new worm in the wild

Discussion in 'malware problems & news' started by SecurityTech, Jun 13, 2004.

Thread Status:
Not open for further replies.
  1. SecurityTech

    SecurityTech Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    8
    I'm trying to find some information about a new worm, or variation of an old worm that is out in the wild. Here is what I know.

    I personally have received three different suspicious e-mails today each with different formats and attachments (.att, .pif, and a .com).

    I became aware of this as my brother says he got infected from my aunt. The attachment he opened from her was a .pif... my e-mail from her was entirely different, with a .att attachment. My cousin got infected from the same aunt but the format of the e-mail was different than what my brother got and what I received.

    This is a mass mailing worm. Both my brother and cousin are inundated with delivery notifications.

    Norton did not catch this.
    AVG doesn't catch this.
    Housecall at Trendmicro doesn't catch this.
    TDS-3 doesn't catch this.

    I have scanned all three attachments that I have with these programs and found nothing.

    This worm also appears to disable NAV and it does not spoof the return address (at least not in the cases I've seen).

    How can I help these people clean a virus that I can't identify?

    What's the best way to submit these files to the appropriate people so these programs will pick up on it?
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    SecurityTech,

    Please zip/RAR the files in question (password protected) and attach them to an email to me (my addy is in my profile - left bottom corner). I'll make sure it will be analyzed and submitted to all major AV/AT companies and provide results.

    regards.

    paul
     
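    The first post describes the symptoms a responder sees (several attachment types, a flood of bounce notifications, no detection yet), and Paul asks for the samples to be packaged for AV vendors. The script below is an added example, not code from anyone in this thread: it parses raw messages, lists every attachment with its extension, size and SHA-256, marks the directly executable Windows types the thread mentions (.pif, .com) for submission, and counts bounce-style subjects as a mass-mailing indicator. All messages, senders and payload bytes are constructed for the demonstration; the extension and bounce-marker lists are assumptions, not taken from any vendor description.

```python
"""Triage of suspicious mail attachments before AV sample submission.

Added example, not from the thread. Every message below is constructed.
"""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Extensions that execute directly on Windows (assumed list; the thread
# reports .pif and .com carriers).
RISKY_EXTENSIONS = {".pif", ".com", ".exe", ".scr", ".bat", ".cmd"}
# Subject fragments that usually mark a bounce (assumed list); a flood of
# these is the mass-mailing symptom the first post describes.
BOUNCE_MARKERS = ("delivery status", "undeliverable",
                  "mail delivery failed", "returned mail")


def make_sample(sender, subject, filename=None, payload=b""):
    """Build one raw RFC 822 message (constructed sample data)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content("Body text of the constructed sample.")
    if filename is not None:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed mailbox: three carriers with different attachment types plus
# two bounces, mirroring what the original poster reported.
SAMPLES = [
    make_sample("aunt@example.com", "Hi", "photo.pif",
                b"MZ\x90\x00 constructed pif body"),
    make_sample("aunt@example.com", "Read this", "message.com",
                b"MZ\x90\x00 constructed com body"),
    make_sample("aunt@example.com", "Urgent", "voice.att",
                b"constructed unknown att body"),
    make_sample("mailer-daemon@example.org",
                "Delivery Status Notification (Failure)"),
    make_sample("mailer-daemon@example.net", "Undeliverable: Hi"),
]


def extension_of(filename):
    """Lower-cased extension including the dot, or '' if there is none."""
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot >= 0 else ""


def triage_message(raw):
    """Return one record per attachment: name, ext, size, sha256, verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    records = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""   # undo base64 transfer encoding
        ext = extension_of(name)
        if ext in RISKY_EXTENSIONS:
            verdict = "executable: submit to AV vendor"
        elif ext == "":
            verdict = "no extension: inspect manually"
        else:
            verdict = "unknown type: inspect manually"
        records.append({
            "sender": str(msg["From"]),
            "filename": name,
            "ext": ext,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),  # what the vendor form asks for
            "verdict": verdict,
        })
    return records


def is_bounce(raw):
    """True when the subject looks like a delivery notification."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").lower()
    return any(marker in subject for marker in BOUNCE_MARKERS)


def triage_mailbox(raws):
    """Summarise a batch: all attachment records, the executables, bounce count."""
    attachments = [rec for raw in raws for rec in triage_message(raw)]
    return {
        "attachments": attachments,
        "executables": [r for r in attachments if r["ext"] in RISKY_EXTENSIONS],
        "bounces": sum(1 for raw in raws if is_bounce(raw)),
    }


if __name__ == "__main__":
    summary = triage_mailbox(SAMPLES)
    for rec in summary["attachments"]:
        print(f'{rec["filename"]:12} {rec["size"]:5d} '
              f'{rec["sha256"][:16]}... {rec["verdict"]}')
    print(f'bounces seen: {summary["bounces"]}')
```

    The digests and sizes are what goes into the submission note; the samples themselves still travel in the password-protected archive Paul asks for, which the Python standard library cannot write, so that step stays with zip or RAR on the command line. The .att file ends up as "inspect manually", matching the original poster's own uncertainty about it.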
  3. SecurityTech

    SecurityTech Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    8
    Thanks, Paul.

    I've sent that off. I appreciate the help.
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    My pleasure ;)

    regards.

    paul
     
  5. Stephan123

    Stephan123 Registered Member

    Joined:
    May 15, 2004
    Posts:
    135
    Location:
    The netherlands
    Can you send me the samples too? My mail address is ****f3@xs4all.nl
     
    Last edited by a moderator: Jun 13, 2004
  6. SecurityTech

    SecurityTech Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    8
    New update.

    AVG now identifies these files. The virus database 461 for 6/12/2004 identifies this as I-worm/Zafi.B.

    Housecall and TDS-3 still don't pick this up.

    AVG doesn't identify the .ATT file... not entirely sure that it is a virus... but the whole e-mail was suspicious. Still checking it out.
     
  7. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    EU
  8. Stephan123

    Stephan123 Registered Member

    Joined:
    May 15, 2004
    Posts:
    135
    Location:
    The netherlands
    Zafi.B in my email :eek:
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    http://www.f-secure.com/v-descs/zafi_b.shtml
    http://www.f-secure.com/news/items/news_2004061400.shtml
    Good description and special cleaners.
    I already had emails with them on the 11th, so I started searching for info by then.
    Part of the results are the many emails we also get with a line telling there is an urgent voicemail waiting, or just a link without further words. Probably from infected users spitting out their "joy", but fortunately without the infection itself.
    I hope the webmasters of the sites named are innocent of all the accusations seen in their guestbooks.
     