A new variant of the Zafi family disguises itself as a convincing Christmas greeting
W32/Zafi.D@mm started spreading on 14 December 2004 in e-mail messages containing holiday greetings in several different languages. Due to the considerable distribution this worm has gained in a short period of time W32/Zafi.D@mm has been classified as high risk. W32/Zafi.D@mm was quickly detected by FRISK Software virus analysts and virus signature files providing protection against this threat were released soon thereafter.
This new member of the Zafi family of mass-mailers uses its own SMTP engine to send itself to e-mail addresses harvested from the Windows Address Books of infected computers. W32/Zafi.D@mm tries to avoid detection by excluding e-mail addresses belonging to web administrators, antivirus companies and large Internet companies such as Google and Yahoo.
The worm itself is contained in attachments with the following endings:
The language of the holiday greeting contained in e-mails carrying W32/Zafi.D@mm depends on the domains of the e-mail addresses to which the worm sends itself. W32/Zafi.D@mm sends itself in the appropriate language to the following country specific domains:
Following is the English language text of e-mails carrying W32/Zafi.D@mm:
The latest versions of F-Prot Antivirus detect W32/Zafi.D@mm using virus signature files dated 14 December 2004 or later.