This virus removal tool was designed to help users disinfect their computers when infected with I-Worm.Zafi.B,D.
The worm sends messages in different languages. For this purpose, it checks the domain extension of the email address.
To activate the worm when Windows starts, it enters the created .exe file in the Registry. For this purpose, it creates a value with the name _Hazafibb" in the following Registry key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
To prevent, that more than one instance of the worm is running, it creates a mutex with the name _Hazafibb".
Creates the Registry key:
HKLMSoftwareMicrosoft_Hazafibb
Terminates processes containing one of the following strings:
msconfig
regedit
task
Tries to overwrite .exe files of known security programs, with its own code.
Performs a DoS attack against the following domains:
www.2f.hu
www.parlament.hu
www.virusbuster.hu
www.virushirado.hu
Tries to distribute using file sharing networks. For this purpose, the worm copies itself to all folders, containing the strings share" or upload" in their name. For this purpose, the worm uses the following file names:
Total Commander 7.0 full_install.exe
winamp 7.0 full_install.exe
To distribute by email, the worm gathers email addresses, from files with the following file extensions:
.adb
.asp
.dbx
.eml
.htm
.mbx
.php
.pmr
.sht
.tbb
.txt
.wab
Don't gathers addresses, containing one of the following strings:
admi
cafee
google
help
hotm
info
kasper
micro
msn
panda
sopho
suppor
syma
trend
use
vir
webm
win
yaho
Sends multilingual messages to the gathered addresses.
Find us on Google+
