New Zafi-D Worm Spreads Christmas Fear

The latest variant in the Zafi worm family has hit the Wild, disguising itself as a Christmas greeting. Discovered on Dec. 13, the worm already has earned 'medium threat alert' status.
Posted December 14, 2004

Sharon Gaudin

The latest variant in the Zafi worm family has hit the Wild, disguising itself as a Christmas greeting.

Zafi-D, which was discovered Monday, Dec. 13, has received a medium threat risk assessment from Panda Software, an anti-virus company with U.S. headquarters in Glendale, Calif.

''Despite its disguise, Zafi-D isn't much of a Christmas present,'' warns Graham Cluley, senior technology consultant for Sophos, Inc., an anti-virus and anti-spam company based in Lynnfield, Mass. ''Users who open the attached file will trigger the virus into action, infecting their PC and potentially opening it up to hacker attack.

''Heartless hackers and virus writers can attack at any time of year, and every computer user should be on the lookout for unusual emails and be wary of ever opening any unsolicited file they are sent via email,'' adds Cluley.

Sophos reports that Zafi-D, which is believed to have been written in Hungary, spreads as an attached file in emails offering seasonal greetings to the recipient. The emails come in a variety of languages, including English, French, Spanish and Hungarian.

Subject lines seen so far include ''FW: Merry Christmas'', ''Happy HollyDays!'' and ''Feliz Navidad!''. Embedded in the email is a crude animated GIF of two smiley faces. The 'From' field is spoofed, so the apparent sender says nothing about where the message really came from.

Analysts from MessageLabs, Inc., a managed email security company based in New York, report that Zafi-D is a mass-mailing virus that spreads using its own SMTP engine and harvests email addresses from the machines it compromises. It also attempts to replicate via P2P applications.

The recipient must manually open the attachment for the worm to execute; once running, it attempts to disable any running firewall and antivirus software, according to MessageLabs. Windows tools such as Task Manager and the Registry Editor may also be disabled.

Zafi-D also carries a remote access component that waits for inbound connections on TCP port 8181. Remote users can then upload and execute files on the infected machine through this backdoor.
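The indicators above (a backdoor listening on TCP 8181, a worm mailing itself through its own SMTP engine, lure subject lines with an executable attachment that the user has to open) translate directly into triage checks. The script below is an added example, not code from Sophos, MessageLabs or Panda Software: it parses a `netstat -an` listing for 8181 listeners and for direct outbound SMTP sessions, and flags a mail message only when a quoted lure subject is paired with an executable attachment. The port, the SMTP behaviour and the three subject lines come from the article; the executable-extension list, the attachment name "greeting.exe" and all of the sample input (the netstat listing and both messages) are constructed for the demonstration.

```python
"""Zafi-D triage checks built from the indicators reported in the article.

Added example, not code from Sophos, MessageLabs or Panda Software. The port
(TCP 8181), the SMTP engine and the subject lines come from the article; the
executable extensions, attachment name and all sample input are constructed.
"""
import re
from email import message_from_string

BACKDOOR_PORT = 8181                       # from the article
SMTP_PORT = 25                             # the worm's own SMTP engine talks to port 25
LURE_SUBJECTS = {                          # quoted in the article; the worm uses others too
    s.casefold() for s in ("FW: Merry Christmas", "Happy HollyDays!", "Feliz Navidad!")
}
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")  # assumption

# address:port field of `netstat -an` on Windows or Linux ("0.0.0.0:*" and ":::8181" included)
_ENDPOINT = re.compile(r"^(\S+):(\d+|\*)$")


def _parse_tcp_line(line):
    """(local_addr, local_port, remote_addr, remote_port, state) or None for non-TCP lines."""
    fields = line.split()
    if len(fields) < 3 or not fields[0].lower().startswith("tcp"):
        return None
    endpoints = [m for m in (_ENDPOINT.match(f) for f in fields[1:]) if m]
    if len(endpoints) < 2:
        return None
    local, remote = endpoints[0], endpoints[1]
    return local.group(1), local.group(2), remote.group(1), remote.group(2), fields[-1].upper()


def backdoor_listeners(netstat_output, port=BACKDOOR_PORT):
    """Host-side check: (address, port) of every TCP socket listening on `port`.
    A workstation listening on 8181 deserves a look; confirm with the owning process."""
    hits = []
    for line in netstat_output.splitlines():
        parsed = _parse_tcp_line(line)
        if parsed and parsed[1] == str(port) and parsed[4].startswith("LISTEN"):
            hits.append((parsed[0], parsed[1]))
    return hits


def outbound_smtp_peers(netstat_output, port=SMTP_PORT):
    """Mass-mailer check: remote hosts this machine is talking to on port 25.
    A desktop with several direct SMTP sessions (not to the corporate relay)
    is consistent with a worm running its own SMTP engine."""
    peers = []
    for line in netstat_output.splitlines():
        parsed = _parse_tcp_line(line)
        if parsed and parsed[3] == str(port) and parsed[4] in ("ESTABLISHED", "SYN_SENT"):
            peers.append(parsed[2])
    return peers


def is_zafi_lure(raw_message):
    """Gateway check: a quoted lure subject AND an executable attachment.
    The From header is spoofed, so it is deliberately not used as an indicator;
    a lure subject on a text-only message is not flagged either."""
    msg = message_from_string(raw_message)
    if (msg.get("Subject") or "").strip().casefold() not in LURE_SUBJECTS:
        return False
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(EXEC_EXTENSIONS):
            return True
    return False


# Constructed sample input: Windows `netstat -an` lines from an infected desktop.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:8181           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      198.51.100.7:25        ESTABLISHED
  TCP    192.168.1.10:1043      203.0.113.9:25         SYN_SENT
"""

# Constructed sample messages; "greeting.exe" is an assumed attachment name.
SAMPLE_LURE = """\
From: friend@example.com
Subject: Happy HollyDays!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Merry Christmas!
--b1
Content-Type: application/octet-stream; name="greeting.exe"
Content-Disposition: attachment; filename="greeting.exe"

MZ(binary omitted)
--b1--
"""

SAMPLE_BENIGN = "From: colleague@example.com\nSubject: FW: Merry Christmas\n\nSee you Friday.\n"
```

Run it against a real `netstat -an` capture from a suspect machine and against raw messages pulled from the gateway quarantine. Two caveats follow from the article itself: the subject list is only the handful of lures Sophos quoted, and the worm mails in several languages, so exact subject matching is a quick triage aid rather than a blocklist; and because the From field is spoofed, blocking or notifying the apparent sender is pointless. The attachment-plus-subject pairing is what matters at the gateway, and the 8181 listener is the reliable host-side sign that the payload actually ran.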

Sophos' Cluley advises IT managers to warn users to be suspicious about email greetings.

''Having a business environment where it's seen to be acceptable to send and receive joke programs, screensavers, and electronic greetings cards increases the risk of virus infection at any time, but can prove particularly risky during the holiday season,'' Cluley says. ''When your computer data is at risk, it may be wiser to avoid electronic well-wishing, and use paper and ink instead.''
