Zafi worm variant hides behind Christmas cheer

IDG News Service - A new version of the Zafi e-mail worm is spreading Christmas wishes along with its malicious code, according to antivirus software companies.
Zafi.D is a mass-mailing worm that arrives in a ZIP file attached to e-mail messages with the subject "Merry Christmas." Instead of a gift, however, the e-mail package delivers worm code that infects Microsoft Windows systems on which it is opened. Antivirus companies, including McAfee Inc., Sophos PLC and Computer Associates International Inc., issued warnings about the new worm and updated antivirus signatures to stop it.
In addition to the Christmas well wishes in the subject line, Zafi-generated e-mails contain the message "Happy Hollydays" and are signed "Jaime."
CA researchers have collected almost 100 samples of Zafi.D since spotting the new worm variant early today, said Stefana Ribaudo, manager of the company's eTrust Security Management division. At McAfee Inc., about 50 samples of the worm were collected, mostly from Europe, said Vincent Gullotto, vice president of McAfee's Anti-Virus Emergency Response Team.
Both companies rated Zafi.D a "medium" threat, indicating that a number of samples have been spotted and that the worm has a destructive payload.
Like most other mass-mailing e-mail worms, Zafi.D modifies the configuration of Windows machines, shutting down other security software and harvesting e-mail addresses from files on the infected computer. After it harvests e-mail addresses, Zafi uses a built-in Simple Mail Transfer Protocol to send e-mail to those addresses with copies of the worm code, antivirus companies said.
The worm has had more luck spreading than earlier Zafi variants, possibly because of its well-timed and appealing subject line and message, which are good examples of what antivirus researchers call social engineering -- subtle tricks used to gain victims' confidence, Ribaudo said.
However, the increase in reports could be due to an initial spam distribution of the worm. The similarity of Zafi.D to its predecessors -- and to other mass-mailing worms -- means that it's likely that few examples of the new worm are actually getting through to e-mail in-boxes, Gullotto said.
Antivirus experts advised e-mail users to update their antivirus software to obtain the latest virus definitions for Zafi.D and to use extreme caution when handling unexpected e-mail attachments.

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.