
Zafi.B
Virus Description

By Mary Landesman, About.com

Jun 14 2004
Zafi.B is a mass-mailing email worm that also spreads by copying itself to folders containing 'share' or 'upload' in the folder name. Zafi.B has a malicious payload, overwriting executables associated with antivirus and firewall software with copies of itself. The worm also disables the execution of processes containing any of the following strings: 'regedit', 'msconfig', or 'task'.

When sent via email, the worm composes its message using the language signified by the top level domain of the intended recipient. For example, those with a .COM domain will be sent an English version, those with a .DE domain will be sent a German version, etc. The message body and text vary. The attachment will have a .pif, .com, or .exe extension. The attachment name may be disguised to appear as if it is a link to a website.

In order to spread via shared folders and Peer-to-Peer (P2P) networks, Zafi.B copies itself as 'winamp 7.0 full_install.exe' and 'Total Commander 7.0 full_install.exe'.

When the Zafi.B worm is executed, it copies itself to the Windows System directory as both a .dll and an .exe. Filenames are random. Zafi.B modifies the System Registry, adding the value _Hazafibb to the HKLM\..\Run key to load the worm when Windows is started.

Zafi.B harvests email addresses from a range of file types found on the infected user's system and creates additional .dll files in the Windows System folder that contain these collected email addresses.
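Because the copies in the Windows System directory use random filenames, the fixed indicators in this description are the two P2P filenames and the _Hazafibb Run value. The following check for both is an added example, not part of the original article; it assumes a list of file paths and a text registry export (.reg format) as input, and the sample data, the PLACEHOLDER key path and the function names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators as stated in the description above.
P2P_NAMES = {"winamp 7.0 full_install.exe", "total commander 7.0 full_install.exe"}
FOLDER_HINTS = ("share", "upload")
RUN_VALUE = "_hazafibb"
# The page elides the key path (HKLM\..\Run), so match any HKLM key ending in \Run.
RUN_KEY = re.compile(r"^HKEY_LOCAL_MACHINE\\.*\\Run$", re.IGNORECASE)

def find_p2p_copies(paths):
    """Return paths named like the worm's copies inside a 'share'/'upload' folder."""
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw)
        folders = [part.lower() for part in p.parent.parts]
        in_shared = any(h in f for f in folders for h in FOLDER_HINTS)
        if p.name.lower() in P2P_NAMES and in_shared:
            hits.append(raw)
    return hits

def find_run_value(reg_text):
    """Return (key, data) pairs where an HKLM Run key holds the worm's value name."""
    hits, key = [], ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # section header: the current registry key
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if m and RUN_KEY.match(key) and m.group(1).lower() == RUN_VALUE:
            hits.append((key, m.group(2).strip('"')))
    return hits

# Constructed sample input (not taken from a real infection).
SAMPLE_PATHS = [
    r"C:\My Shared Folder\winamp 7.0 full_install.exe",
    r"D:\ftp\uploads\Total Commander 7.0 full_install.exe",
    r"C:\Temp\winamp 7.0 full_install.exe",
]
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\PLACEHOLDER\Run]
"_Hazafibb"="C:\\WINDOWS\\System32\\placeholder.exe"
[HKEY_CURRENT_USER\PLACEHOLDER\Run]
"_Hazafibb"="unrelated"
'''

if __name__ == "__main__":
    print(find_p2p_copies(SAMPLE_PATHS))
    print(find_run_value(SAMPLE_REG))
```

The third sample path is not reported because its folder name contains neither 'share' nor 'upload', and the HKEY_CURRENT_USER entry is skipped because the description names an HKLM key.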


©2009 About.com, a part of The New York Times Company.

All rights reserved.