Most antivirus firms deem Zafi-C a low risk to enterprises. But one expert warns each new variant is becoming more sophisticated and malicious; that companies shouldn't dismiss the potential for more damaging strains in the future.
"Each new version of the Zafi worm we see has become more sophisticated and more malicious in its intent," Graham Cluley, senior technology consultant for Lynnfield-based antivirus firm Sophos, said in a statement. "The good news is that at the moment Zafi-C is not spreading at anything like the rate of its predecessor. But companies should still ensure they are keeping their antivirus up to date and practice safe computing at all times."
The prime target of Zafi-C is Hungarian Prime Minister Ferenc Gyurcsany. It has also set its sights on the Google and Microsoft Web sites, according to antivirus firms McAfee Inc. of Santa Clara, Calif., Panda Software of Glendale, Calif. and F-Secure Corp. of Finland.
The worm spreads by e-mail using subjects lines like "Re: Hey buddy!" and "Re: very sick little girl!" If opened, the attached file is designed to set off a distributed denial of service attack against www.google.com, www.microsoft.com and www.miniszterelnok.hu.
Sophos said the worm tries to pique the interest of recipients and encourage them to click on the malicious attachment with such messages as:
- "Please, send forward this letter, and you can give a little hope to a very sick little girl, who is dying in the hospital,
- in 2004. Please read the full story, and send forward!!" (xxxx)
- "Your lover is waiting for you tomorrow, so please hurry, hurry because.." (xxxx)
- "Miss you baby! Whats you doing tomorrow? I`m off, so... I thought maybe we can... Call me okay, before it's too late..."(xxxx)
F-Secure said Zafi-C collects e-mail addresses from the Windows address book and different files with such extensions as .htm, .txt and .mbx. "The worm composes the messages it sends based on complex rules in many different languages," the company said. "The e-mail attachments might have double extensions (composed from .doc/.txt and .exe/.scr)."
Panda said while the worm is a low risk, it is difficult to recognize because it doesn't display any messages or warnings that indicate it has reached the computer.
Zafi-C's most immediate predecessor, Zafi-B, has had a healthy run since it was first detected in June; it carries a message calling for the death penalty to be introduced in Hungary.