Want CNET to notify you of price drops and the latest stories?

Zafi worm purports to be Christmas greeting

As of mid-morning Tuesday, MessageLabs had intercepted over 25,000 copies of the virus.

Matt Hines Staff Writer, CNET News.com
Matt Hines
covers business software, with a particular focus on enterprise applications.
Matt Hines
3 min read
A new variant of the so-called Zafi worm surfaced Tuesday, disguised to appear as a Christmas greeting.

Multiple antivirus researchers reported the emergence of the latest iteration of Zafi, classified as W32/Zafi.D. Security software companies including McAfee and MessageLabs issued warnings detailing that the worm is being hidden in e-mails that advertise themselves as holiday greetings.

According to MessageLabs, Zafi.D is already being attached to bulk e-mails using a variety of file names and extensions. By mid-morning Tuesday, the company said, it had intercepted over 25,000 copies of the virus.

Vincent Gullotto, vice president of McAfee's Anti-virus and Vulnerability Emergency Response Team, or AVERT, said that the worm was likely of greatest threat to home users, as corporate IT managers have been protecting against earlier versions of Zafi. He said that the new version of the virus is not that different from the previous Zafi strains, making it easier for companies to take precautions.

"I suspect that while it generated a medium risk today, within the next 48 hours we probably won't hear much about it. It won't be that successful" because people have experience with other Zafi variants, Gullotto said. "This is the fourth variant in the Zafi family, and only one (of the strains) has been moderately successful."

The security expert observed that since the virus is most frequently attached to e-mail as a .php file, it will have a smaller impact, since most companies already have software in place to block the opening of such files. He said the greater threat is for home-based Web users, who may be less diligent in updating their antivirus software.

"Most at risk are home users who think that it's a Christmas card from somebody that they know...although it's actually from the virus sending it from a spoofed e-mail address," Gullotto said.

However, Gullotto indicated that in eight years of actively following virus outbreaks, he has not seen any that has successfully used an event such as a holiday to spread itself rapidly. He said that phishing attacks and other forms of online fraud that are based on the holiday season may be more successful, but McAfee has yet to identify any attacks along those lines this year.

The first variant of the Zafi worm was discovered in April, and the worm has evolved a great deal since then. Zafi.A tried only to send itself to e-mail addresses inside Hungary. It did not contain a destructive payload. Two months later, Zafi.B was released, and this variant was able to terminate antivirus and firewall applications and "speak" in numerous languages, including English, Russian, Spanish and Swedish.

A previous variant of the virus, Zafi.C, discovered in late October, was programmed to launch distributed denial-of-service attacks on Google, Microsoft and the Web site of the Hungarian Prime Minister. Once active, the Zafi.C version scanned an infected computer's Windows Address Book and hard drive for e-mail addresses. The worm attempted to spread by composing e-mails using a complex set of rules and sending them out with its built-in SMTP engine.

Researchers had not yet identified which sites may be targeted by the latest virus.