Warning: Zafi.D Spreads Some Festive Misery

MessageLabs, the leading provider of managed email security services to businesses worldwide, is warning computer users against the W32/Zafi.D-mm virus, another variant of the Zafi family of viruses. MessageLabs have intercepted over 25,000 copies so far. The first copy was intercepted on 13th December 2004 at 20:34 GMT.

General
W32/Zafi.D-mm is a Christmas-themed mass mailing virus that uses its own SMTP engine to spread and harvests email addresses from compromised machines. The virus also attempts to replicate via P2P applications.

The “from:” field of the email is spoofed and the body of the Zafi.D emails may be in English, as well as many other languages. Previously, the original Zafi.A used only Hungarian.

The virus arrives as an attachment to Christmas greeting messages, under a variety of different filenames and extensions. For example, based on the initial copies intercepted, the following attachments were identified:

Count   Filename
247     card.php3686.cmd
192     postcard.php5682.cmd
67      xmascard.php8238.cmd
15      wishcard.php5147.pif
4       giftcard.id7165.cmd
4       xmascard.php4016.com
3       card.php8077.cmd
2       giftcard.id6325.com
1       giftcard.id3435.cmd
1       giftcard.php1051.com
1       link.postcard.christmas.index.htm1712.bat
1       link.postcard.index.htm6006.cmd
1       postcard.christmas.index.gif0335.cmd
1       postcard.christmas.index.gif4451.cmd
1       postcard.gif0715.cmd
1       postcard.gif2635.bat
1       postcard.index.gif6540.cmd
1       postcard.jpg2157.cmd
1       postcard.php6184.cmd
1       wishcard.php5662.com
1       wishcard.php5762.cmd
1       wishcard.php7500.cmd
1       xmascard.id2055.cmd
1       xmascard.php2544.cmd
1       xmascard.php8505.cmd

The recipient must manually open the attachment in order for it to be executed, upon which it will attempt to disable any running firewall and antivirus software. Windows tools, like the Task Manager and the Registry Editor, may also be disabled.

Zafi.D has a remote access component that waits for inbound connections on TCP port 8181. Remote users can then upload and execute files via this backdoor.

Subject lines:

boldog karacsony…
Feliz Navidad!
Fw: boldog karacsony…
Fw: Joyeux Noel!
Fw: Merry Christmas!
Merry Christmas!
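As an added illustration (not code from MessageLabs or the original advisory), the following Python turns the two indicators described above, the attachment naming pattern from the table and the listed subject lines, into a simple mail-gateway check. The verdict tiers, function names and the decision to treat any .cmd/.pif/.com/.bat attachment as a weaker signal are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional

# Subject lines listed in the advisory, compared case-insensitively.
ZAFI_D_SUBJECTS = {
    "boldog karacsony…", "feliz navidad!", "fw: boldog karacsony…",
    "fw: joyeux noel!", "fw: merry christmas!", "merry christmas!",
}

# Naming pattern shared by every attachment in the advisory's table: a
# greeting-card stem (possibly dotted, e.g. postcard.christmas.index), a
# decoy "extension" fused with a four-digit number (php3686, gif0335), and
# the real executable extension (.cmd, .pif, .com or .bat).
ZAFI_D_ATTACHMENT = re.compile(
    r"^[a-z]+(?:\.[a-z]+)*\.(?:php|id|gif|jpg|htm)\d{4}\.(?:cmd|pif|com|bat)$"
)

# Executable extensions the advisory shows the worm using.
EXECUTABLE_EXTS = {"cmd", "pif", "com", "bat"}


def classify_attachment(filename: str) -> Optional[str]:
    """Return a reason string for a suspicious attachment name, else None."""
    name = filename.strip().lower()
    if ZAFI_D_ATTACHMENT.match(name):
        return "zafi.d-pattern"
    if "." in name and name.rsplit(".", 1)[1] in EXECUTABLE_EXTS:
        return "executable-attachment"
    return None


def scan_message(subject: str, attachments: List[str]) -> Dict[str, object]:
    """Combine subject and attachment evidence into a gateway verdict."""
    # Normalise a three-dot ellipsis to the character used in the advisory.
    subject_hit = subject.strip().lower().replace("...", "…") in ZAFI_D_SUBJECTS
    hits: Dict[str, str] = {}
    for att in attachments:
        reason = classify_attachment(att)
        if reason:
            hits[att] = reason
    if "zafi.d-pattern" in hits.values():
        verdict = "block"        # exact worm naming pattern: no doubt
    elif hits and subject_hit:
        verdict = "block"        # executable attachment plus a known subject
    elif hits or subject_hit:
        verdict = "quarantine"   # a single weak signal: hold for review
    else:
        verdict = "deliver"
    return {"verdict": verdict, "subject_match": subject_hit, "attachments": hits}
```

Every filename in the table above matches the pattern, while ordinary holiday mail with a .jpg or .pdf attachment is delivered untouched.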

Detection

MessageLabs detected this virus proactively, using its unique and patented Skeptic™ predictive heuristics technology.

For further information, please visit the MessageLabs website at: www.messagelabs.com/intelligence

About MessageLabs

MessageLabs is the leading provider of managed email security services to businesses worldwide. The company currently protects more than 8,000 businesses worldwide from email threats such as viruses, spam and other unwanted content before they reach their networks and without requiring additional hardware or software. Powered by a global network of control towers that currently spans the United States, the United Kingdom, Germany, the Netherlands and Hong Kong, MessageLabs scans tens of millions of emails a day on behalf of customers such as The British Government, The Bank of New York, EMI Music, HealthPartners, StorageTek, Air Products and Chemicals, SC Johnson, Conde Nast Publications, Fujitsu and Diageo. For more information on MessageLabs and its industry-leading email security and management services, please visit: www.messagelabs.com