Author Topic: Holiday Email spreads a Zafi virus variant!!


techie101

  • Guest
Holiday Email spreads a Zafi virus variant!!
« on: December 16, 2004, 02:17:09 AM »
Beware of any holiday greeting with the word HOLLYDAYS misspelled. Read the release from CNN:

(CNN) -- Grinch-like virus writers are spreading their version of holiday cheer by embedding a variant of the so-called "Zafi" e-mail worm inside electronic greetings.

E-mails with the misspelled attachment "Happy Hollydays" arrived in inboxes Tuesday, with the subject line "Merry Christmas." A worm is hiding inside the attachment.

It propagates itself via e-mail contact lists when the attached file is opened and could render infected computers more vulnerable to spammers or hackers.

The worm spread overnight across 18 European countries, including Great Britain, France, Germany and Italy, but was not expected to make waves in the United States. The Europe-U.S. time difference gave antivirus companies stateside some breathing room.

"Zafi hit the European countries hard and fast this morning at 4 a.m. their time," said Patrick Hinojosa, CTO of the security software company Panda Software, "People open e-mail mainly at work though, so companies here in the U.S. would have already updated their virus protection by the time Americans were waking up."

Hinojosa said as soon as a virus is detected, security software companies scramble to reverse-engineer the code, create a detection file, and then send updated virus definitions out to clients. Most large corporations download the latest virus definitions in the wee hours, before employees arrive.

The first version of Zafi was detected last April. This is the fourth variant. The latest one, however, has a clever twist: It translates "Merry Christmas" into various languages as determined by the domain name. The worm knows that a .fr domain would probably be a French recipient, whereas a .de person would most likely speak German. An embedded translation program matches the domain name with the appropriate holiday greeting, thus increasing the likelihood of the recipient opening the mail.

"We call it social engineering," said Joe Hartmann, a director of North American Research at the antivirus company Trend Micro. "Are you going to open a message with Swedish text in it if you don't speak Swedish? Probably not. But you might if it were in your own language."

Hartmann said that this latest worm does not stack up to the big worms this year, such as Bagle, MyDoom and Netsky, which each had millions in distribution worldwide. Hartmann said Zafi has "only in the thousands, globally."

So far antivirus companies are issuing "medium" threat warnings, and will continue to monitor the worm's spread.


If you do not have your Avast set to auto download the VPS database, do so manually now.

inthewildteam

  • Guest
Re:Holiday Email spreads a Zafi virus variant!!
« Reply #1 on: December 16, 2004, 02:28:27 AM »
Secunia is also issuing alerts, Techie101.

It recently went to "high risk":

http://secunia.com/virus_information/13871/zafi.d/


Offline RejZoR

Re:Holiday Email spreads a Zafi virus variant!!
« Reply #2 on: December 16, 2004, 05:13:04 PM »
Haven't got a single mail with the Zafi-D variant on my Gmail account :P
They reject all attachments with malicious extensions (like scr, com, vbs and so on).

neal62

  • Guest
Re:Holiday Email spreads a Zafi virus variant!!
« Reply #3 on: December 18, 2004, 11:35:21 PM »
Here is some more information about this infection from a2 security:

General
Worm.Win32.Zafi.d is a worm that spreads using file-sharing tools and emails. The worm is compressed using FSG and has a size of 11,745 bytes.
As soon as Worm.Win32.Zafi.D is started, it copies itself to the Windows System directory using the file name "Norton Update.exe". To ensure it starts on every reboot of the computer, it uses the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Wxp4"="%system%\Norton Update.exe"
The worm creates several other files with packed copies of itself or with components the worm uses. These files are:

%system%\ .DLL
C:\s.cm
Spreading
Worm.Win32.Zafi.D searches for files whose extensions contain one of the following strings, to extract mail addresses from them:

htm wab txt dbx tbb asp php sht adb mbx eml pmr fpt inb
Email addresses containing one of the following strings will be ignored:

yaho google win use info help admi webm micro msn hotm suppor syman viru trend secur panda cafee sopho kasper
Found email addresses are saved in randomly named files (8 random characters + ".dll") within the Windows System directory.

The worm's mails try to disguise themselves as Christmas greetings. Depending on the email address, the worm uses different texts in different languages.

Besides normal email spreading, the worm can use several file-sharing networks for spreading. To do so, the worm copies itself to directories whose names contain the following strings:

share upload music
In doing so the worm uses the filenames "winamp 5.7 new!.exe" or "ICQ 2005a new!.exe".

Payload
To protect itself, the worm will try to terminate several anti-virus tools and programs whose names contain one of the following strings:

reged msconfig task
Besides that self-defending behaviour, Worm.Win32.Zafi.D includes a backdoor component listening on port 8181. This backdoor allows attackers to upload files to an infected machine and execute them.

Other special features
Currently no special features are known.
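
As an added example (not code from this thread, from a2 security or from CNN), here is a small Python triage script that turns the indicators quoted above (Run value "Wxp4", "Norton Update.exe", the file-sharing filenames, the port 8181 listener) and the "Happy Hollydays" / "Merry Christmas" lure into defender-side checks. The HostSnapshot class, its field names and the executable-extension set are assumptions; the inputs are constructed snapshots, not live system reads.

```python
# Added example, not from the thread or from a2 security: defender-side triage
# checks built only from the Zafi.D indicators quoted in this thread.
# HostSnapshot, its field names and EXEC_EXT are assumptions; inputs are
# constructed snapshots, not live registry/filesystem/socket reads.
from dataclasses import dataclass

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
ZAFI_RUN_VALUE = "Wxp4"                      # value name used by the worm
ZAFI_DROP_NAME = "norton update.exe"         # copy placed in %system%
ZAFI_SHARE_NAMES = {"winamp 5.7 new!.exe", "icq 2005a new!.exe"}
ZAFI_BACKDOOR_PORT = 8181
EXEC_EXT = {".exe", ".scr", ".com", ".vbs"}  # extensions named in the thread


@dataclass
class HostSnapshot:
    run_values: dict       # {value name: command} under the Run key
    files: list            # full paths seen on disk (share/upload/music dirs)
    listening_ports: set   # TCP ports with a local listener


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_host(snap: HostSnapshot) -> list:
    """Return one human-readable string per Zafi.D indicator found."""
    hits = []
    for name, cmd in snap.run_values.items():
        if name == ZAFI_RUN_VALUE or ZAFI_DROP_NAME in cmd.lower():
            hits.append(f"persistence: {RUN_KEY}\\{name} = {cmd}")
    for path in snap.files:
        if _basename(path) in ZAFI_SHARE_NAMES | {ZAFI_DROP_NAME}:
            hits.append(f"dropped file: {path}")
    if ZAFI_BACKDOOR_PORT in snap.listening_ports:
        hits.append(f"backdoor listener: tcp/{ZAFI_BACKDOOR_PORT}")
    return hits


def check_mail(subject: str, attachment: str) -> bool:
    """Flag the CNN-described lure: an executable attachment whose name
    contains 'hollydays', or any executable sent under 'Merry Christmas'."""
    name = attachment.lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext not in EXEC_EXT:
        return False
    return "hollydays" in name or subject.strip().lower() == "merry christmas"
```

The mail rule deliberately keys on the executable extension first, which is the same policy RejZoR describes Gmail applying: a greeting with a .jpg attachment is never flagged, a .scr or .exe under the seasonal lure is.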

watchthisspace

  • Guest
Re:Holiday Email spreads a Zafi virus variant!!
« Reply #4 on: December 19, 2004, 01:45:51 AM »
I haven't had an email virus at all (yet)  ;D  :P