Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

Warning - Zafi.D Spreads Some Festive Misery

  • 15 December, 2004 09:06

<p>MessageLabs, the leading provider of managed email security services to businesses worldwide, is warning computer users against the W32/Zafi.D-mm virus, another variant of the Zafi family of viruses.</p>
<p>MessageLabs have intercepted over 200,000 copies so far. The first copy was intercepted on 14 December 2004 at 7:34am EST (20:34pm GMT 13 December 2004).</p>
<p>General</p>
<p>W32/Zafi.D-mm is a mass mailing virus that uses its own SMTP engine to spread and harvests email addresses from compromised machines. The virus also attempts to replicate via P2P applications.</p>
<p>The “from:” field of the email is spoofed and the body of the Zafi.D emails may be in English, as well as many other languages. Previously, the original Zafi.A used only Hungarian.</p>
<p>The virus is attached to Christmas greeting messages, and attached as a variety of different filenames and extensions. For example based on the initial copies intercepted, the following attachments were identified:</p>
<p>Count Filename
247 card.php3686.cmd
192 postcard.php5682.cmd
67 xmascard.php8238.cmd
15 wishcard.php5147.pif
4 giftcard.id7165.cmd
4 xmascard.php4016.com
3 card.php8077.cmd
2 giftcard.id6325.com
1 giftcard.id3435.cmd
1 giftcard.php1051.com
1 link.postcard.christmas.index.htm1712.bat
1 link.postcard.index.htm6006.cmd
1 postcard.christmas.index.gif0335.cmd
1 postcard.christmas.index.gif4451.cmd
1 postcard.gif0715.cmd
1 postcard.gif2635.bat
1 postcard.index.gif6540.cmd
1 postcard.jpg2157.cmd
1 postcard.php6184.cmd
1 wishcard.php5662.com
1 wishcard.php5762.cmd
1 wishcard.php7500.cmd
1 xmascard.id2055.cmd
1 xmascard.php2544.cmd
1 xmascard.php8505.cmd</p>
<p>The recipient must manually open the attachment in order for it to be executed, upon which it will attempt to disable any running firewall and antivirus software. Windows tools, like the Task Manager and the Registry Editor may also be disabled.</p>
<p>Zafi.D has a remote access component that waits for inbound connections on TCP port 8181. Remote users can then upload and execute files via this backdoor.</p>
<p>Subject lines:
· boldog karacsony...
· Feliz Navidad!
· Fw: boldog karacsony...
· Fw: Joyeux Noel!
· Fw: Merry Christmas!
· Merry Christmas!</p>
<p>Detection</p>
<p>MessageLabs detected this virus proactively, using its unique and patented Skeptic™ predictive heuristics technology.
For further information, please visit the MessageLabs website at:
www.messagelabs.com/intelligence</p>

Most Popular

Market Place