|Type||Mass mailer worm|
|Creator||The SNAF Team|
|Place of Origin||Pecs, Hungary|
|File Type(s)||.exe, .scr, dll*|
|Infection Length||11,776 bytes|
Hazafi, also known as Zafi or Erkez is an email worm from Hungary. Its original variant and some subsequent variants contained a political message complaining about corruption, and making suggestions about how the Hungarian government could change for the better.
Zafi arrives in an email message with a spoofed sender line of email@example.com. The subject is "kepeslap erkezett!" (Hungarian for "postcard arrived"). The text body contains some spelling errors (or it is possibly in a different dialect), mostly changing the letter E with an Ó:
Tisztelt felhasználó! Önnek kópeslapja órkezett! A kópeslap feladója: A lapot az alábbi cimen tudja megtekinteni: http//matav.hu/viewcard/index=psp4uo5683535GSb0123fhhf578840f0623cv2 vagy a mellókelt internetlink kattintásával. Üdvözlettel: Matav e-card! http//www.netezz.matav.hu/
This translates to:
Dear user! You received a postcard! The postcard is from: You can view the page at the following address: http//matav.hu/viewcard/index=psp4uo5683535GSb0123fhhf578840f0623cv2 or clicking the link attached. Sincerely: Matav e-card! http//www.netezz.matav.hu/
When executed, Hazafi checks if the month is April, and will only continue if that is so. The worm drops a copy of itself in the system folder with a name consisting of 8 random characters and an .exe extension. It creates a new local machine registry under \SOFTWARE\Microsoft named Hazafi, where it stores its configuration information. It also creates a local machine run key for itself with its file name in the system folder as a value so it will run every time the machine is started.
Hazafi queries google.com for an Internet connection. The worm also attempts to end several security processes, along with some others that might help the user find out what is happening to the computer and fix it. The worm searches for email addresses to send a copy of itself to in severl types of files, including email files, .html files, text and some source codes. It will ignore email addresses for Microsoft, Hotmail as well as some security companies. The worm also generates email addresses from random characters.
The worm selects a random URL from the Internet Explorer history folder and opens the browser to visit that site. If the date is May 1st, it displays a message box with Hungarian text.
A rough translation of this text is:
People! Hundreds of thousands of Hungarians, a million people who live from day to day are dying of hunger, thirst, and poverty in our country! While many villains in Parliament steal millions, they ignore them. They raise their salaries, while deducting from social justice and waste more money on Formula 1, while homeless are dying on our streets every day, and hospital patients are suffering without NECESSARY instruments. Do you not see this?? Are there no true Hungarians who does not have corrupt interests, who are also not guilty of favoritism! It is not enough to want, and speak beautiful words, but to take action for everyone - everyone! == PATRIOT == / Pecs, 2004, (SNAF Team) /
Hazafi.B's email message will come in Spanish, Dutch, Romanian, Swedish, Norwegian, Finnish, Lithuanian, Polish, Portuguese, German, French, Czech, Italian, Hungarian or English, usually getting the user to open an alleged E-card. It will use microsoft.com in addition to google.com to check for an active Internet connection. This variant can also use peer-to-peer file sharing networks to spread, copying itself to shared folders as either as either "WINAMP 7.0 FULL_INSTALL.EXE" or "TOTAL COMMANDER 7.0 FULL_INSTALL.EXE". It also has a political message in Hungarian:
A hajlektalanok elhelyezeset, a bunteto torvenyek szigoritasat, es a HALALBUNTETES MEGSZAVAZASAT koveteljuk a kormanytol, a novekvo bunozes ellen! 2004, jun, Pecs,(SNAF Team).
The English translation is:
We demand that the government accommodates the homeless, tightens up the penal code and VOTES FOR THE DEATH PENALTY to cut down the increasing crime. Jun. 2004, Pécs (SNAF Team)
Hazafi.D carries a Christmas message and tries to pass itself off as a Christmas E-Card.
Since the original Hazafi was programmed to work only in April and only sent itself to email addresses ending in .hu, its subsequent variants were much more prevalent. A Hazafi variant topped the virus/worm charts of 2004 July. Hazafi.B represented 60% of all reports sent to Sophos on one particular day in late spring of 2004.
As of early 2007, Hazafi.B was still on the charts and topping them. Hazafi.D was on the Wildlist until August of 2009.
Name and Origin
The word Hazafi is Hungarian for Patriot. Antivirus companies refer to it by the name "Zafi", or a bit less commonly, "Erkez". It is unclear whether Hazafi is the intended name of the worm or if it is actually the handle of the person who coded it. Little information is available about the SNAF Team that created the worm, or if they did anything besides Hazafi.
The original variant was obviously carrying a political protest message. At the time, Hungary was under the leadership of socialist Péter Medgyessy, who increased the wages of civil servants by 50% and increased allowances for university students and pensioners (the pensioners received a one-time supplement). This was viewed as irresponsible by some who were concerned it would drain the budget and funding from other areas. Hungary also holds a Formula 1 race, which the government probably spends money on.
The creator of the worm may have also been a Eurosceptic. It was released very shortly before Hungary joined the European Union. In addition, the coder encourages adoption of the death sentence in the message displayed by Hazafi.B, which would disqualify Hungary for EU membership.
This worm actually precedes statements made in an MSZP (Hungarian Socialist Party) meeting that were leaked to the public where the prime minister who succeeded Medgyessy said "we have obviously been lying for the last one and a half to two years.", resulting in riots.
Paul Mangan. Symantec, W32.Erkez.A@mm. 2007.03.12
Sophos Antivirus, W32/Zafi-B.
ElectrivNews.net, The Register, Zafi-b speaks in many tongues. 2004.06.15
Claire Woffenden. WebUser, Virus numbers on the rise. 2004.08.03
Maxim Kelly, ElectricNews.net. The Register, Act of God hampers spam. 2007.02.05
The Wildlist, PC Viruses In-the-Wild - August, 2009.