W32/Zafi.A@mm

Analysis

Variants added to detection in v4.557 AV db update


Specifics
This 32-bit virus has a packed file size of 11,776 bytes. It is coded to send itself only to email addresses with the ".hu" suffix (the country code for Hungary).


Loading At Windows Startup
If the virus is run, it writes itself to the System32 folder as a randomly named EXE file, such as "xpjzolns.exe", and registers itself to run at each Windows startup, as in this example:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"zciojhxq" = C:\WINNT\System32\xpjzolns.exe K2

Email Spreading Routine
The virus searches the hard drive for email addresses and keeps only those with the ".hu" suffix, which limits spreading to Hungarian domains. It stores the addresses it finds in randomly named .DLL files in the System32 folder.

The virus then creates an email with static details and a fixed attachment name, and sends itself using its own built-in SMTP code. Attachments have this name:

"link.matav.hu.viewcard.index42ADR4502HHJeTYWYJDF334GSDEv25546.com"
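As an added example (not code from the Fortinet writeup), the following Python check flags Run-key entries that fit the persistence pattern described above (an 8-letter random value name pointing at a randomly named System32 EXE launched with the "K2" argument) and matches the static attachment name. On Windows it reads the live HKLM Run key via winreg; elsewhere it falls back to a constructed sample list.

```python
import re

# Persistence pattern from the writeup: HKLM\...\Run value with a random
# 8-letter name whose data is <drive>:\...\System32\<8 letters>.exe K2
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
_ZAFI_NAME = re.compile(r"^[a-z]{8}$")
_ZAFI_DATA = re.compile(
    r'^"?[A-Za-z]:\\[^"]*\\System32\\[a-z]{8}\.exe"?\s+K2\s*$', re.IGNORECASE
)
# Static attachment name used by the email spreading routine.
ZAFI_ATTACHMENT = "link.matav.hu.viewcard.index42ADR4502HHJeTYWYJDF334GSDEv25546.com"


def suspicious_run_entries(entries):
    """Return the (name, data) pairs that match the Zafi.A Run-key pattern."""
    return [(n, d) for n, d in entries
            if _ZAFI_NAME.match(n) and _ZAFI_DATA.match(d.strip())]


def is_zafi_attachment(filename):
    """True if an attachment filename equals the virus's fixed attachment name."""
    return filename.strip().lower() == ZAFI_ATTACHMENT.lower()


def read_run_key():
    """Enumerate HKLM Run values on Windows; returns [] where winreg is absent."""
    try:
        import winreg
    except ImportError:
        return []
    entries, i = [], 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:          # no more values
                break
            entries.append((name, str(data)))
            i += 1
    return entries


# Constructed sample: the writeup's example entry plus two benign values.
SAMPLE_ENTRIES = [
    ("zciojhxq", r"C:\WINNT\System32\xpjzolns.exe K2"),
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("OneDrive", r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for name, data in suspicious_run_entries(read_run_key() or SAMPLE_ENTRIES):
        print(f"suspicious Run entry: {name} = {data}")
```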


Recommended Action

  • Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, enable blocking of .COM files via the SMTP, POP3 and IMAP services

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR

Version Updates

Date        Version   Detail
2021-07-20  87.00765
2021-05-01  85.00869