
Zafi.B worm threat upgraded

By Damian Clarkson, ITWeb junior journalist
Johannesburg, 15 Jun 2004

A new variant of the Zafi e-mail worm, first found in the wild last Friday, has been upgraded to radar level two alert.

The Zafi.B worm comes in a host of European languages, and can shut down a PC's anti-virus (AV) program, says F-Secure product manager Mikael Albrecht. "This worm is tricky, as it has a feature that can close down firewalls and AV programs in order to help itself spread further."

Albrecht adds that, because the virus comes in a number of languages other than English, users are often confused and open the infected e-mail. One of the English subject lines is "eYou`ve got 1 VoiceMessage!".

Brett Myroff, CEO of local Sophos distributor Netxactics, says the new virus has become prevalent in virus reports. "In the last 24 hours, the worm has accounted for 60% of all reported virus attacks on Sophos' global virus monitoring station."

Myroff explains that Zafi.B is being sent along with a political message, much like its predecessor, Zafi.A. "It's basically a political message against the Hungarian government, calling for the legalising of the death penalty."

Albrecht says the worm spreads by sending itself to people in the infected PC's address book. When the worm activates, it copies itself to the Windows System Directory with a random .DLL and random .EXE name.

The worm then scans through all directories in the system and replicates as either 'winamp 7.0 full_install.exe' or 'Total Commander 7.0 full_install.exe' to all folders that contain 'share' or 'upload' in their name. Albrecht says it also terminates all applications that have 'firewall' or 'virus' in their filename.
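The file-drop behaviour described above gives administrators something concrete to sweep for. The following is an added example, not code from F-Secure, Sophos or the article: a Python sweep that reports files carrying either of the two reported names inside folders whose name contains "share" or "upload". The function names and the case-insensitive matching are assumptions made for this sketch.

```python
import hashlib
import os

# File names and folder keywords exactly as reported in the article.
DECOY_NAMES = {"winamp 7.0 full_install.exe",
               "total commander 7.0 full_install.exe"}
FOLDER_KEYWORDS = ("share", "upload")


def sha256_of(path):
    """Hash a file in chunks; return None if it cannot be read."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    except OSError:
        return None
    return digest.hexdigest()


def find_zafi_b_decoys(root):
    """Return one record per decoy-named file in a share/upload folder."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        folder = os.path.basename(os.path.normpath(dirpath)).lower()
        if not any(word in folder for word in FOLDER_KEYWORDS):
            continue  # the article ties the copies to these folder names only
        for name in files:
            if name.lower() in DECOY_NAMES:  # assumption: ignore case
                path = os.path.join(dirpath, name)
                hits.append({"path": path, "sha256": sha256_of(path)})
    return sorted(hits, key=lambda h: h["path"])


if __name__ == "__main__":
    import sys
    for hit in find_zafi_b_decoys(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit["sha256"], hit["path"])
```

A hit is a lead for triage, not a verdict: the hash lets the file be checked against an anti-virus vendor's detection before it is removed.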

While the virus poses a threat, Myroff says it is basically a "typical" worm, and should start tapering off soon. "This virus is not like a Sasser worm, it is more of your standard type. As the patches start becoming available from the vendors, which would stop it at the gateway and prevent it spreading, I'm sure the virus will start decreasing in prevalence soon."
