Search Solo Products, Services and others Overview of the Site Design and Build a Career Contact us for customer service and other feedback info SRN Micro Privacy Statement

 


NORTON UPDATE.EXE PROCESS INFORMATION

Process Name  : Norton Update.exe

Process Path : %System%\Norton Update.exe" [ C:\Windows\System32\Norton Update.exe ]

Process type    : Internet Worm

Malware Name : W32.Zafi.D@mm

Alias             : I-Worm.Zafi.D, W32/Zafi-D, WORM_ZAFI.D, Zafi.D, W32.Erkez.D@mm

Threat level : Medium

Process Details :

                     Norton Update.exe is dropped by Zafi.D aka Erkez.D. It is a mass mailing worm uses e-mail addresses collected from the Windows address book to distribute infected mails. When user opens the e-mail attachment, it displays the fake message box "Error in packed file!" with title CRC: 04F7Bh.

                     Zafi arrives as an e-mail attachment with random message subject and message body. The infected mail message body is chosen from English, Italian, Spanish, Russian, etc. The worm checks the domain name and selects the language of the infected mail. If the domain name ends with .it, Zafi.D will send the infected mail in Italian.

Zafi.D infected mail subject will be one of the following

Merry Christmas!
Buon Natale!
Joyeux Noel!
Christmas pohlednice
Prettige Kerstdagen!
Weihnachen card.
Christmas - Kertki!
Christmas - Atviruka!
Christmas postikorti!
Christmas Postkort!
Christmas Vykort!
Christmas Kort!
ecard.ru
Feliz Navidad!
boldog karacsony...

The infected mail sample is given below.

                     When the infected e-mail attachment is executed, it copies itself to Windows system folder as "Norton Update.exe". It also drops a dll with random file extension. Then it modifies the registry to load automatically on next startup. The registry key modification is given below.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Wxp4 = "%System%\Norton Update.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Wxp4

                     Zafi.D searches C to Z drives and copies itself to folders containing the string "share" or "upload". This string search allows the worm to spread using file sharing networks like KaZaA and imesh. The dropped file names will be winamp 5.7 new!.exe and ICQ 2005a new!.exe .

                     Zafi.D worm overwrites executable files including antivirus programs in the infected system. Zafi.D contains backdoor ability. Also it will not allow regedit, msconfig and task manager process. Zafi.D worm appeared on 14th December 2004.

How can I protect my system?

                   Solo has incorporated detection to Norton Update.exe in its signature file to protect users from this worm attack. Solo antivirus registered users are already protected from this worm. Make sure that you have installed registered version of Solo Antivirus to protect your system from all virus threats.

How to remove this worm?

                   If you are already infected Norton Update.exe process, you can remove it from your computer using Solo Antivirus software. Solo antivirus can detect and remove W32.Zafi.D@mm aka W32.Erkez.D@mm worm safely. Use the following link to Download 30 day trial version of Solo antivirus to remove viruses from your computer.

                   Solo anti-virus not only scans for all viruses, it contains a unique System Integrity Checker to protect you from New Internet Worms, Backdoors and malicious VB, Java Scripts. It also effectively removes all existing Internet Worms, File viruses, malicious VBS, Java scripts, Trojans, Backdoors, boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link