A new variant of the Zafi worm has spread rapidly since the weekend, trampling over firewalls and other security...
measures with a political message in several languages. First reported in the wild Friday, several antivirus vendors are calling W32.Zafi.B a medium-level threat due to its speed.
"This worm is tricky, as it has a feature that can close down firewalls and antivirus programs in order to help itself spread further," said Mikael Albrecht, product manager of Helsinki, Finland-based antivirus firm F-Secure Corp. "Another interesting thing about this worm is that the infected messages come in many different languages. As most of the widely spread worms use only English, this feature may confuse the user to open the message, and the worm spreads on."
Zafi-B spreads by e-mail in various .pif, .exe, or .com attachments using such languages as English, Italian, Spanish, Russian, Swedish, German or Finnish. It also gathers addresses from users' address books and then spreads by sending itself to those addresses.
When the worm activates, it copies itself to the Windows system directory with a random .dll and random .exe name. After this, it scans through all directories in the system and replicates as either "winamp 7.0 full_install.exe" or "Total Commander 7.0 full_install.exe" to all folders that contain "share" or "upload" in their name.
Zafi-B wipes out any application with the words "firewall" or "virus" in it. These files are overwritten with a copy of the worm. Several Windows tools, like Task Manager and Registry Editor, are disabled when the worm is active. Zafi-B opens these files with exclusive locking to prevent anything else from opening them.
According to security software vendor Sophos Inc. of Lynnfield, Mass., the worm can display a message box on screen containing the following Hungarian text: "A hajlektalanok elhelyezeset, a bunteto torvenyek szigoritasat, es a HALALBUNTETES MEGSZAVAZASAT koveteljuk a kormanytol, a novekvo bunozes ellen! 2004, jun, PÉcs,(SNAF Team)."
The English translation is: "We demand that the government accomodates the homeless, tightens up the penal code and VOTES FOR THE DEATH PENALTY to cut down the increasing crime. Jun. 2004, PÉcs (SNAF Team)."
"The Zafi-B worm has accounted for over 60% of the reports to Sophos's global network of monitoring stations over the last 24 hours, making it the most widespread e-mail worm at the moment," said Graham Cluley, Sophos' senior technology consultant. "All computer users should ensure their defenses are in place against the latest viruses. That not only includes regular antivirus updates to protect against emerging threats, but also running a policy at your e-mail gateway to block unwanted executable code from entering your business."
Antivirus experts believe the worm originated in Hungary. While the new variant carries a pro-death penalty message, Zafi-A called for Hungarian patriotism.