WORM_ZAFI.D is a memory-resident, mass-mailing worm that is currently spreading in the wild. On December 14 Trend Micro declared a Yellow Alert to control the spread of this worm. It uses its own built-in Simple Mail Transfer Protocol (SMTP) engine to send malicious Christmas greetings. It runs on Windows 98, ME, NT, 2000, and XP.
Upon execution, this mass-mailing, memory-resident worm displays a message box. It drops a copy of itself as NORTON UPDATE.EXE, and drops several .DLL files with 8-character random file names in the Windows system folder; some of these .DLL files are copies of the worm, while others are email log files. It also drops a log file called S.CM in the root folder. It then adds a registry entry that allows it to automatically execute at every system startup.
This worm drops a copy of itself using either of the following filenames:
WINAMP 5.7 NEW!.EXE
ICQ 2005A NEW!.EXE
It drops the file in folders that contain one of the following strings:
Most file-sharing applications, such as KaZaA, Shareaza, and Morpheus, use folder names with these strings when sharing files through peer-to-peer (P2P) networks. P2P users who search for Winamp and ICQ installers may inadvertently download this dropped ZAFI copy instead.
This worm uses its own built-in Simple Mail Transfer Protocol (SMTP) engine, which allows it to send malicious Christmas greetings without having to use other email applications like Outlook Express. The language used in the message body depends on the domain of the email recipient. For example, when the Top Level Domain of the recipient's email address is .COM, the message is sent in English; when the Top Level Domain is .DE, the message is sent in German. Please visit the Technical Details of this virus description to view samples and screenshots of the email it sends.
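The dropped-file, log-file and startup-entry artefacts described above can be turned into an offline host triage check. The following is an added example, not Trend Micro's code: it scores an inventory of file paths and autostart entries against the names given in this description. It assumes the startup entry lives under the standard Run/RunOnce keys (the description does not name the key), and it uses a baseline of DLL names from a clean reference system to keep the weak 8-character-name heuristic from flagging legitimate files; the sample inventory is constructed.

```python
import re

# Filenames the description says the worm drops (Windows names are case-insensitive).
DROPPED_NAMES = {"norton update.exe", "winamp 5.7 new!.exe", "icq 2005a new!.exe"}
# Log file the worm writes to the root folder.
ROOT_LOG = re.compile(r"^[a-z]:\\s\.cm$", re.IGNORECASE)
# 8-character .DLL in the Windows system folder; weak on its own, since the names are random.
SYSTEM_DLL8 = re.compile(r"^[a-z]:\\(?:windows|winnt)\\system(?:32)?\\[a-z0-9]{8}\.dll$", re.IGNORECASE)
# Assumption: the description only says a startup entry is added, not which key,
# so the standard Run/RunOnce keys are inspected here.
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")

def classify_path(path, baseline_dlls):
    """Return 'high', 'medium', 'low' or None for one file path. baseline_dlls holds
    lower-case DLL names taken from a clean reference system, so legitimate
    8-character names such as kernel32.dll are not flagged by the random-name heuristic."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name in DROPPED_NAMES:
        return "high"
    if ROOT_LOG.match(path):
        return "medium"
    if SYSTEM_DLL8.match(path) and name not in baseline_dlls:
        return "low"  # corroborate with a hash or signature check before acting on it
    return None

def triage(paths, autoruns, baseline_dlls):
    """paths: file inventory; autoruns: (registry key, command) pairs collected from the host."""
    findings = [(lvl, p) for p in paths if (lvl := classify_path(p, baseline_dlls))]
    for key, command in autoruns:
        if any(k in key.lower() for k in RUN_KEYS) and any(n in command.lower() for n in DROPPED_NAMES):
            findings.append(("high", f"{key} = {command}"))
    return sorted(findings)

# Constructed sample inventory for demonstration, not data from a real host.
SAMPLE_PATHS = [r"C:\WINDOWS\SYSTEM32\NORTON UPDATE.EXE", r"C:\WINDOWS\SYSTEM32\kernel32.dll",
                r"C:\WINDOWS\SYSTEM32\qx7hd2pm.dll", r"C:\S.CM",
                r"C:\Program Files\KaZaA\My Shared Folder\WINAMP 5.7 NEW!.EXE"]
SAMPLE_AUTORUNS = [(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Norton",
                    r"C:\WINDOWS\SYSTEM32\NORTON UPDATE.EXE")]
SAMPLE_BASELINE = {"kernel32.dll", "advapi32.dll", "comctl32.dll"}

if __name__ == "__main__":
    for level, item in triage(SAMPLE_PATHS, SAMPLE_AUTORUNS, SAMPLE_BASELINE):
        print(level, item)
```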