A new member of the Zafi family is using a fake message of holiday cheer to spread, several antivirus firms warned Tuesday.
Glendale, Calif.-based PandaLabs issued an orange alert for W32.Zafi-D Tuesday. Most AV firms consider the worm a medium risk.
"Zafi-D reaches computers in an e-mail message whose subject is a person's name selected at random and the message text 'Happy Holidays!' in the language corresponding to the domain of the e-mail address the message is being sent to," Panda said in its advisory. "Therefore, if the message is sent to an e-mail address ending in '.es,' it will be written in Spanish, whereas if it ends with the domain '.de,' the text will be written in German. Other languages include Hungarian, Finnish, Russian, Italian, Polish, Danish, Norwegian, French and Swedish."
Similarly, these e-mail messages contain an attached file with a variable name selected from a long list of options, Panda said.
"If the user runs this file, which actually contains Zafi-D, a false error message is displayed on screen and the worm sends itself out via e-mail, using its own SMTP engine, to all the addresses it finds in the files with certain extensions stored on the affected computer," the advisory said. "This worm ends any processes running in memory that contain the text 'firewall' or 'virus.' Similarly, it prevents access to applications that contain the text 'reged,' 'msconfig' or 'task.' What's more, Zafi-D inserts several entries in the Windows registry in order to ensure it is run whenever the computer is started up."
Panda said the worm also spreads through peer-to-peer (P2P) file-sharing networks, copying itself to all the folders in the C: drive whose path contains the text "share," "upload" or "music." The names of these files are "winamp 5.7 new!.exe" or "ICQ 2005a new!.exe."
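The P2P copy behaviour Panda describes can be checked for on a drive or a mounted disk image. The sketch below is an added example, not code from Panda or any vendor quoted here; the function name and result keys are hypothetical, and it assumes `root` is the top of the C: volume so that relative paths correspond to the paths the advisory refers to. A name match is only a lead for further analysis, since the article gives no file hashes.

```python
import os

# Indicators as reported in the Panda advisory summarized above.
FOLDER_MARKERS = ("share", "upload", "music")
DROPPED_NAMES = {"winamp 5.7 new!.exe", "icq 2005a new!.exe"}


def scan_for_zafi_d_copies(root):
    """Walk root and classify files carrying one of the reported names.

    Returns a dict with two sorted path lists:
      "p2p_pattern": reported name inside a folder whose path (relative to
                     root) contains "share", "upload" or "music"
      "name_only":   reported name anywhere else, e.g. a copy a user moved
                     (this second bucket is an assumption of the example,
                     not something the advisory describes)
    Matching is case-insensitive because Windows file names are.
    """
    result = {"p2p_pattern": [], "name_only": []}

    def skip_unreadable(_error):
        # One unreadable directory should not abort the whole sweep.
        return None

    for dirpath, _dirs, filenames in os.walk(root, onerror=skip_unreadable):
        # Compare against the path below root, so the mount point of a
        # forensic image does not influence the folder check.
        folder = os.path.relpath(dirpath, root).lower()
        in_marker_folder = any(m in folder for m in FOLDER_MARKERS)
        for name in filenames:
            if name.lower() not in DROPPED_NAMES:
                continue
            bucket = "p2p_pattern" if in_marker_folder else "name_only"
            result[bucket].append(os.path.join(dirpath, name))

    for paths in result.values():
        paths.sort()
    return result


if __name__ == "__main__":
    import sys
    found = scan_for_zafi_d_copies(sys.argv[1] if len(sys.argv) > 1 else ".")
    for bucket, paths in found.items():
        for path in paths:
            print(f"{bucket}\t{path}")
```
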
Lynnfield, Mass.-based Sophos said Zafi-D was probably written in Hungary and the e-mails it travels in can use a variety of different languages including English, French, Spanish and Hungarian. E-mails can contain such messages as "FW: Merry Christmas," "Happy HollyDays!" and "Feliz Navidad!" Embedded in the e-mail is a crude animated GIF graphic of two smiley faces.
"Despite its disguise, Zafi-D isn't much of a Christmas present. Users who open the attached file will trigger the virus into action, infecting their PC and potentially opening it up to hacker attack," Graham Cluley, senior technology consultant for Sophos, said in a statement. "Heartless hackers and virus writers can attack at any time of year, and every computer user should be on the lookout for unusual e-mails and be wary of ever opening any unsolicited file they are sent via e-mail."
Santa Clara, Calif.-based McAfee added in its advisory: "This worm does not use any exploit code in order to execute the mail attachment automatically. A user has to double click on an infected attachment or a file shared via P2P to infect the machine. For machines where the worm has overwritten binaries associated with AV or firewall software, it would be very easy for a user to mistakenly execute the worm."