| Sales | 0208 045 4945 | 0800 458 4545 |
| Support | 0208 045 4944 | 0800 230 0032 |
| Sales | 0208 045 4945 | 0800 458 4545 |
| Support | 0208 045 4944 | 0800 230 0032 |
22 Dec 2004
Don’t be fooled by this email that bears the message “Happy Holidays” and
the subject line “Merry Christmas”, even when it appears to be from someone
you know.
Most likely, it is a worm, attached in a file that pretends to be a holiday
postcard greeting and usually arrives via email and through peer-to-peer
networks. The message may appear in different languages based on your
country’s domain.
This worm, called Zafi.d, is a variant of the Zafi worm. Zafi.d is a
mass-mailing worm that when executed, copies itself twice to the
%windir%system32 folder using a random name and .DLL extension. The worm
copies itself to directories on the C: drive containing one of the following
strings: "share", "upload" or "music".
According to TechTree, this worm sends itself out in Hungarian and English,
creates a registry key, so that infected files are executed every time an
infected computer is turned on. Zafi.d also has the ability to search for
directories of anti-virus and personal firewall software, and then overwrite
the executables with a copy of itself.
In an attempt to thwart manual identification and cleaning of an infected
machine, the worm will also attempt to terminate processes.
According to reports, the virus poses a greater threat to home users as it
is most frequently attached to email as a .php file. Home-based Web users
may be less diligent in updating their anti-virus software.
Attachments appear at 12 KB in size. Once inside the infected system, the
worm drops a copy of itself under a legitimate-sounding file name.
Source: www.bigfoot.com
