e-Christmas card has hidden worm

A fresh variant of the Zafi email worm has been spotted masquerading as an e-Christmas card.

The card, however, carries the Zafi-D worm hidden in an attached file.

The worm has another unusual feature: it looks at the country code in each victim's email address and writes the lure message in that country's language. It can do this in 15 languages, covering most of Europe.

Finnish security company F-Secure's Mikko Hypponen, Director of Anti-Virus Research, said that in the first few hours after discovery, reports of infections were coming mainly from Europe. However, given that the attachment needs to be launched manually and most of the rest of the world was asleep, this is hardly surprising. MessageLabs claims to have stopped around 25,000 copies so far.

Even so, earlier viruses with multilingual capabilities, such as the German- and English-speaking Sober, have done better within Europe than elsewhere. ‘In France, for example, people may have grown used to not opening short chatty emails with attachments in English, but when they see something in their own language, they’re more likely to open it.’

The worm looks like standard fare these days: the email spoofs the sender address and uses short festive texts such as ‘Merry Christmas!’ and ‘Happy Hollydays!’ [sic], with an attachment using file extensions including .pif, .cmd, .bat or .com.
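The pattern above is easy to screen for at a mail gateway. The following is an added example written for this page, not code from the article or from F-Secure: it parses a raw message, looks for attachments whose file name ends in an executable extension (the .pif, .cmd, .bat and .com the article lists, plus .exe and .scr, which are abused the same way), and checks whether the subject is one of the festive greetings. It goes a little beyond the article in catching the double-extension and upper-case tricks. The sample messages are constructed inline with the standard library; the addresses, file names and payload bytes are placeholders, not real captures, and the two-subject list stands in for the worm's full 15-language set, which is not reproduced here.

```python
# Added example, not code from the article or from F-Secure: a mail-filter
# check for the Zafi-D lure described above. It parses a raw RFC 5322 message,
# looks for attachments whose file name ends in an executable extension
# (.pif, .cmd, .bat, .com from the article, plus .exe and .scr, which are
# abused the same way), and checks whether the subject is one of the short
# festive greetings. The sample messages are constructed here with the
# standard library; nothing below is a real capture.
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute directly when the attachment is opened.
RISKY_EXTENSIONS = {".pif", ".cmd", ".bat", ".com", ".exe", ".scr"}

# Subject lines quoted in the article; a real filter would carry the full
# 15-language list of greetings the worm uses (assumed, not reproduced here).
FESTIVE_SUBJECTS = {"merry christmas!", "happy hollydays!"}


def attachment_names(msg):
    """Yield the file name of every part that declares one, whatever its
    Content-Disposition, so an 'inline' executable is not missed."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name


def is_risky_name(name):
    """True if the final extension is executable. splitext() keeps only the
    last suffix, so the double-extension trick ('card.jpg.pif') is caught;
    strip() and lower() defeat trailing spaces and case games ('XMAS.COM')."""
    _, ext = os.path.splitext(name.strip().lower())
    return ext in RISKY_EXTENSIONS


def scan_message(raw_bytes):
    """Classify one raw message. Returns the subject, the risky attachment
    names and a verdict: 'block' (festive subject plus executable attachment,
    the Zafi-D pattern), 'quarantine' (executable attachment only) or
    'deliver'. Sender spoofing cannot be judged from the body alone, so the
    From header is reported but not used in the verdict."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg["Subject"] or "")
    risky = [n for n in attachment_names(msg) if is_risky_name(n)]
    festive = subject.strip().lower() in FESTIVE_SUBJECTS
    if risky and festive:
        verdict = "block"
    elif risky:
        verdict = "quarantine"
    else:
        verdict = "deliver"
    return {
        "from": str(msg["From"] or ""),
        "subject": subject,
        "risky_attachments": risky,
        "festive_subject": festive,
        "verdict": verdict,
    }


def build_sample(subject, sender, filename, body="Please see the attached card."):
    """Construct a test message with one attachment (the payload bytes are
    a placeholder, not worm code). Constructed data, not a real capture."""
    msg = EmailMessage()
    msg["From"] = sender          # the worm forges this; value is arbitrary
    msg["To"] = "victim@example.fr"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"MZ placeholder payload", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("Merry Christmas!", "santa@example.com", "christmas_card.jpg.pif"),
        build_sample("Happy Hollydays!", "friend@example.net", "XMAS.COM"),
        build_sample("Invoice", "billing@example.org", "setup.cmd"),
        build_sample("Merry Christmas!", "friend@example.net", "card.jpg"),
    ]
    for raw in samples:
        result = scan_message(raw)
        print(f"{result['verdict']:10} {result['subject']!r} {result['risky_attachments']}")
```

The verdict deliberately keys on the attachment rather than the greeting: a festive subject with a harmless .jpg is delivered, while an executable attachment under any subject is at least quarantined, since the same worm family has shipped under many subject lines and languages.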

Once run, the worm copies itself locally and into the shared folders used by peer-to-peer software. It also pops up a dialog box with the message ‘Error in packed file!’.

It differs from earlier Zafi variants in that it installs a backdoor. Hypponen said that the backdoor component has no way of notifying the author of the IP addresses of infected machines, but that this would not be a problem: the author could simply scan the Internet for systems with the port opened by the worm when he or she is ready to use them. Indeed, such a reporting facility could be a drawback, since antivirus companies could trace where the notifications were headed.

Another difference is that, while the worm shuts down any processes it finds belonging to security software, as many other viruses do, it also overwrites the files those processes were run from. When the system is rebooted, copies of the worm start up in place of the antivirus and firewall software.
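Because the overwritten file keeps its original name and location, the only reliable way to notice the substitution is to compare the file's contents against a baseline taken while the system was clean. The following is an added example written for this page, not code from the article or from F-Secure: it records a SHA-256 baseline of a set of protected executables and later verifies them, reporting each file as modified or missing. The file names and contents are constructed in a temporary directory and are stand-ins for real product paths.

```python
# Added example, not code from the article or from F-Secure: a file-integrity
# check that catches the Zafi-D trick described above, where security
# software's own executables are overwritten so that the worm starts at the
# next boot in their place. It records a SHA-256 baseline of the protected
# files and later verifies it; the hash is compared rather than size or mtime,
# because an attacker can preserve both. The file names and contents below
# are constructed in a temporary directory, not real product paths.
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Map each protected path to its hash while the system is known clean.
    Store the result somewhere the worm cannot rewrite it (read-only media,
    another host), or the check proves nothing."""
    return {path: sha256_of(path) for path in paths}


def verify_baseline(baseline):
    """Return {path: 'modified' | 'missing'} for every file that no longer
    matches; an empty dict means all protected files are intact."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif sha256_of(path) != expected:
            findings[path] = "modified"
    return findings


def demo():
    """Simulate the attack: baseline two stand-in 'security' executables,
    overwrite one with a same-size stand-in for the worm body, and verify.
    Returns the findings keyed by file name. All data here is constructed."""
    with tempfile.TemporaryDirectory() as workdir:
        av = os.path.join(workdir, "antivirus.exe")
        fw = os.path.join(workdir, "firewall.exe")
        with open(av, "wb") as fh:
            fh.write(b"MZ real antivirus binary".ljust(64, b"\0"))
        with open(fw, "wb") as fh:
            fh.write(b"MZ real firewall binary".ljust(64, b"\0"))
        baseline = build_baseline([av, fw])

        # The worm overwrites the antivirus file with a copy of itself,
        # keeping the same name and (here) the same size.
        with open(av, "wb") as fh:
            fh.write(b"MZ worm copy placeholder".ljust(64, b"\0"))

        findings = verify_baseline(baseline)
        return {os.path.basename(p): v for p, v in findings.items()}


if __name__ == "__main__":
    print(demo())   # {'antivirus.exe': 'modified'}
```

Two caveats follow directly from the article: since the worm kills security processes it finds running, a checker run on the live system may itself be terminated, so verification belongs on clean boot media; and once a protected file reports as modified, it should be restored from installation media rather than from anything on the infected host.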

Zafi-B was the most prolific virus for many months between June and September. Its code contained a political message calling for the death penalty in Hungary. Zafi-C carried a message urging the Hungarian Prime Minister to keep Hungary out of the EU. That failed, as Hungary is now a member, and Zafi-D does not appear to carry any message. Hypponen said his hunch, however, is that this latest strain is by the same hand.

F-Secure currently offers protection against Zafi-D. Users should ensure their antivirus software is up to date to avoid infection. Since the worm only runs when its attachment is launched by hand, not opening unexpected .pif, .cmd, .bat or .com attachments, whatever language the message is written in, remains the surest defence.
