
Thread: Virus poses as Christmas e-mail (Zafi.D)

  1. #1
    AntiOnline n00b
    Join Date
    Feb 2004

    Virus poses as Christmas e-mail (Zafi.D)


    Santa You too ........

    Security firms are warning about a Windows virus disguising itself as an electronic Christmas card.

    The Zafi.D virus translates the Christmas greeting on its subject line into the language of the person receiving infected e-mail.

    Anti-virus firms speculate that this multilingual ability is helping the malicious program spread widely online.

    Anti-virus firm Sophos said that 10% of the e-mail currently on the net was infected with the Zafi virus.

    International threat

    Like many other Windows viruses, Zafi-D plunders Microsoft Outlook for e-mail addresses and then uses mail-sending software to despatch itself across the web to new victims.

    To be infected users must open up the attachment travelling with the message which bears the code for the malicious bug.

    The attachment on the e-mail poses as an electronic Christmas card but anyone opening it will simply get a crude image of two smiley faces.

    The virus' subject line says "Merry Christmas" and translates this into one of 15 languages depending on the final suffix of the e-mail address the infected message has been sent to.

    The message in the body of the e-mail reads: "Happy Holidays" and this too is translated.

    On infected machines the virus tries to disable anti-virus and firewall software and opens up a backdoor on the PC to hand over control to the writer of the virus.

    The virus is thought to have spread most widely in South America, Italy, Spain, Bulgaria and Hungary.

    The original Zafi virus appeared in April this year.

    "We have seen these hoaxes for several Christmases already, and personally I prefer traditional pen and paper cards, and we recommend this to all our clients too," said Mikko Hypponen, who heads F-Secure's anti-virus team.

    • boldog karacsony...
    • Feliz Navidad!
    • Weihnachten card
    • Prettige Kerstdagen
    • Christmas pohlednice
    • Joyeux Noel!
    • Buon Natale!
    • Christmas Vykort!

    This new variant contains the following characteristics:

    * contains its own SMTP engine to construct outgoing messages
    * spoofs the From: address
    * harvests target email addresses from the victim machine
    * outgoing email message body is either in Hungarian or English
    * displays p2p worm behaviour
    * shuts down security services

    Mail Propagation

    The worm can send itself as an attachment in email with any of the following extensions: ZIP, CMD, PIF, BAT or COM.

    The worm avoids sending itself to certain email addresses, those containing any of the following strings:

    * yaho
    * google
    * win
    * use
    * info
    * help
    * admi
    * webm
    * micro
    * msn
    * hotm
    * suppor
    * syman
    * viru
    * trend
    * secur
    * panda
    * cafee
    * sopho
    * kasper

    The body of the email sent by the worm is in the form of Christmas greetings. Like previous variants, the worm sends itself out in different languages depending on the Top Level Domain (TLD) of the recipient's address. For example, a user with a .COM mail address will receive the English mail body, while someone with a .DE mail address will receive the German body.
    Trend Micro

    --Good Luck--
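
A defender-side triage of the traits listed in this post, as an added example that is not part of the original post or of any vendor's tooling: it flags mail whose attachment ends in one of the listed extensions and whose subject contains one of the quoted greetings. The function names, verdict labels, addresses and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment extensions the post lists for this variant.
RISKY_EXT = {"zip", "cmd", "pif", "bat", "com"}
# Greetings quoted in the post (lower-cased, punctuation dropped).
GREETINGS = ("merry christmas", "boldog karacsony", "feliz navidad",
             "weihnachten card", "prettige kerstdagen", "christmas pohlednice",
             "joyeux noel", "buon natale", "christmas vykort")

def risky_attachments(msg):
    """Return attachment names whose final extension is in RISKY_EXT."""
    hits = []
    for part in msg.iter_attachments():
        # Windows drops trailing dots and spaces from file names, so strip them first.
        name = (part.get_filename() or "").rstrip(". ")
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXT:
            hits.append(name)
    return hits

def triage(raw):
    """Classify one raw RFC 5322 message as quarantine / hold / deliver."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").lower()
    files = risky_attachments(msg)
    if files and any(g in subject for g in GREETINGS):
        return "quarantine", files   # listed extension plus listed greeting
    if files:
        return "hold", files         # listed extension alone (ZIP is often legitimate)
    return "deliver", files          # greeting without an attachment has nothing to open

def sample(subject, filename=None):
    """Build a constructed test message; not real worm traffic."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.de", subject
    m.set_content("Happy Holidays")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fn in [("Merry Christmas!", "greeting.card.pif."), ("Q4 report", "report.zip"),
                     ("Buon Natale!", None), ("Photos", "tree.png")]:
        print(subj, fn, triage(sample(subj, fn)))
```

Because the worm spoofs the From: address, the sender field is deliberately not used as a signal here.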

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Hopefully people get AV for Christmas before they get the e-mail.

    Symantec has it up to a 3. http://www.symantec.com/avcenter/ven...rkez.d@mm.html
    "You got a mouth like an outboard motor..all the time putt putt putt" - Foghorn Leghorn

  3. #3
    Senior Member
    Join Date
    Jul 2003
    I guess this is a virus-old ruse and this year should be no surprise. Some semi-aware computer users know to be suspicious of e-mail coming from unknown sources and they can usually easily spot spam in their inbox. However they can get fooled by such a ploy because it simply appeals to them.

    It's all in the marketing!

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Ahhh.... yes... The annual Christmas greetings from our friends the malware authors.... Every year same greeting different malware.... You'd think people would be getting sensitized by now.... Naaahhh, silly me... The last time they got infected was a whole year ago.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington

    You can neg me out on this one guys............not only was it an attachment...........I stole it from a fellow AOer

    It is going down very well in .gov, .mil, and .edu circles...............well one has to keep that lot doing something useful (MsM will now neg me, as will all the current and former forces types )

    Years ago I did something really bad........................OK it involved a case of Michelob or two.........the United States Air Force, and some guys with a great sense of humour (humor?)............

    My "Application form for the position of test pilot in a cruise missile squadron", went down really well, but produced a purely unintentional (honest!) DoS attack..........as everyone sent it to everyone else

    Ack phtt

  6. #6
    Join Date
    Apr 2003
    Well, I pass around the April Fools Internet Cleanup Day thing, near that time of year, to a few select system admins. Just to get the reaction. Then I remind them that it is a joke. Works every time. Go figure.

    BTW, nihil, when do you sleep?

  7. #7
    AntiOnline n00b
    Join Date
    Feb 2004

    okay bartender pass me whatever that Guy is drinking will ya ...............that one over there wearing a Santa suit

    Well someone is in Christmas mood already .............With all that Singing and dancing on that Cute little bear

    Well Merry Christmas ....................Keep your AV updated and don't open Suspicious looking E-mails .......................even if it says straight from Mr Santa Himself ..

    --Good Luck--
