Thread: Internet worm disguises itself as e-Christmas card

  1. #1
    Senior Member Max's Avatar
    Join Date
    Jul 2001
    Location
    Montreal,Province of Quebec, CANADA
    Posts
    15,036

    Internet worm disguises itself as e-Christmas card
    Last Updated Tue, 14 Dec 2004 18:40:28 EST
    HELSINKI - Internet security experts are warning about a mass-mailing worm with the subject line "Merry Christmas" or "Happy Holidays."

    The worm, called W32/Zafi.d@MM or Zafi.d, appears to be an electronic greeting card from someone the recipient knows.


    Worm exploits interest in electronic Christmas cards.
    Two computer security firms, McAfee Inc. and Trend Micro, raised their risk assessments for the worm to medium on Tuesday.

    Zafi.d spreads itself using e-mail lists on contaminated computers.

    Written by CBC News Online staff

    http://www.cbc.ca/story/science/nati...orm041214.html



    http://stores.ebay.com/MAKSYM-Variety-Store

    [This message was edited by Paul Nussbaum on 12-15-04 at 07:30 PM.]

  2. #2
    I got a warning about this worm today from a-squared, a malware detector, so thought I'd post it.

    The warning:


    "Warning! Worm.Win32.Zafi.D!

    The fourth variant of the Zafi worm has been spreading since yesterday. Worm.Win32.Zafi.D has a size of 11,745 bytes and is packed with FSG. It spreads via email as a Christmas greeting and also via file sharing networks. In addition to the spreading mechanism, Worm.Win32.Zafi.D installs a backdoor on the computer which enables remote administration of the machine.

    A more detailed description of the worm can be found at the a² Malware Database:
    http://www.emsisoft.com/en/malware/?Worm.Win32.Zafi.D

    Zafi.D can be detected and removed with a² Free and a² Personal with the latest signature updates. The latest version of the a² Personal background guard will block the worm if it is started. Please run the a² Online-Update immediately and ensure that the new automatic update feature in a² Personal is enabled.

    Sincerely yours,

    Your a² Team"


    The details:

    "a² Malware-Info: Worm.Win32.Zafi.D
    General
    Worm.Win32.Zafi.d is a worm that spreads using filesharing tools and emails. The worm is compressed using FSG and has a size of 11,745 bytes.

    As soon as Worm.Win32.Zafi.D is started, it copies itself to the Windows System directory using the file name "Norton Update.exe". To ensure its startup on every reboot of the computer it uses the following registry key:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Wxp4"="%system%\Norton Update.exe"

    The worm creates several other files with packed copies of itself or with components the worm uses. These files are:

    %system%\ .DLL
    C:\s.cm

    Spreading

    Worm.Win32.Zafi.D searches for files whose extensions contain one of the following strings to extract mail addresses from them:

    htm
    wab
    txt
    dbx
    tbb
    asp
    php
    sht
    adb
    mbx
    eml
    pmr
    fpt
    inb

    Email addresses containing one of the following strings will be ignored:

    yaho
    google
    win
    use
    info
    help
    admi
    webm
    micro
    msn
    hotm"

    Can't stop the spirits when they need you/This life is more than just a read thru.-
    Red Hot Chili Peppers
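
Added example (not part of either post or of the a² text quoted above): a Python check that scans a `reg export` text dump for the Run-key persistence described in post #2, matching on the value name "Wxp4" and the file name "Norton Update.exe". The sample export, the "ExampleTray" entry and the function names are constructed for illustration.

```python
import re

# Indicators taken from the a² description quoted in post #2.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
IOC_VALUE_NAME = "wxp4"
IOC_FILE_NAME = "norton update.exe"

# Constructed sample in `reg export` text format (not from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
"Wxp4"="C:\\WINDOWS\\system32\\Norton Update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Wxp4"="C:\\Temp\\unrelated.exe"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def find_zafi_run_entries(export_text):
    """Return (value_name, data, reasons) for Run entries matching the indicators."""
    hits, in_run_key = [], False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY
            continue
        m = VALUE_RE.match(line) if in_run_key else None
        if not m:
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        reasons = []
        if name.lower() == IOC_VALUE_NAME:
            reasons.append("value name")
        # Compare only the file name, so any expansion of %system% matches.
        if data.rsplit("\\", 1)[-1].lower() == IOC_FILE_NAME:
            reasons.append("file name")
        if reasons:
            hits.append((name, data, reasons))
    return hits

if __name__ == "__main__":
    for name, data, reasons in find_zafi_run_entries(SAMPLE_EXPORT):
        print(f"{name} -> {data} (matched: {', '.join(reasons)})")
```

Only the HKEY_LOCAL_MACHINE Run key named in the description is checked; the same value name under RunOnce in the sample is deliberately not reported.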
