‘Xmas’ Zafi.D likes music
p2pnet.net News:- Here comes a Message for Christmas, but it’s there’s no good cheer in it.
Rather, it’s Zafi, back in version D as an Xmas greeting. And like the earlier Zafi.B, it likes p2p.
“Zafi.D enumerates all the directories in the system and copies itself as either ‘winamp 5.7 new!.exe’ or ‘ICQ 2005a new!.exe’ to the ones that contain ’share’, ‘upload’ or ‘music’ in their name,” says F-Secure.
When we reported it on Tuesday, it was in one of every 10 emails. The frequency has now dropped to about one in every 30, says Sophos, but that doesn’t mean Zafi.D on its way out.
"Even though the number of infected emails it is generating is reducing, we wouldn’t be surprised to see the Zafi-D worm still spreading successfully in the wild for months to come," according Sophos’ Graham Cluley.
Probably born in Hungary, the multi-lingual W32/Zafi-D spreads an attached file in emails offering seasonal greetings such as FW: Merry Christmas’, ‘Happy HollyDays!’ and ‘Feliz Navidad!’.”
It’s in different languages including English, French, Spanish and Hungarian and carries an animated .gif of two ‘smiley’ faces and the Christmas messages are attached as .pif, .cmd, .bat, .com or .zip files.
Zafi.B came with an attachment telling anyone opened it, "Don’t worry be happy."
It grabbed your email application and had a distinct liking for p2p programs.
===================
See:-
copies itself – F-Secure Virus Descriptions : Zafi.D, F-Secure, December 14, 2004
dropped – Zafi-D worm threat begins to subside, but Sophos warns users not to be complacent, Sophos, December 17, 2004
p2p programs – Zafi.B: newest e-worm threat, p2pnet, June 15, 2004
