The New Zafi.D Worm Wishes You “Happy Holidays”

PandaLabs has detected the appearance of the new Zafi.D worm, which spreads in messages that pass themselves off as Christmas greetings, as well as through P2P (peer-to-peer) file sharing applications. As we are in the run up to Christmas, this type of social engineering could help this new malicious code to infect a large number of computers. In fact, Panda Software’s international tech support network has already stated to receive reports of incidents caused by Zafi.D in a large number of countries. For this reason, users are advised to take precautions with any email messages they receive. Panda Software clients who already have the new TruPrevent Technologies installed have been protected since the worm first emerged, as these preventive technologies have been able to detect and block Zafi.D without needing to be able to identify it first (more information about the new TruPrevent Technologies at

Zafi.D reaches computers in an email message whose subject is a person’s name selected at random and the message text Happy holidays! in the language corresponding to the domain of the email address the message is being sent to. Therefore, if the message is sent to an email address ending in .es, it will be written in Spanish, whereas if it ends with the domain .de, the text will be written in German. Similarly, these email messages contain an attached file with a variable name, selected from a long list of options.

If the user runs this file, which actually contains Zafi.D, a false error message is displayed on screen and the worm sends itself out via email, using its own SMTP engine, to all the addresses it finds in the files with certain extensions stored on the affected computer. This worm ends any processes running in memory that contain the text firewall or virus. Similarly, it prevents access to applications that contain the text reged, msconfig or task.

What’s more, Zafi.D inserts several entries in the windows registry in order to ensure it is run whenever the computer is started up.

In order to spread via P2P application, Zafi.D copies itself to all the folders in the C: drive whose path contains the text share, upload or music. These names of these files are winamp 5.7 new!.exe or ICQ 2005a new!.exe.

Due to the possibility of being infected by Zafi.D, Panda Software advises users to take precautions and update their antivirus software. Panda Software has made the corresponding updates available to its clients to detect and disinfect this new malicious code.

Panda Software’s clients can already access the updates for installing the new TruPrevent Technologies along with their antivirus protection, providing a preventive layer of protection against this and other new malicious code. For users with a different antivirus program installed, Panda TruPrevent Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the new virus is still being studied and the corresponding update is incorporated into traditional antivirus programs, decreasing the risk of infection. More information about TruPrevent Technologies at

Don't miss