PandaLabs has detected the
appearance of the new Zafi.D worm, which spreads in messages that pass
themselves off as Christmas greetings, as well as through P2P (peer-to-peer)
file sharing applications. As we are in the run up to Christmas, this type of
social engineering could help this new malicious code to infect a large number
of computers. In fact, Panda Software's international tech support network
has already started to receive reports of incidents caused by Zafi.D in over
18 countries. Users are advised to take precautions with any email messages
they receive. Panda Software clients who already have the new TruPrevent
Technologies installed have been protected since the worm first emerged, as
these preventive technologies have been able to detect and block Zafi.D
without needing to be able to identify it first (more information about the
new TruPrevent Technologies at http://www.pandasoftware.com/truprevent).
Zafi.D reaches computers in an email message whose subject is a person's
name selected at random and the message text "Happy holidays!" in the language
corresponding to the domain of the email address the message is being sent to.
Therefore, if the message is sent to an email address ending in .es, it will
be written in Spanish, whereas if it ends with the domain .de, the text will
be written in German. Other languages include Hungarian, Finnish, Russian,
Italian, Polish, Danish, Norwegian, French and Swedish.
Similarly, these email messages contain an attached file with a variable
name, selected from a long list of options.
If the user runs this file, which actually contains Zafi.D, a false error
message is displayed on screen and the worm sends itself out via email, using
its own SMTP engine, to all the addresses it finds in the files with certain
extensions stored on the affected computer. This worm ends any processes
running in memory whose name contains the text "firewall" or "virus". Similarly, it
prevents access to applications whose name contains the text "reged", "msconfig" or "task".
What's more, Zafi.D inserts several entries in the Windows registry in
order to ensure it is run whenever the computer is started up.
In order to spread via P2P applications, Zafi.D copies itself to all the
folders on the C: drive whose path contains the text "share", "upload" or "music".
The names of these files are "winamp 5.7 new!.exe" or "ICQ 2005a new!.exe".
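As an added example (not Panda Software's own code or tooling), the following Python check turns the P2P drop-location behaviour described above into a simple host-based indicator: it walks a directory tree and flags files carrying one of the two names the worm uses whenever they sit in a folder whose path contains "share", "upload" or "music". The sample tree it scans is constructed inline from harmless placeholder files.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the advisory: folder-path substrings the worm looks for
# and the two file names under which it copies itself.
P2P_PATH_MARKERS = ("share", "upload", "music")
P2P_DROP_NAMES = {"winamp 5.7 new!.exe", "icq 2005a new!.exe"}


def is_p2p_drop_candidate(rel_path):
    """Return True if rel_path (relative to the scanned root) matches the
    drop pattern: a known file name inside a folder whose path contains one
    of the marker substrings. Matching is case-insensitive, as Windows is."""
    p = Path(rel_path)
    if p.name.lower() not in P2P_DROP_NAMES:
        return False
    parent = p.parent.as_posix().lower()
    return any(marker in parent for marker in P2P_PATH_MARKERS)


def scan_for_p2p_drops(root):
    """Walk root and return sorted relative paths of candidate drop files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = Path(dirpath, name).relative_to(root).as_posix()
            if is_p2p_drop_candidate(rel):
                hits.append(rel)
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample layout (placeholder text files, not malware):
    two true positives, one name match in a non-matching folder, one benign file."""
    for rel in (
        "Shared Files/winamp 5.7 new!.exe",
        "My Music/Upload/ICQ 2005a new!.exe",
        "Documents/winamp 5.7 new!.exe",
        "Shared Files/readme.txt",
    ):
        full = Path(root) / rel
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_text("constructed placeholder, not malware")


def demo():
    """Build the sample tree in a temp dir and return what the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_p2p_drops(tmp)
```

On a real machine the scan would be pointed at the shared folders of the P2P applications in use rather than a temporary directory.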
Due to the possibility of being infected by Zafi.D, Panda Software advises
users to take precautions and update their antivirus software. Panda Software
has made the corresponding updates available to its clients to detect and
disinfect this new malicious code.
Panda Software's clients can already access the updates for installing the
new TruPrevent Technologies along with their antivirus protection, providing a
preventive layer of protection against this and other new malicious code. For
users with a different antivirus program installed, Panda TruPrevent Personal
is the perfect solution, as it is both compatible with and complements these
products, providing a second layer of preventive protection that acts while
the new virus is still being studied and the corresponding update is
incorporated into traditional antivirus programs, decreasing the risk of
infection. More information about TruPrevent Technologies at
http://www.pandasoftware.com/truprevent.
In addition, users can scan their computers online for free with Panda
ActiveScan, available at http://www.pandasoftware.com/ .
For further information about Zafi.D, visit Panda Software's Virus
Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=56161
About PandaLabs
On receiving a possibly infected file, Panda Software's technical staff
get straight down to work. The file is analyzed and depending on the type,
the action taken may include: disassembly, macro scanning, code analysis etc.
If the file does in fact contain a new virus, the disinfection and detection
routines are prepared and quickly distributed to users.
For more information: http://www.pandasoftware.com/virus_info/
For more information:
Alan Wallace
pr@pandasecurity.com
Tel. (818) 543-6909