Security News

Zafi-D worm wishes you Happy Holidays

December 16, 2004

A new version of a mass-spreading worm tries to fool email users into opening a malicious attachment.

Email users have probably learnt not to open attachments in unsolicited emails, but a tempting subject line with holiday greetings and embedded eye-catching images may lure them into doing the contrary.

An email worm carrying a Christmas greeting began spreading fiercely on Wednesday. Zafi's fourth incarnation, version "D", arrives as an infectious attachment to emails written in a variety of languages, including English, Spanish, Russian, Swedish and Hungarian. The worm is believed to have originated in Hungary and uses its own embedded SMTP engine to send itself to email contacts harvested from infected machines. To make the mail more attractive to potential victims, the virus translates the text in the subject field into the native language of the recipient.

To propagate, it attempts to terminate firewall and anti-virus applications on the computers it infects. Several Windows tools, such as Task Manager and Registry Editor, are disabled while the worm is active. Even worse, Zafi-D also has a back door that listens on port 8181. Crackers can upload and execute files through this back door, which turns infected machines into zombies.

Typically, infected emails have subject lines such as 'FW: Merry Christmas', 'Happy HollyDays!' and 'Feliz Navidad!'. The attachment name is made up of the word "postcard" in the respective language, random numbers and the extension .pif, .cmd, .bat, or .com. Windows users who open the attached file get infected.
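A mail-gateway check for the attachment extensions listed above, as an added example that is not part of the original article. The function names, addresses and sample messages are constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the article lists for Zafi-D attachments.
BLOCKED_EXTENSIONS = {".pif", ".cmd", ".bat", ".com"}


def risky_attachments(raw: bytes) -> list[str]:
    """Return the filenames of MIME parts whose final extension is blocked."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # None for parts without a filename
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so strip them first.
        cleaned = name.strip().rstrip(". ").lower()
        # Only the last extension decides how Windows opens the file,
        # so "card.jpg.pif" is treated as .pif, not .jpg.
        ext = os.path.splitext(cleaned)[1]
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample(subject: str, filename: str) -> bytes:
    """Build a constructed test message with a harmless attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"      # constructed address
    msg["To"] = "recipient@example.com"     # constructed address
    msg["Subject"] = subject
    msg.set_content("Holiday greetings")
    msg.add_attachment(b"harmless test bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed filenames following the naming pattern the article describes.
    for fname in ("postcard.4821.pif", "POSTCARD.JPG.CMD", "photo.jpg"):
        raw = build_sample("FW: Merry Christmas", fname)
        print(fname, "->", risky_attachments(raw) or "clean")
```

The check keys on the attachment extension rather than the subject line, because the subject varies with the recipient's language.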

McAfee Avert Vice President Vincent Gullotto downplayed the impact of Zafi.D, saying that after a burst at the start, the worm's spread appeared to have run its course as of today. Sophos, a UK-based security software company, said today that the virus accounted for more than 75 percent of all virus reports sent to the company from around the world in the last day.

Anti-virus firm MessageLabs has blocked over 25,000 copies of Zafi-D. The multilingual nature of Zafi-D helps to explain its relative success in spreading. Most anti-virus firms rate Zafi-D as a medium to high risk threat.

Even during the holiday period, people should stick to simple precautionary measures: never open file attachments in messages from unknown senders, keep up to date the AV tools that scan incoming mail for dangerous elements, and monitor and install the latest patches and updates for their operating systems, most of which belong to the Windows product family.

© 2006 PC Flank Ltd. All rights reserved.