Computing & Technology

About.com

Antivirus Software

Share

Apply now to guide this site

Discuss in our forum

Zafi.D worm spreads Christmas fear

From Mary Landesman, former About.com Guide

See More About:

Updated December 14, 2004

A new variant of the Zafi worm, dubbed Zafi.D, sends itself as a Christmas greeting - in a variety of languages depending on the recipient's domain. The greeting may be received in English, Hungarian, Italian, French, or Russian (just to name a few). Regardless of the language Zafi.D sends itself as - the impact is the same. Zafi.D disables antivirus and security software and installs a backdoor on infected systems.

In English, the Zafi.D email message is composed as follows:

Subject: Merry Christmas!
Message body: Happy Hollydays!

Other language subject lines may read:

Attachment type may be one of the following: BAT CMD COM PIF or ZIP

The attachment name can vary but appears to begin with 'postcard'. For example, postcard.index.php1111.pif or postcard.php8583.zip

Zafi.D also spreads via P2P networks, by copying itself as either 'winamp 5.7 new!.exe' or 'ICQ 2005a new!.exe' to local directories containing any of the following strings in their name:

Zafi.D drops a copy of itself as 'Norton Update.exe' to the Windows System folder and modifies the system registry to load when Windows is started:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Wxp4 = "%System%\Norton Update.exe"

Note: By default, the Windows system directory is:
Windows 95/98/ME   -->  C:\Windows\System
Windows NT/2-2000 -->  C:\Winnt\System32
Windows XP              -->  C:\Windows\System32

Zafi.D attempts to shutdown various antivirus and security software and installs a backdoor on infected systems.

Related Articles

Related Searches merry christmas message zafi worm nbsp nbsp nbsp nbsp nbsp postcard index norton update attachment type

©2012 About.com. All rights reserved.

A part of The New York Times Company.