The Zafi-D worm, which hit the Wild with great speed this past Monday, is
infecting one out of every 10 emails traveling the Internet, according to
This latest variant of the virulent Zafi family also is accounting for
72 percent of all virus reports going into the anti-virus labs at Sophos,
Inc., an anti-virus and anti-spam company with U.S. headquarters in
Lynnfield, Mass. The worm is picking up speed. In the 24-hour period
between Tuesday and Wednesday, Zafi-D accounted for only 65 percent of
all virus reports.
“This is bad,” says Gregg Mastoras, a senior security analyst at
Sophos. “It’s actually been picking up speed… Businesses will have to
start to be more vigilant about what they let through their gateway. That
will slow down the effect of it.”
Mastoras says Zafi-D is gaining so much ground because it’s taking
advantage of the holiday season. The worm harvests email addresses from
infected computers and then spoofs the sender’s address so it appears
that the email is coming from a friend, relative or co-worker. The con
doesn’t stop there, though. Zafi-D also uses the subject lines ‘Merry
Christmas’, ‘Happy HollyDays!’ and ‘Feliz Navidad!’.
“You’re getting this from people you generally think are safe and
secure,” notes Mastoras. “With the message of ‘Merry Christmas’, people
are really being taken in on this one.”
He adds that there hasn’t been a worm that spreads this fast since Netsky
and Sasser first hit the Wild.
Zafi-D has received a ‘medium threat’ level status from Panda Software,
an anti-virus company with U.S. headquarters in Glendale, Calif.
Analysts from MessageLabs, Inc., a managed email security company based
in New York, report that Zafi-D is a mass-mailing virus that uses its
own SMTP engine to spread and harvests email addresses from compromised
machines. The virus also attempts to replicate via P2P applications.
The recipient must manually open the attachment in order for it to be
executed, upon which it will attempt to disable any running firewall and
antivirus software, according to MessageLabs. Windows tools, like Task
Manager and the Registry Editor, also may be disabled.
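As an added illustration of the gateway vigilance Mastoras describes (not code from Sophos, MessageLabs or this article), the Python example below quarantines a message only when one of the three subject lines quoted above arrives together with an attachment, and ignores the sender because the worm spoofs it. The function names, sample addresses and placeholder file name are assumptions made for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines the article attributes to Zafi-D, normalized (lower case,
# trailing punctuation removed) so minor variations still match.
ZAFI_D_SUBJECTS = {"merry christmas", "happy hollydays", "feliz navidad"}


def normalize_subject(subject):
    """Lower-case, collapse whitespace, drop Re:/Fw: prefixes and trailing punctuation."""
    text = " ".join((subject or "").split()).lower()
    while text.startswith(("re:", "fw:", "fwd:")):
        text = text.split(":", 1)[1].strip()
    return text.rstrip("!. ")


def triage(raw_message):
    """Return 'quarantine' when a listed subject arrives with an attachment."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject_hit = normalize_subject(msg["Subject"]) in ZAFI_D_SUBJECTS
    attachments = [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]
    # The sender is deliberately ignored: the worm spoofs known contacts.
    if subject_hit and attachments:
        return "quarantine"
    return "deliver"


def build_sample(subject, with_attachment, sender="friend@example.com"):
    """Constructed test message; addresses and file name are placeholders."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("Season's greetings.")
    if with_attachment:
        msg.add_attachment(b"constructed placeholder bytes",
                           maintype="application", subtype="octet-stream",
                           filename="placeholder.bin")
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, att in [("Merry Christmas", True), ("Happy HollyDays!", True),
                      ("Merry Christmas", False), ("Q4 report", True)]:
        print(f"{subj!r:22} attachment={att!s:5} -> {triage(build_sample(subj, att))}")
```

Requiring both conditions keeps ordinary attachment-free holiday greetings flowing while holding the combination the article describes.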
Zafi-D has a remote access component that waits for inbound connections
on TCP port 8181. Remote users can then upload and execute files via this
Sophos analysts advise IT managers to warn users to be suspicious about