Zafi.D - High Risk at Secunia

Published Thu, Dec 16 2004 16:59

The new Zafi.D worm is spreading rapidly and has earned a high-risk rating from security company Secunia, which combines write-ups from various vendors and assigns each threat a risk level.

Zafi.D was discovered on Tuesday and has since maintained a relatively steady spread rate, which has lately declined slightly. Antivirus company Sophos, according to BBC News (WARNING: mildly offensive smilies within), estimates that at its peak on Tuesday evening the worm accounted for 10% of all emails sent.

One of the most notable features of Zafi.D is its multilingual abilities, which have helped other worms spread more widely. Language is one of the more interesting aspects of virus spread: it allowed the Japanese worm FBound.C to become a worldwide outbreak with huge spread in western Europe, Canada, and the United States in March 2002, after curious people opened the worm's attachment because its message appeared to them as junk text. It also allowed the Mexican worm Mapson to become prevalent in the summer of 2003 among Hotmail users, especially in communities with both Spanish and English speakers.

Perhaps more likely to facilitate the spread is the image of two smiley faces copulating between the words “Happy Hollydays [sic].” Contrary to what it should do (be a red flag that something is up), childishly semi-offensive imagery like this simply increases the chances that the worm will spread further. The Christmas theme only adds to this.

Once it gets onto your machine, Zafi.D is a fairly standard, not incredibly damaging worm. Like most worms of its day, it contains its own mail-sending engine to spread itself and harvests email addresses from the host machine in the usual way (searching through files on the machine). Also featured are the now-standard P2P spreading capabilities and the equally common ability to shut down security programs.

I have received conflicting reports about the language abilities of Zafi.D; one report says that “outgoing email message bodies are either in English or Hungarian” while another gives an example of the outgoing message body being in German. Despite the minor successes of local Hungarian worms like Magold, it is doubtful that adding Hungarian message bodies to the worm would increase its spread all that significantly over just using English.

December is typically a breeding ground for holiday-related worms, such as Navidad, which appeared in November 2000 and became a major problem the month after, and the Ska (Happy99) worm, which offered a greeting for the 1999 New Year and inexplicably remained one of the most common worms through 2001.

The moral of the story is, as usual: avoid opening Christmas cards from friends you never knew you had, or for that matter from friends who probably would not be sending you Christmas cards in some weird sort of sub-English. And, of course, any attachment, no matter who it is from, should be regarded with extreme suspicion.

Happy holidays, everyone, and please do be safe. :)

Resources for Zafi.D
McAfeeHelp.com - My fellow MVPs Harry Waldron and Jurren Bouman have here compiled a list of many known write-ups for Zafi.D, as well as news stories. An excellent portal to information for this threat.