A new variant of the Zafi family disguises itself as a convincing Christmas greeting

14 December 2004

W32/Zafi.D@mm started spreading on 14 December 2004 in e-mail messages containing holiday greetings in several different languages. Due to the considerable distribution this worm has gained in a short period of time W32/Zafi.D@mm has been classified as high risk. W32/Zafi.D@mm was quickly detected by FRISK Software virus analysts and virus signature files providing protection against this threat were released soon thereafter.

This new member of the Zafi family of mass-mailers uses its own SMTP engine to send itself to e-mail addresses harvested from the Windows Address Books of infected computers. W32/Zafi.D@mm tries to avoid detection by excluding e-mail addresses belonging to web administrators, antivirus companies and large Internet companies such as Google and Yahoo.

The worm itself is contained in attachments with the following endings:

.bat .zip .pif .cmd .com

The language of the holiday greeting contained in e-mails carrying W32/Zafi.D@mm depends on the domains of the e-mail addresses to which the worm sends itself. W32/Zafi.D@mm sends itself in the appropriate language to the following country specific domains:

.pl .no .fi .pt .cz .hu .fr .it .lt .sp .mx .ro .de .nl .se .at .es .ru .dk

Following is the English language text of e-mails carrying W32/Zafi.D@mm:

Sender: Pamela M.
Subject: Merry Christmas!
Happy HollyDays!
:) [Sender]

Threat Detection

The latest versions of F-Prot Antivirus detect W32/Zafi.D@mm using virus signature files dated 14 December 2004 or later.

Commtouch® is a leading developer of anti virus software and anti spam filtering services. Commtouch's anti virus computer software, F-PROT Antivirus, is available for a number of operating systems such as Windows, Linux, BSD, Solaris, and AIX as well as the Microsoft Exchange groupware.

1993-2013 © CYREN