Saturday, September 25, 2021

New Zafi-D Worm Spreads Christmas Fear

The latest variant in the Zafi worm family has been found in the wild, disguising itself as a Christmas greeting.

Zafi-D, which was discovered Monday, Dec. 13, has received a medium threat risk assessment from Panda Software, an anti-virus company with U.S. headquarters in Glendale, Calif.

"Despite its disguise, Zafi-D isn't much of a Christmas present," warns Graham Cluley, senior technology consultant for Sophos, Inc., an anti-virus and anti-spam company based in Lynnfield, Mass. "Users who open the attached file will trigger the virus into action, infecting their PC and potentially opening it up to hacker attack.

"Heartless hackers and virus writers can attack at any time of year, and every computer user should be on the lookout for unusual emails and be wary of ever opening any unsolicited file they are sent via email," adds Cluley.

Sophos reports that Zafi-D, which is believed to have been written in Hungary, spreads as an attached file inside emails offering seasonal greetings to the recipient. The emails are written in a variety of languages, including English, French, Spanish and Hungarian.

The emails carry subject lines such as "FW: Merry Christmas", "Happy HollyDays!" and "Feliz Navidad!". Embedded inside the email is a crude animated GIF graphic of two smiley faces. The 'From' field of the email is spoofed, so the apparent sender is no guide to where the message actually came from.

Analysts from MessageLabs, Inc., a managed email security company based in New York, report that Zafi-D is a mass-mailing worm that uses its own SMTP engine to spread and harvests email addresses from compromised machines. The worm also attempts to spread through P2P file-sharing applications.

The recipient must open the attachment manually for the worm to execute; once running, it attempts to disable any firewall and antivirus software it finds, according to MessageLabs. Windows tools such as Task Manager and the Registry Editor may also be disabled, which is itself a sign worth investigating on any affected PC.

Zafi-D also has a remote access component that listens for inbound connections on TCP port 8181. Remote users can upload and execute files via this backdoor, so an unexpected listener on that port is a useful indicator that a machine has been compromised.
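The indicators described above (a seasonal-greeting subject line, an inline GIF and an executable attachment) are enough to write a simple mail-gateway triage check. The following is an added example for this page, not code from Sophos, Panda, MessageLabs or the worm itself: the subject wording is taken from the article, while the extension list, the quarantine policy and both sample messages are this example's own assumptions.

```python
"""Mail-gateway style triage for 'greeting card' email carrying an executable
attachment, the delivery pattern described for Zafi-D.

Added example for this page; not code from Sophos, Panda, MessageLabs or the
worm itself.  The subject wording comes from the article; the extension list,
the verdict policy and the sample messages are this example's own assumptions.
"""
import re
from email import message_from_bytes
from email.policy import default

# Seasonal-greeting subjects quoted in the article.
GREETING_RE = re.compile(
    r"merry\s+christmas|happy\s+holl?ydays|feliz\s+navidad", re.IGNORECASE
)

# Extensions treated as runnable, or as archives that commonly wrap a
# runnable.  Assumption of this example, not a list from the article.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".zip")


def analyse(raw: bytes) -> dict:
    """Return the Zafi-D style indicators found in one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=default)
    subject = str(msg.get("Subject", ""))
    attachments, inline_gif = [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        disposition = part.get_content_disposition()  # 'inline', 'attachment' or None
        if part.get_content_type() == "image/gif" and disposition != "attachment":
            inline_gif = True  # the embedded smiley-face graphic
        name = part.get_filename()
        if name:
            attachments.append(name.lower())
    exec_attachments = [a for a in attachments if a.endswith(EXEC_EXTS)]
    return {
        "greeting_subject": bool(GREETING_RE.search(subject)),
        "inline_gif": inline_gif,
        "exec_attachments": exec_attachments,
    }


def verdict(indicators: dict) -> str:
    """Policy (this example's own): a greeting subject plus a runnable
    attachment is quarantined; any runnable attachment is held for review;
    everything else passes."""
    if indicators["exec_attachments"] and indicators["greeting_subject"]:
        return "quarantine"
    if indicators["exec_attachments"]:
        return "review"
    return "pass"


# Constructed sample, not a captured Zafi-D message: greeting subject, inline
# GIF and a .scr attachment, mimicking the pattern described in the article.
SUSPECT_MSG = b"""From: "A Friend" <friend@example.com>
To: user@example.org
Subject: FW: Merry Christmas
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="xmas"

--xmas
Content-Type: text/html; charset="us-ascii"

<html><body>Happy HollyDays! <img src="cid:smile"></body></html>
--xmas
Content-Type: image/gif; name="smile.gif"
Content-Disposition: inline; filename="smile.gif"
Content-ID: <smile>
Content-Transfer-Encoding: base64

R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==
--xmas
Content-Type: application/octet-stream; name="card.scr"
Content-Disposition: attachment; filename="card.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--xmas--
"""

# Constructed benign greeting with no attachment at all.
BENIGN_MSG = b"""From: colleague@example.org
To: user@example.org
Subject: Merry Christmas
Content-Type: text/plain; charset="us-ascii"

See you in January.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MSG), ("benign", BENIGN_MSG)):
        found = analyse(raw)
        print(label, found, "->", verdict(found))
```

Note that the check deliberately ignores the From header: the article says it is spoofed, and a worm running its own SMTP engine also controls the envelope sender, so sender reputation alone will not catch it. The attachment and subject pattern is the gateway-side signal; the TCP 8181 listener described above is the host-side one.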

Sophos' Cluley advises IT managers to warn users to be suspicious about email greetings.

"Having a business environment where it's seen to be acceptable to send and receive joke programs, screensavers, and electronic greetings cards increases the risk of virus infection at any time, but can prove particularly risky during the holiday season," Cluley says. "When your computer data is at risk, it may be wiser to avoid electronic well-wishing, and use paper and ink instead."
