Step by step fighting with W32/[email protected] worm.
Article published in January 2005.

W32/[email protected] is also known as: Email-Worm.Win32.Zafi.d, [email protected], [email protected], W32/Zafi-D, WORM_ZAFI.D.

This worm spreads through e-mail. It does not use any exploit code to execute the mail attachment automatically; a user has to double-click an infected attachment. When executed, it displays a fake error message. The worm drops the following files into the system32 directory: .EXE, Norton Update.EXE, .DLL, s.CM.

It also creates a registry key. Port 8181 is open on the infected system.

To remove this worm, follow these steps:

1. Disable System Restore if you are a Windows XP or Windows Me user.

2. Restart the computer in safe mode.

3. Delete Norton Update.EXE from the system32 folder.

4. Remove registry keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wxp4" and "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run".

5. Download the latest updates for your antivirus software and scan the hard drive.
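
The indicators named above (the dropped file, the Wxp4 registry key and the open port 8181) can be checked before and after cleanup with a read-only script. This is an added example, not part of the original article; it assumes a Windows system with PowerShell available, and the match on Run values that reference the dropped file name is an assumption about how the entry would look.

```powershell
# Added example: read-only check for the indicators listed in this article.
# It changes nothing on the system; removal still follows the steps above.

$findings = @()
$sys32 = Join-Path $env:SystemRoot 'System32'

# Dropped file named in step 3.
$dropped = Join-Path $sys32 'Norton Update.EXE'
if (Test-Path -LiteralPath $dropped) {
    $findings += "File present: $dropped"
}

# Registry key named in step 4.
$wxp4 = 'HKLM:\SOFTWARE\Microsoft\Wxp4'
if (Test-Path -LiteralPath $wxp4) {
    $findings += "Registry key present: $wxp4"
}

# Values under the Run key from step 4 that reference the dropped file.
# Assumption: an autostart entry would contain the file name from step 3.
$run = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$props = Get-ItemProperty -LiteralPath $run -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... properties PowerShell adds.
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -like '*Norton Update.exe*') {
            $findings += "Run value '$($p.Name)' -> $($p.Value)"
        }
    }
}

# TCP listener on port 8181 (other software may also use this port,
# so treat a hit as a prompt to investigate, not as proof).
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
if ($ipProps.GetActiveTcpListeners() | Where-Object { $_.Port -eq 8181 }) {
    $findings += 'TCP port 8181 is listening'
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the article were found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```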