Zafi Spreads Like Crazy


December 15, 2004

Network Computing

The Zafi.d worm continued to sweep through the Internet Wednesday, creating such a flood of messages as it replicated that by one security vendor's estimate, it accounted for 10 percent of the world's mail.

"Over 1 in every 10 e-mails traveling across the Internet at the moment is infected with Zafi.d," said Graham Cluley, a senior technology consultant at Sophos, in a statement. "Although anti-virus protection is available it seems there must be many home users who have been complacent and are allowing their PCs to belch out more and more infected e-mails."

Zafi.d, which probably hails from Hungary, used an old trick -- it posed as a Christmas message -- combined with a relatively new one -- it customized itself to the likely language of the recipient -- to give it an edge, analysts said. "Zafi uses social engineering effectively, above all in adapting the message to the recipient's language," said Luis Corrons, the head of Panda Software's threat lab, in another statement.

Zafi.d is also more of a threat than first reported Tuesday when the worm started circulating. After additional analysis, anti-virus vendors noted that Zafi opens a backdoor port on infected computers -- port 8181 -- and tries to download additional code from a remote server.

"The danger is that infected PCs could come under the control of remote hackers," added Sophos' Cluley. "Those hackers could use the legions of infected PCs to do whatever they want: destroy data, steal information, launch spam campaigns, or distributed denial-of-service attacks."

Zafi.d also seems to try to connect to microsoft.com, a possible sign of a denial-of-service (DoS) attack.
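The two host-side indicators the article gives, a listener on the backdoor port 8181 and a machine pushing out far more mail than usual, are the kind of thing an administrator can spot in plain `netstat -an` output. The script below is an added illustration, not code from the article or from any anti-virus vendor: it parses Windows-style `netstat -an` lines (the sample output is constructed, not captured from a real infection) and reports any TCP socket listening on 8181 plus the number of outbound SMTP connections in flight. The function names and the sample addresses are assumptions.

```python
"""Triage a host for the Zafi.d indicators named in the article.

Added illustration: parses Windows-style `netstat -an` output and reports
(1) TCP sockets LISTENING on port 8181, the backdoor port the article says
Zafi.d opens, and (2) how many outbound SMTP (port 25) connections the host
has open, a rough mass-mailing signal. The sample output and helper names
are assumptions made for this example.
"""
import re

BACKDOOR_PORT = 8181  # from the article: Zafi.d opens port 8181
SMTP_PORT = "25"      # outbound mail; a flood of these suggests a mass-mailer

# Matches the four-column layout of Windows `netstat -an`:
#   Proto  Local Address  Foreign Address  State   (UDP lines have no State)
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>[\d.]+|\[[^\]]+\]):(?P<lport>\d+)\s+"
    r"(?P<faddr>[\d.*]+|\[[^\]]+\]):(?P<fport>\d+|\*)"
    r"(?:\s+(?P<state>\S+))?\s*$"
)

# Constructed sample, not a real capture: one backdoor listener and three
# outbound SMTP connections alongside ordinary traffic.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8181           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1040      192.168.1.1:25         ESTABLISHED
  TCP    192.168.1.20:1041      198.51.100.9:25        SYN_SENT
  TCP    192.168.1.20:1042      203.0.113.7:25         SYN_SENT
  TCP    192.168.1.20:1043      203.0.113.44:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
""".splitlines()


def parse_netstat(lines):
    """Return one dict per socket line; headers and blank lines are skipped."""
    sockets = []
    for line in lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # "Active Connections", column header, or blank line
        entry = m.groupdict()
        entry["lport"] = int(entry["lport"])
        sockets.append(entry)
    return sockets


def find_backdoor_listeners(sockets, port=BACKDOOR_PORT):
    """Local addresses with a TCP socket LISTENING on `port`, sorted."""
    return sorted(
        s["laddr"] for s in sockets
        if s["proto"] == "TCP" and s["lport"] == port and s["state"] == "LISTENING"
    )


def outbound_smtp_count(sockets):
    """Number of TCP connections to a remote port 25 (open or being opened)."""
    return sum(
        1 for s in sockets
        if s["proto"] == "TCP" and s["fport"] == SMTP_PORT
        and s["state"] in ("ESTABLISHED", "SYN_SENT")
    )


def triage(lines):
    """Summarise both indicators for one host's netstat output."""
    sockets = parse_netstat(lines)
    listeners = find_backdoor_listeners(sockets)
    smtp = outbound_smtp_count(sockets)
    return {
        "backdoor_listeners": listeners,
        "outbound_smtp": smtp,
        "suspect": bool(listeners) or smtp >= 3,  # threshold is an assumption
    }


if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT))
```

Run it against a saved `netstat -an` capture by reading the file into `triage()`; on a clean host it returns an empty listener list and a low SMTP count. The three-connection SMTP threshold is arbitrary and should be tuned to what the host normally does; a mail server will legitimately exceed it.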

Users who believe their PCs may have been infected by the worm can use any of several disinfection tools available on the Web free of charge. Symantec, for instance, has posted its version here. (Note: Symantec has named this worm Erkez.d; all other anti-virus vendors, however, call it Zafi.d.)
