Zafi.D upgraded to Radar Level 2 (F-secure)

Discussion in 'malware problems & news' started by jlo, Dec 14, 2004.

Thread Status:
Not open for further replies.
  1. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
  2. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
  3. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
  4. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
  5. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Just got this email alert from TrendMicro:

    Dear Trend Micro customer,
    As of December 14, 2004 8:13 AM PST, TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_ZAFI.D. TrendLabs has received several infection reports indicating that this malware is spreading in Germany, France and Spain.

    The following is a brief overview of the worm process:

    This worm spreads via email or peer-to-peer (P2P) file-sharing networks.

    Here is a sample of the email:

    Subject:
    Re: Merry Chrsitmas!

    Message body:
    Happy Hollydays!

    :) Pamela M.

    Attachment:
    postcard.index.php1111.pif

    Note that the language of the email may change depending on the domain of the recipients.

    TrendLabs will be releasing the following EPS deliverables:

    TMCM Outbreak Prevention Policy 137
    Official Pattern Release 2.297.00
    Damage Cleanup Template 467

    For more information on WORM_ZAFI.D, you can visit our Web site at:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D
     
  6. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Received:
    Tuesday, December 14, 2004 9:07 AM CST GMT -06:00


    NOD32.ch Newsletter, December-14-2004
    ----------------------------------------------------------------------
    Newsletter (c) Metropolitan Network BBS Inc.


    In this issue:

    1.) Virus Advisory: Win32/Zafi.D

    [German below - French below]

    -------
    ENGLISH
    -------


    1.) Virus Advisory: Win32/Zafi.D

    A new variant of the Zafi virus/worm has been sighted in
    the wild. The .D variant has again been stopped with NOD32's
    Advanced Heuristics before a virus definition to identify
    Zafi.D by name has been released.

    A free stand-alone cleaner, courtesy Paolo Monti, is already
    available for download for all those not using NOD32 yet:
    http://www.nod32.ch/download/tools.stm

    More information will be posted to www.nod32.ch as we get it.

    -------
    German
    -------

    1.) Virus Warning: Win32/Zafi.D

    A new variant of the Zafi virus/worm is currently spreading.
    This variant too was stopped by NOD32's Advanced Heuristics
    before an update to identify it was available.

    A free cleaner by Paolo Monti is already available:
    http://www.nod32.ch/download/tools.stm


    We will publish further information on www.nod32.ch.

    --------
    French
    --------

    1.) Alert: Win32/Zafi.D spreading

    A new variant of Win32/Zafi, Zafi.D, is currently spreading.

    A free cleaning tool is already available:
    http://www.nod32.ch/download/tools.stm

    ----------------------------------------------------------------------
     
  7. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    - ORANGE ALERT: The new Zafi.D worm wishes you "happy holidays" -
    Virus Alerts, by Panda Software (http://www.pandasoftware.com)

    MADRID, December 14, 2004 - PandaLabs has detected the appearance of the new Zafi.D worm, which spreads in messages that pass themselves off as Christmas greetings, as well as through P2P (peer-to-peer) file sharing applications. As we are in the run-up to Christmas, this type of social engineering could help this new malicious code to infect a large number of computers. In fact, Panda Software's international tech support network has already started to receive reports of incidents caused by Zafi.D in a large number of countries. For this reason, users are advised to take precautions with any email messages they receive. Panda Software clients who already have the new TruPrevent Technologies installed have been protected since the worm first emerged, as these preventive technologies have been able to detect and block Zafi.D without needing to be able to identify it first (more information about the new TruPrevent Technologies at http://www.pandasoftware.com/truprevent).

    Zafi.D reaches computers in an email message whose subject is a person's name selected at random and the message text Happy holidays! in the language corresponding to the domain of the email address the message is being sent to. Therefore, if the message is sent to an email address ending in .es, it will be written in Spanish, whereas if it ends with the domain .de, the text will be written in German. Similarly, these email messages contain an attached file with a variable name, selected from a long list of options.

    If the user runs this file, which actually contains Zafi.D, a false error message is displayed on screen and the worm sends itself out via email, using its own SMTP engine, to all the addresses it finds in the files with certain extensions stored on the affected computer. This worm ends any processes running in memory that contain the text firewall or virus. Similarly, it prevents access to applications that contain the text reged, msconfig or task.

    What's more, Zafi.D inserts several entries in the Windows registry in order to ensure it is run whenever the computer is started up.

    In order to spread via P2P applications, Zafi.D copies itself to all the folders on the C: drive whose path contains the text share, upload or music. The names of these files are winamp 5.7 new!.exe or ICQ 2005a new!.exe.

    Due to the possibility of being infected by Zafi.D, Panda Software advises users to take precautions and update their antivirus software. Panda Software has made the corresponding updates available to its clients to detect and disinfect this new malicious code.

    Panda Software's clients can already access the updates for installing the new TruPrevent Technologies along with their antivirus protection, providing a preventive layer of protection against this and other new malicious code. For users with a different antivirus program installed, Panda TruPrevent Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the new virus is still being studied and the corresponding update is incorporated into traditional antivirus programs, decreasing the risk of infection. More information about TruPrevent Technologies at http://www.pandasoftware.com/truprevent

    In addition, users can scan their computers online for free with Panda ActiveScan, available at http://www.pandasoftware.com/

    For further information about Zafi.D, visit Panda Software's Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=56161
     
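Added example, not from this thread or from any of the quoted vendors: a small mail-gateway and disk triage rule built only from the traits the alerts above describe (the Trend Micro sample attachment name in post 5, the "Happy holidays" lure, and the P2P drop names and folder keywords in the Panda alert). The sample messages and paths inside it are constructed; the executable extensions beyond .pif and .exe are assumed additions.

```python
"""Triage helpers derived from the Zafi.D traits quoted in this thread.
Constructed example; not vendor code and not a substitute for a signature."""
import re
from dataclasses import dataclass
from typing import List

# Lure text from the alerts ("Happy holidays!" / the sample's "Happy Hollydays!").
GREETING_RE = re.compile(r"happy\s+hol+[iy]days", re.IGNORECASE)
# .pif and .exe appear on the page; .scr and .com are assumed extra executables.
EXEC_EXTS = (".pif", ".exe", ".scr", ".com")
# P2P copy names and folder keywords quoted from the Panda alert.
P2P_DROP_NAMES = {"winamp 5.7 new!.exe", "icq 2005a new!.exe"}
P2P_DIR_MARKERS = ("share", "upload", "music")


@dataclass
class Mail:
    subject: str
    body: str
    attachment: str  # attachment file name, "" if none


def score_mail(m: Mail) -> List[str]:
    """Return the Zafi.D indicators a message matches; an empty list means clean."""
    hits: List[str] = []
    name = m.attachment.lower()
    if name.endswith(EXEC_EXTS):
        hits.append("executable attachment")
    # The sample "postcard.index.php1111.pif" hides a .pif behind a web-looking name.
    if ".php" in name and name.endswith(".pif"):
        hits.append("double extension")
    if GREETING_RE.search(m.subject) or GREETING_RE.search(m.body):
        hits.append("holiday greeting lure")
    return hits


def find_p2p_drops(paths: List[str]) -> List[str]:
    """Return paths that look like Zafi.D copies in share/upload/music folders."""
    out = []
    for p in paths:
        low = p.lower().replace("\\", "/")
        folder, _, fname = low.rpartition("/")
        if fname in P2P_DROP_NAMES and any(k in folder for k in P2P_DIR_MARKERS):
            out.append(p)
    return out


if __name__ == "__main__":
    # Constructed sample built from the Trend Micro alert's message.
    sample = Mail("Re: Merry Chrsitmas!", "Happy Hollydays!\n\n:) Pamela M.",
                  "postcard.index.php1111.pif")
    print(score_mail(sample))
    print(find_p2p_drops([r"C:\KaZaA\My Shared Folder\winamp 5.7 new!.exe"]))
```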
  8. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    - ORANGE ALERT: Zafi.D is spreading rapidly and is already the virus most frequently detected by Panda ActiveScan -
    Virus Alerts, by Panda Software (http://www.pandasoftware.com)

    MADRID, December 15, 2004 - According to data gathered by the free online antivirus Panda ActiveScan, the Zafi.D worm, which appeared just yesterday, is already the most frequently detected virus around the globe, mainly in South America and Europe, where the most affected countries are Italy, Spain, Bulgaria and Hungary.

    This worm spreads in a file attached to email messages containing the text Happy holidays! As we are in the run-up to Christmas, users are sending millions of greetings via email, which is helping Zafi.D to spread widely and rapidly.

    To prevent this worm from continuing to spread, especially through computers that do not have adequate anti-malware protection installed, Panda Software has released its free PQREMOVE utility, which detects and eliminates Zafi.D from all the computers it may have infected. This tool can be downloaded from: http://www.pandasoftware.com/download/utilities.

    Zafi.D is a multi-lingual worm, as it can adapt the language of the message to the domain of the email address it is being sent to, for example, a German-speaking user will receive the message in German. This significantly increases the capacity of this worm to spread.

    "Zafi.D is a typical example of a worm that takes advantage of important dates to spread as widely as possible. This has happened in the past, and therefore, we were not surprised when it emerged. However, Zafi.D uses social engineering effectively, above all in adapting the message to the recipient's language, who will not be surprised to receive Christmas greetings from companies, family and friends which include an animation," explains Luis Corrons, head of PandaLabs.

    What's more, Zafi.D can be used to gain control of affected computers, as it opens a backdoor in affected computers through a communications port. This allows an attacker to connect to the port and gain remote control of the affected computer.

    Due to the high possibility of being infected by Zafi.D, Panda Software advises users to take precautions with any email messages they receive and to update their antivirus software. Panda Software has made the corresponding updates available to its clients to detect and disinfect this new malicious code.

    Panda Software clients who already have the new TruPrevent Technologies installed have been protected since the worm first emerged, as these preventive technologies have been able to detect and block Zafi.D without needing to be able to identify it first (more information about the new TruPrevent Technologies at http://www.pandasoftware.com/truprevent).

    Users can scan their computers online for free with Panda ActiveScan, available at http://www.pandasoftware.com/

    For further information about Zafi.D, visit Panda Software's Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=56161
     