Virus-laden email Christmas cards on the loose

Christmas greeting messages are being used by a new variant of the mass-mailing Zafi virus (Zafi.D) to reach its victims.

So far, email security services provider MessageLabs says, more than 200,000 copies have been intercepted, averaging about 40-45,000 per hour. The first copy was intercepted on Tuesday, 14 December.

The subject line typically has a variant of "Merry Christmas!" or a similar greeting in another language, and the message carries a virus-laden attachment.

The worm boasts a unique feature in that it apparently checks the country domains of its victims and sends its message in the matching language. Mainly European languages and English are used.

W32/Zafi.D-mm is a mass-mailing virus that uses its own SMTP engine to spread and harvests email addresses from compromised machines. The virus also attempts to replicate via P2P applications.

The "from:" field of the email is spoofed and the body of the Zafi.D emails may be in English, as well as many other languages. Previously, the original Zafi.A used only Hungarian.

The virus is attached under a variety of different filenames and extensions, such as card.php3686.cmd, postcard.php5682.cmd, xmascard.php8238.cmd and others.
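A mail gateway can flag this naming pattern before the message reaches a user. The following is an added example, not code from MessageLabs or the article: it parses a raw message and reports attachments whose final extension is executable, noting when a decoy inner extension such as `.php5682` precedes it. The extension lists, function names and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy

# Assumed blocklist of extensions Windows runs on double-click (not from the article).
EXECUTABLE_EXTS = {"cmd", "bat", "pif", "scr", "com", "exe"}
# Decoy inner extension shaped like the article's samples: "php" plus digits.
DECOY_RE = re.compile(r"^(php|htm|html|jpg|gif|txt)\d*$")

def classify_filename(name):
    """Return 'decoy-executable', 'executable' or 'ok' for an attachment name."""
    # Win32 drops trailing dots and spaces, so normalise before splitting.
    parts = name.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(parts) >= 3 and DECOY_RE.match(parts[-2]):
        return "decoy-executable"
    return "executable"

def scan_message(raw_bytes):
    """Return [(filename, verdict)] for every flagged attachment in a raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()  # decodes RFC 2231 encoded names
        if filename and classify_filename(filename) != "ok":
            findings.append((filename, classify_filename(filename)))
    return findings

# Constructed sample message (addresses and payloads are placeholders).
SAMPLE = b"""From: sender@example.com
Subject: Merry Christmas!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="postcard.php5682.cmd"

placeholder
--b1
Content-Type: image/jpeg
Content-Disposition: attachment; filename="photo.jpg"

placeholder
--b1--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```
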

The recipient must manually open the attachment in order for it to be executed, upon which it will attempt to disable any running firewall and antivirus software. Windows tools, like the Task Manager and the Registry Editor, may also be disabled.

Zafi.D has a remote access component that waits for inbound connections on TCP port 8181. Remote users can then upload and execute files via this backdoor.