W32/Zafi.D-mm is a Christmas-themed mass mailing virus that uses its own SMTP engine to spread and harvests email addresses from compromised machines. The virus also attempts to replicate via P2P applications.
The “from:” field of the email is spoofed, and the body of the Zafi.D emails may be in English as well as many other languages; previously, the original Zafi.A used only Hungarian.
The virus is attached to Christmas greeting messages under a variety of different filenames and extensions. For example, based on the initial copies intercepted, the following attachments were identified:
The recipient must manually open the attachment in order for it to be executed, upon which it will attempt to disable any running firewall and antivirus software.
Windows tools, like the Task Manager and the Registry Editor, may also be disabled.
Zafi.D has a remote access component that waits for inbound connections on TCP port 8181. Remote users can then upload and execute files via this backdoor.
Fw: boldog karacsony...
Fw: Joyeux Noel!
Fw: Merry Christmas!
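Two of the behaviours described above leave a footprint in connection logs: an embedded SMTP engine shows up as one internal host talking TCP/25 directly to many external mail servers instead of the sanctioned relay, and the backdoor shows up as inbound connections to TCP port 8181. The following triage script is an added example, not part of the original advisory; the record format, the internal address range, the relay address and the alert threshold are assumptions.

```python
"""Flag Zafi.D-style behaviour in constructed "src,dst,dport" connection records:
 - an internal host opening direct TCP/25 connections to many distinct external
   hosts (what a worm's own SMTP engine looks like on the wire);
 - any inbound connection to TCP/8181, the port the advisory names for the backdoor.
"""
from collections import defaultdict

INTERNAL = "10.0."             # assumed internal address prefix
RELAYS = {"10.0.0.25"}         # assumed sanctioned outbound mail relay
SMTP_PORT = 25
BACKDOOR_PORT = 8181           # from the advisory
DIRECT_SMTP_THRESHOLD = 5      # assumed: distinct external MXs before alerting

def parse(line):
    src, dst, dport = line.strip().split(",")
    return src, dst, int(dport)

def analyse(records):
    smtp_targets = defaultdict(set)
    alerts = []
    for line in records:
        src, dst, dport = parse(line)
        bypasses_relay = (dport == SMTP_PORT and src.startswith(INTERNAL)
                          and dst not in RELAYS and not dst.startswith(INTERNAL))
        if bypasses_relay:
            smtp_targets[src].add(dst)
        if dport == BACKDOOR_PORT and dst.startswith(INTERNAL):
            alerts.append(("backdoor_connect", src, dst))
    for host, targets in smtp_targets.items():
        if len(targets) >= DIRECT_SMTP_THRESHOLD:
            alerts.append(("direct_smtp_engine", host, len(targets)))
    return alerts

SAMPLE = [  # constructed records, not real traffic
    "10.0.5.7,10.0.0.25,25",       # normal client mail via the relay
    "10.0.5.9,198.51.100.1,25",    # 10.0.5.9 talks to five external MXs directly
    "10.0.5.9,198.51.100.2,25",
    "10.0.5.9,198.51.100.3,25",
    "10.0.5.9,198.51.100.4,25",
    "10.0.5.9,198.51.100.5,25",
    "10.0.5.9,198.51.100.1,25",    # repeat destination, counted once
    "10.0.5.7,203.0.113.10,443",   # unrelated HTTPS
    "192.0.2.44,10.0.5.9,8181",    # external host reaching the backdoor port
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print(alert)
```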
MessageLabs detected this virus proactively, using its unique and patented Skeptic™ predictive heuristics technology.
For further information, please visit the MessageLabs website at: www.messagelabs.com/intelligence
MessageLabs is the leading provider of managed email security services to businesses worldwide. The company currently protects more than 8,000 businesses worldwide from email threats such as viruses, spam and other unwanted content before they reach their networks and without requiring additional hardware or software. Powered by a global network of control towers that currently spans the United States, the United Kingdom, Germany, the Netherlands and Hong Kong, MessageLabs scans tens of millions of emails a day on behalf of customers such as The British Government, The Bank of New York, EMI Music, HealthPartners, StorageTek, Air Products and Chemicals, SC Johnson, Conde Nast Publications, Fujitsu and Diageo. For more information on MessageLabs and its industry-leading email security and management services, please visit: www.messagelabs.com