Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


My .doc Are Now .scr! (w32/zaflen.a)

  • Please log in to reply
2 replies to this topic

#1 gigamosh57


  • Members
  • 2 posts
  • Local time:05:40 PM

Posted 09 July 2007 - 04:46 AM

Using an internet cafe here in the Philippines I found, when trying to open a .doc file and print it, that all my .doc files had been relabelled as .scr files and all .jpg had become .exe.

Doing a bit of research and finding other things on the computer that should not be there, I came up with this virus as the root cause: W32/Zaflen.a

I have been able to edit the extensions of many of the files and return them to their proper formats, but the problem I am having now is that many of the files will no longer open... Word (and Openoffice too, for all you M$ haters) gives me an error that it cannot interpret the file and shows me the binary equivalent of a big pile of diarrhea.

Symptoms -

Changing of the file icon for the file types - png, jpg, gif to M.S.Word icon.

Increase in file size by 172067 bytes for the infected files.

Presence of the files and registry entries mentioned.

I can fix symptoms 1 and 3, but not 2 and AVG just wants to delete the file as a method of "Healing" it.

How do I: Find what malicious code is embedded in the file and remove it?

I know a large number of people with the same virus, so a fix would be saintly. If you know anything about this, including what to look for that is out of the ordinary in hex code for word, jpeg, rtf, gif or png files, PLEASE HELP!

Edited by gigamosh57, 09 July 2007 - 04:46 AM.

BC AdBot (Login to Remove)


#2 buddy215


  • Moderator
  • 13,504 posts
  • Gender:Male
  • Location:West Tennessee
  • Local time:03:40 AM

Posted 09 July 2007 - 06:14 AM

I suggest you post a Hijack This log in the Hijack This forum. Follow the directions in the link below.

Harry Waldron - Microsoft MVP Blog
Security News and Best Practices
W32/Zaflen.a - Infects DOC, RTF, JPG, GIF, and PNG files
Users should be careful with any of these files found in email (or potentially posted in an untrusted website). Most likely the virus is an EXE and prepends to each infected damaging dozens or even hundreds of files that may be on the hard drive. Please be careful with all attachments and stay up-to-date on AV protection. McAfee, Microsoft, Kapersky, Sanda, Sophos, and others have protection now.

W32/Zaflen.a - Infects DOC, RTF, JPG, GIF, and PNG files

QUOTE: This detection is for a parasitic file infector, which infects the files with extensions "doc, rtf, jpg, gif and png" by prepending itself to these files. This also uses a mass mailing component for spreading via e-mail. It searches all drives for these file types and changes the icon of the infected files to M.S.Word icon and the extension to scr or exe. It also appends 35 bytes to the end of file along with the extension of the original file.

Aliases: Worm.Win32.VB.gr (Kaspersky) Worm:Win32/Zaflen.A@mm (Microsoft) W32.SillyFDC (Symantec) W32/Nedro.C.worm (Panda) W32/Lovelet-AD (Sophos)

Published Jun 21 2007, 01:31 AM by harry
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 gigamosh57

  • Topic Starter

  • Members
  • 2 posts
  • Local time:05:40 PM

Posted 09 July 2007 - 10:50 PM

Thanks for the help. NOD32 has now identified this virus as "probably a variant of Win32/VB.BP" so I am still looking around for solutions. My computer is no longer running the malicious processes, but now the issue is how to remove the code from my files so I can see them again.

Again, thank you for any and all help provided

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users