worm_ZAFI.D

As of December 14, 2004 8:13 AM PST, TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_ZAFI.D. TrendLabs has received several infection reports indicating that this malware is spreading in Germany, France and Spain.

The following is a brief overview of the worm process:

This worm spreads via email or peer-to-peer (P2P) file-sharing networks.

Here is a sample of the email:

Subject:
Re: Merry Chrsitmas!

Message body:
Happy Hollydays!

Pamela M.

Attachment:
postcard.index.php1111.pif

Note that the language of the email may change depending on the domain of the recipients.

TrendLabs will be releasing the following EPS deliverables:

TMCM Outbreak Prevention Policy 137
Official Pattern Release 2.297.00
Damage Cleanup Template 467

For more information on WORM_ZAFI.D, you can visit our Web site at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D

 

sorry about this post--I seen this was already posted.I tried to delete it but when I clicked edit I didnt see a way to delete it.

 

That's OK, RitaANN, Lord Bless, Happy Holidays. Maybe this worm is so bad it deserves "double coverage" here. I just got this from TrendMicro Newsletter:

"Daffy ZAFI - WORM_ZAFI.D (Medium Risk)"

WORM_ZAFI.D is a memory-resident, mass-mailing worm that is currently spreading in-the-wild. On December 14 Trend Micro declared a Yellow Alert to control the spread of this worm. It uses its own built-in Simple Mail Transfer Protocol (SMTP) engine to send malicious Christmas greetings. It runs on Windows 98, ME, NT, 2000, and XP.

Upon execution, this mass-mailing, memory-resident worm displays a message box. It drops a copy of itself as NORTON UPDATE.EXE, and drops copies of itself as .DLL files with 8-character random file names. Some .DLL files are copies of itself while others are email log files in the Windows system folder. It also drops a log file called S.CM in the root folder. It then adds a registry entry that allows it to automatically execute at every system startup.

This worm drops a copy of itself using either of the following filenames: "WINAMP 5.7 NEW!.EXE" or "ICQ 2005A NEW!.EXE"

It drops the file in folders that contain one of the following strings: "share" "upload" or "music"

Most file-sharing applications, such as KaZaA, Shareaza, and Morpheus, use folder names with these strings when sharing files through peer-to-peer (P2P) networks. P2P users who search for Winamp and ICQ installers may inadvertently download this dropped ZAFI copy instead.

This worm uses its own built-in Simple Mail Tranfer Protocol (SMTP) engine, which allows it to send malicious Christmas greetings without having to use other email applications like Outlook Express. The language used in the message body is dependent on the domain of the email recipient. For example, When the Top Level Domain of the user's email address is .COM, the message is sent in English. When the Top Level Domain of the user's email address is .DE, the message is sent in German. Please visit the Technical Details of this virus description to view samples and screenshots of the email it sends.

It searches the following files for target email addresses: ADB ASP DBX EML FPT HTM INB MBX PHP PMR SHT TBB TXT WAB

However it skips email addresses that contain the following strings:admi cafee google help hotm info kasper micro msn panda secur sopho suppor syman trend use viru webm win yaho

This worm terminates antivirus and firewall programs. It searches for folders and files from all folders found on the system. It then reads the contents of the files and checks whether the string “firewall or virus” exists. If three or more files contain the specific string, the folder name is stored in a registry entry. When all the folders are obtained, it then traverses the specific registry entry. If the folder name contains the following strings, it terminates all executable files running in the folders: cafee Kasper panda secure sopho syman trend viru

If you would like to scan your computer for WORM_ZAFI.D or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

WORM_ZAFI.D is detected and cleaned by Trend Micro pattern file #2.297.00 and above.