Zafi Worm Spreads Fast With Multi-Language Seasons Greeting

Another version of the Zafi worm strikes, and it has spread fast enough to force anti-virus firms to up their alert warnings.

December 14, 2004

2 Min Read
NetworkComputing logo in a gray background | NetworkComputing

Another version of the Zafi worm hit the Internet Tuesday, and by virtue of its multi-language "Merry Christmas" greetings, managed to spread fast enough to force anti-virus firms to up their alert warnings.

"Around the holidays most people receive an increased number of e-mail greetings from friends and relatives wishing them good cheer," said Gregg Mastoras, a senior security analyst for Sophos, in a statement. "Unfortunately, the Grinches and Scrooges of the virus writing world are looking to steal the joy by infecting the innocent."

Zafi.d, which like earlier variants hails from Hungary, comes as a payload attached to messages with the subject line of "Merry Christmas." Addresses containing .com receive the English version, while other domains, such as .de or .es, receive messages with language-specific headers like "Frhliche Weihnachten!" and "Feliz Navidad!" Other languages include Hungarian, Finnish, Russian, Italian, Polish, Danish, Norwegian, French, and Swedish.

Users must open the attachment to become infected.

Although Zafi.d tries to shut down various anti-virus and firewall products, it doesn't have much of an ulterior motive, and won't, for instance, drop in a Trojan horse to exploit the infected machine later for other purposes, such as spamming or denial-of-service attacks. It uses peer-to-peer file sharing folders as another infection vector, however."There's still a lot of 'crank-like' activity by virus writers," a spokesperson for Computer Associates said. "That's especially prevalent during certain seasons, like the Christmas holidays."

Although some anti-virus firms were still analyzing the worm by mid-morning Tuesday, others had upped their user alerts to account for the quickly-spreading code.

Panda Software, for example, cited the fact that it had received Zafi.d reports from 18 different countries as the reason it was bumping the worm to medium. McAfee also rated it a medium threat, and U.K.-based MessageLabs said that it had already intercepted 25,000 copies of the worm.

Security firms gave out the usual advice for users to update their anti-virus definitions. and forego clicking on attachments in unsolicited messages.

"Computer users should be extra vigilant during the holiday season, taking care not to open any unsolicited files sent by e-mail," recommended Sophos' Mastoras.0

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights