Bah Humbug Virus

December 16, 2004

Apparently virus writers don't like Christmas very much. An email worm posing as a Christmas greeting began spreading early yesterday. Zafi-D arrives as an email with an infected attachment. The message can be written in a variety of languages, such as English, Spanish and Russian, though antivirus firms believe the worm was created in Hungary.

Typically, the infected emails have subject lines such as 'FW: Merry Christmas', 'Happy HollyDays!' and 'Feliz Navidad!'. Embedded inside each email is a crude animated GIF graphic of two 'smiley' faces. The attachment name is made up of the word “postcard” in the respective language, random numbers and the extension .pif, .cmd, .bat, or .com. Windows users who open the attached file get infected.

The virus then harvests email addresses from compromised machines and uses its own SMTP engine to spread. It also attempts to spread through P2P networks and to terminate firewall and antivirus applications on infected machines. Several Windows tools, such as Task Manager and Registry Editor, are disabled while the worm is active. Even worse, Zafi-D also has a backdoor that listens on port 8181. Crackers can upload and execute files using this backdoor, which turns infected machines into zombies.

Users are being advised, as always, to avoid opening unsolicited emails, even when they come from people they trust. In addition, keeping antivirus software up to date is key.
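The attachment extensions and subject lines quoted above translate directly into a mail-gateway check. The following is an added example, not code from the article or from any antivirus vendor; the function names, sample addresses and sample filenames are constructed for illustration. It quarantines on the executable extension alone and treats a matching subject line only as supporting evidence, since subjects are trivial for a worm to vary.

```python
import email
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions and subject lines are the ones quoted in the article.
BLOCKED_EXTENSIONS = {".pif", ".cmd", ".bat", ".com"}
KNOWN_SUBJECTS = {"fw: merry christmas", "happy hollydays!", "feliz navidad!"}


def inspect_message(raw: bytes) -> dict:
    """Return a quarantine decision and the reasons behind it."""
    msg = email.message_from_bytes(raw)
    reasons = []
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in KNOWN_SUBJECTS:
        reasons.append("subject matches reported lure")
    blocked = False
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Only the final extension decides how Windows runs the file, so
        # "card.jpg.cmd" counts as .cmd. Trailing dots and spaces are
        # stripped first because Windows ignores them in file names.
        ext = PurePosixPath(name.strip().rstrip(". ")).suffix.lower()
        if ext in BLOCKED_EXTENSIONS:
            blocked = True
            reasons.append(f"executable attachment: {name}")
    return {"quarantine": blocked, "reasons": reasons}


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message; the attachment is harmless placeholder bytes."""
    m = EmailMessage()
    m["From"] = "friend@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("Greetings!")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    # Constructed filename following the pattern the article describes.
    print(inspect_message(build_sample("FW: Merry Christmas", "postcard.4821.PIF")))
    print(inspect_message(build_sample("Quarterly report", "report.pdf")))
```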

