: Ecard!
Body: De cand te-am cunoscut inima mea are un nou ritm!
Attachment: link.showcard.index.phpAv23.ritm.pif
Subject: E-vykort!
Body: Till min Alskade...
Attachment: link.vykort.showcard.index.phpBn23.pif
Subject: E-Postkort!
Body: Vakre roser jeg sammenligner med deg...
Attachment: link.postkort.showcard.index.phpAe67.pif
Subject: E-postikorti!
Body: Iloista kesaa!
Attachment: link.postikorti.showcard.index.phpGz42.pif
Subject: Atviruka!
Body: Linksmo gimtadieno!
Attachment: link.atviruka.showcard.index.phpGz42.pif
Subject: E-Kartki!
Body: W Dniu imienin...
Attachment: link.kartki.showcard.index.phpVg42.pif
Subject: Cartoe Virtuais!
Body: Te amo...
Attachment: link.cartoe.viewcard.index.phpYj39.pif
Subject: Flashcard fuer Dich!
Body: Hallo!
hat dir eine elektronische Flashcard geschickt.
Um die Flashcard ansehen zu koennen, benutze in deinem Browser
einfach den nun folgenden link:
http://flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34
Viel Spass beim Lesen wuenscht Ihnen ihr...
Attachment: link.flashcard.de.viewcard34.php.2672aB.pif
Subject: Er staat een eCard voor u klaar!
Body: Hallo!
heeft u een eCard gestuurd via de website nederlandse
taal in het basisonderwijs...
U kunt de kaart ophalen door de volgende url aan te klikken of te
kopiëren in uw browser link:
http://postkaarten.nl/viewcard.show53.index=04abD1
Met vriendelijke groet,
De redactie taalsite primair onderwijs...
Attachment: postkaarten.nl.link.viewcard.index.phpG4a62.pif
Subject: Elektronicka pohlednice!
Body: Ahoj!
Elektronická pohlednice ze serveru http://www.seznam.cz
Attachment: link.seznam.cz.pohlednice.index.php2Avf3.pif
Subject: E-carte!
Body: vous a envoye une E-carte à partir du site zdnet.fr
Vous la trouverez à l'adresse suivante link:
http://zdnet.fr/showcard.index.php34bs42
www.zdnet.fr, plus de 3500 cartes virtuelles, vos pages web
en 5 minutes, du dialogue en direct...
Attachment: link.zdnet.fr.ecarte.index.php34b31.pif
Subject: Ti e stata inviata una Cartolina Virtuale!
Body: Ciao!
ha visitato il nostro sito, cartolina.it e ha creato una
cartolina virtuale per te! Per vederla devi fare click
sul link sottostante: http://cartolina.it/asp.viewcard=index4g345a
Attenzione, la cartolina sara visibile sui nostri server per
2 giorni e poi verra rimossa automaticamente.
Attachment: link.cartoline.it.viewcard.index.4g345a.pif
Subject: You`ve got 1 VoiceMessage!
Body: Dear Customer!
You`ve got 1 VoiceMessage from voicemessage.com website!
Sender:
You can listen your Virtual VoiceMessage at the following link:
http://virt.voicemessage.com/index.listen.php2=35affv
or by clicking the attached link.
Send VoiceMessage! Try our new virtual VoiceMessage Empire!
Best regards: SNAF.Team (R).
Attachment: link.voicemessage.com.listen.index.php1Ab2c.pif
Subject: Tessek mosolyogni!!!
Body: Ha ez a kép sem tud felviditani, akkor feladom!
Sok puszi:
Attachment: meztelen csajok fociznak.flash.jpg.pif
Subject: Soxor Csok!
Body: Szia!
Aranyos vagy, jó volt dumcsizni veled a neten!
Remélem tetszem, és szeretném ha te is küldenél képet
magadról, addig is csók:
Attachment: anita.image043.jpg.pif
Subject: Don`t worry, be happy!
Body: Hi Honey!
I`m in hurry, but i still love ya...
(as you can see on the picture)
Bye - Bye:
Attachment: www.ecard.com.funny.picture.index.nude.php356.pif
Subject: Check this out kid!!!
Body: Send me back bro, when you`ll be done...(if you know what i mean...)
See ya,
Attachment: jennifer the wild girl xxx07.jpg.pif
Once the attachment has been executed, the virus does the following:
1. Creates the mutex _Hazafibb
2. Prevents execution of processes whose name contains regedit, msconfig or task (e.g. regedit, taskman, taskmon, mstask, msconfig)
3. Deletes the following files from the Windows folder: fvprotect.exe, winlogon.exe, services.exe, jammer2nd.exe
4. Checks whether the computer is connected to the internet by attempting to contact google.com or microsoft.com
5. Searches for e-mail addresses in files with the extensions: htm, wab, txt, dbx, tbb, asp, php, sht, adb, mbx, eml, pmr
6. Skips e-mail addresses containing: win, use, info, help, admi, webm, micro, msn, hotm, suppor, syma, vir, trend, panda, yaho, cafee, sopho, google, kasper, office, nero, icq, game, winra, winzi, divx, movie, total, wina
7. Stores the harvested e-mail addresses in randomly named .dll files in the %SYSTEM% folder
8. Creates the following registry key and entries:
[HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"_Hazafibb"="%SYSTEM%\%random%.exe"]
9. Uses its own SMTP engine to send itself to the harvested addresses. It tries to find an SMTP server by prepending smtp., mx. etc. to the domain of the harvested address, or falls back to a default SMTP server.
10. Creates copies of the virus in folders whose name contains "share" or "upload", as winamp 7.0 full_install.exe and/or Total Commander 7.0 full_install.exe
11. Creates a thread that attempts to flood: www.parlament.hu, www.virusbuster.hu, www.virushirado.hu, www.2f.hu
12. May create the files C:\SYS.TXT and _upload.exe
13. The virus contains the following string:
A hajlektalanok elhelyezeset, a bunteto torvenyek szigoritasat, es a HALALBUNTETES MEGSZAVAZASAT koveteljuk a kormanytol, a novekvo bunozes ellen!2004, jun, Pecs,(SNAF Team).
[In English: "We demand from the government housing for the homeless, stricter criminal laws and a VOTE ON THE DEATH PENALTY, against rising crime! 2004, June, Pécs, (SNAF Team)."]
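The host-side symptoms in the advisory (randomly named 12,800-byte files in %SYSTEM%, the _Hazafibb Run value and the marker key with its b?/c?/d? entries) and the mail lures (.pif attachments with stacked fake extensions under a fixed set of subjects) can be checked mechanically. What follows is an added example, not part of the original post and not BitDefender's removal tool: standard-library Python helpers that apply those indicators offline to a directory listing, a `regedit /e` export and a raw message. The listing, registry export and e-mail at the bottom are constructed test data (the file names, sizes and message text are assumptions, not captured from an infection); the subject list, key paths, 8-letter name rule and 12,800-byte size are taken from the advisory as printed.

```python
"""Offline triage for the Win32.Zafi.B@mm indicators listed in the advisory above.
Added example, not BitDefender's tool: host checks take a directory listing and a
regedit export rather than a live system, and all sample data here is constructed."""
import re
from email import message_from_bytes
from email.policy import default

ZAFI_SIZE = 12800                                        # worm copies, packed with FSG
RUN_VALUE = "_Hazafibb"                                  # Run value and marker key name
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
MARKER_KEY = r"hkey_local_machine\software\microsoft\_hazafibb"
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}\.(exe|dll)$", re.I)  # 8 random letters + ext
MARKER_ENTRY = re.compile(r"^[bcd][0-9A-Z]$")            # b?, c?, d? entries
KNOWN_SUBJECTS = {
    "eIngyen SMS!", "Importante!", "E-Kort!", "Ecard!", "E-vykort!", "E-Postkort!",
    "E-postikorti!", "Atviruka!", "E-Kartki!", "Cartoe Virtuais!", "Flashcard fuer Dich!",
    "Er staat een eCard voor u klaar!", "Elektronicka pohlednice!", "E-carte!",
    "Ti e stata inviata una Cartolina Virtuale!", "You`ve got 1 VoiceMessage!",
    "Tessek mosolyogni!!!", "Soxor Csok!", "Don`t worry, be happy!", "Check this out kid!!!",
}

def scan_system_dir(listing):
    """listing: (filename, size) pairs from %SYSTEM%. A random 8-letter name alone is
    not enough (schannel.dll, imagehlp.dll look the same), so size decides: exactly
    12,800 bytes is a worm copy, a tiny random-named .dll is a harvested-address store."""
    copies, stores = [], []
    for name, size in listing:
        if not RANDOM_NAME.match(name):
            continue
        if size == ZAFI_SIZE:
            copies.append(name)
        elif name.lower().endswith(".dll") and size < 4096:
            stores.append(name)
    return copies, stores

def parse_reg_export(text):
    """Minimal parser for a `regedit /e` export: {key lowercased: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip('"').replace("\\\\", "\\")
    return keys

def scan_reg_export(text):
    """Report the _Hazafibb Run value and the marker key's b?/c?/d? entries."""
    keys = parse_reg_export(text)
    findings = {}
    run_value = keys.get(RUN_KEY, {}).get(RUN_VALUE)
    if run_value:
        findings["run_value"] = run_value
    if MARKER_KEY in keys:
        findings["marker_entries"] = {n: v for n, v in keys[MARKER_KEY].items()
                                      if MARKER_ENTRY.match(n)}
    return findings

def scan_message(raw):
    """Mail-gateway check: a known lure subject, or a .pif attachment whose name
    carries fake extra extensions (image043.jpg.pif, ...index.phpAv23.ritm.pif)."""
    msg = message_from_bytes(raw, policy=default)
    subject = (msg["Subject"] or "").strip()
    lures = [part.get_filename() for part in msg.iter_attachments()
             if (part.get_filename() or "").lower().endswith(".pif")
             and part.get_filename().count(".") >= 2]
    return {"known_subject": subject in KNOWN_SUBJECTS, "lure_attachments": lures,
            "is_zafi_lure": subject in KNOWN_SUBJECTS or bool(lures)}

# Constructed samples, not captured from a real infection
SAMPLE_LISTING = [("ABCDEFGH.exe", 12800), ("QWERTYUI.dll", 12800),
                  ("ZXCVBNMA.dll", 1024), ("schannel.dll", 151552)]
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"_Hazafibb"="C:\\WINDOWS\\System32\\ABCDEFGH.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb]
"b1"="ABCDEFGH.exe"
"c1"="QWERTYUI.dll"
"""
SAMPLE_MAIL = b"""Subject: Soxor Csok!
Content-Type: multipart/mixed; boundary="zb"

--zb
Content-Type: text/plain

Szia! Aranyos vagy, jo volt dumcsizni veled a neten!
--zb
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="anita.image043.jpg.pif"

MZ
--zb--
"""
```

On a real Windows host the listing would come from `dir %SystemRoot%\System32` and the export from `regedit /e`; the size check matters because legitimate 8-letter DLLs such as schannel.dll match the name pattern alone. The attachment rule flags any .pif with two or more dots, which is broader than the exact names printed in the advisory and so also catches renamed variants, at the cost of flagging other double-extension lures too.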