Win32/Zafi.B / W32.Erkez.B virus information and removal tool


Win32/Zafi.B / W32.Erkez.B Critical Worm Information


Win32/Zafi.B is a worm that spreads via e-mail and P2P networks. It arrives as an attachment to the e-mail message. Upon activation, Win32/Zafi.B copies itself into the %system% directory with a random name and the extension .exe. In the same directory it creates a new file with a random name and the extension .dll. The worm uses this file to store the e-mail addresses it collects for further spreading.

The worm modifies the following registry key to ensure that it starts at the next system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It creates a new key named _Hazafibb.

The worm also creates the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb

Win32/Zafi.B / W32.Erkez.B searches the hard disk for folders named "share" and "upload" and copies itself into them using one of the following names:
Total Commander 7.0 full_install.exe
winamp 7.0 full_install.exe

It also terminates all processes containing "firewall" and "virus" in the name and blocks the starting of the following utilities: Regedit, Msconfig and Task
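The indicators described above can be checked offline against a registry export and a file listing collected from a suspect host. The following is an added example, not part of the original write-up or any vendor tool; the function names, the sample data and the random executable name in it are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the description above (compared case-insensitively).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb"
MARKER = "_Hazafibb"
BAIT_DIRS = {"share", "upload"}
BAIT_NAMES = {"total commander 7.0 full_install.exe", "winamp 7.0 full_install.exe"}

def scan_reg_export(text):
    """Return findings from the already-decoded text of a .reg export."""
    findings, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            key = section.group(1)
            if key.lower() == WORM_KEY.lower():
                findings.append(("worm key", key))
            continue
        value = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        if value and key.lower() == RUN_KEY.lower() and value.group(1).lower() == MARKER.lower():
            findings.append(("autorun entry", value.group(2)))
    return findings

def scan_file_listing(paths):
    """Return paths whose parent folder and file name both match the bait copies."""
    parsed = ((p, PureWindowsPath(p)) for p in paths)
    return [p for p, w in parsed
            if w.parent.name.lower() in BAIT_DIRS and w.name.lower() in BAIT_NAMES]

# Constructed sample input (not captured from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"_Hazafibb"="C:\\WINDOWS\\system32\\qzxkvbnm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb]
'''
SAMPLE_FILES = [
    r"D:\p2p\share\winamp 7.0 full_install.exe",
    r"D:\p2p\Upload\Total Commander 7.0 full_install.exe",
    r"C:\Program Files\Winamp\winamp.exe",
]

if __name__ == "__main__":
    print(scan_reg_export(SAMPLE_REG), scan_file_listing(SAMPLE_FILES))
```

The data of the autorun entry gives the path of the randomly named copy in the %system% directory, which is the file to quarantine along with the .dll address store beside it.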
