W32/Zafi.F is a mass mailing worm. This worm is a variant of W32/Zafi.B. The worm will infect Windows systems and spreads through email.

The infected email 'From' address will be any one of the following;

R. Antonio
Szalai Bernadett
H. Maria
M. Christina
B. Martin
D. Alexej
H. Andersson
N. Fernandez
R. Cornel

The subject of the infected mail will be any one of the following;

witzig reklame :)),witzig bild :D
blague :)),humour - reclame :))
humor.ru,:D
legszexibb megasztar foto!,szavazz ra te is!
broma :)),humor :))
grappig beeld :)),een grappig reclame :D
msn photo ecard,commercial ecard :))
rolig reklam :)),haha - rolig :))
scherzo :)),comico quadro :))
rolig reklam :)),haha - rolig :))

The body of the infected mail will be any one of the following;

funny
=D0=BE=D1=82=D0=BA=D1=80=D1=8B=D1=82=D0=BA=D0=B0 =D1=81 =
=D0=B2=D0=B8=D0=B4=D0=BE=D0=BC:
=D0=BF=D0=BE
=D0=B2=D0=B5=D0=BB=D0=B8=D1=87=D0=B8=D0=BD=D0=B5:
=D0=BF=D0=BE=D1=81=D0=BB=D0=B0=D0=BD=D0=B8=D0=B5:
=D0=BE=D1=82=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D1=82=D0=B5=D0=BB=D1=8C:
=D0=BE=D1=82=D0=BE=D0=B1=D1=80=D0=B0=D0=B6=D0=B5=D0=BD=D0=B8=D0=B5 =
=D0=B4=D0=B0=D1=82=D1=8B:
=D0=BA=D0=BE=D0=BD=D1=82=D1=80=D0=BE=D0=BB=D0=B5=D1=80:
=D0=B8=D0=BC=D1=8F
=D1=84=D0=B0=D0=B9=D0=BB=D0=B0:
=D0=B7=D0=B0=D0=B3=D1=80=D1=83=D0=B6=D0=B0=D0=
B5=D0=BC=D1=8B=D0=B9

reklam
Bildform:
Bild/Omfattning:
Meddelande:
rolig reklam!! :))
Post:
Datum:
Control:
Filenamn:
ladda ner

reclame
Beeldformaat:
Beeldmaat:
een ontroerend of grappig reclame :))
Afzender:
Datum:
Controle:
Filenaam:
downloadde

reclame
Image/Mode:
Image/Taille:
Message:
le sexe d'une femme apres l'amour (humour, r=E9clame) :))
Expediteur:
Date:
V=E9rification:
Filenom:
t=E9l=E9charger

commercial
ImageFormat:
ImageSize:
Message:
you need to see this :))
From:
Date:
Control:
Filename:
download
fotoimagpictdscnx-zip-compressed;
messenger
photo

megasztar
K=E9pForm=E1tum:
K=E9pM=E9ret:
=DCzenet:
itt a kedvenc megaszt=E1ros k=E9pem :))
Felad=F3:
D=E1tum:
Ellen=F4rz=E9s:
Filen=E9v:
let=F6lt=E9s

humor
Cuadro/Format:
Cuadro/Medida:
Mensaje:
Sexo y humor para pasar un buen rato! :))
Expedidor:
Data:
Control:
Nombre del cuadro:
descarga

The infected attachment will have random string followed by any one of the following extension.

bat, com, cmd, zip or pif

Upon execution of the infected attachment, the worm displays a message box with the following message.

Image format error!

It copies itself as Antivirus Update.exe in the Windows System folder.

It modifies the Windows registry at the following locations to load itself during next startup;

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

To propagate itself, the worm scans the files with the following extensions and collects all the available email addresses from the infected system.

adb, asp, dbx, eml, wab, fpt, mbx, php, htm, inb, pmr, sht, tbb, sht and txt

This worm performs denial of service attack to some websites.

This worm first appeared on October 11, 2005.

 Other names of W32/Zafi.F Worm:

This Worm is also known as WORM_ZAFI.F.