Hi,


Santa You too ........

Security firms are warning about a Windows virus disguising itself as an electronic Christmas card.

The Zafi.D virus translates the Christmas greeting on its subject line into the language of the person receiving infected e-mail.

Anti-virus firms speculate that this multilingual ability is helping the malicious program spread widely online.

Anti-virus firm Sophos said that 10% of the e-mail currently on the net was infected with the Zafi virus.

International threat

Like many other Windows viruses, Zafi-D plunders Microsoft Outlook for e-mail addresses and then uses mail-sending software to despatch itself across the web to new victims.

To be infected, users must open the attachment travelling with the message, which bears the code for the malicious bug.

The attachment on the e-mail poses as an electronic Christmas card but anyone opening it will simply get a crude image of two smiley faces.

The virus' subject line says "Merry Christmas" and translates this into one of 15 languages depending on the final suffix of the e-mail address the infected message has been sent to.

The message in the body of the e-mail reads: "Happy Holidays" and this too is translated.

On infected machines the virus tries to disable anti-virus and firewall software and opens up a backdoor on the PC to hand over control to the writer of the virus.

The virus is thought to have spread most widely in South America, Italy, Spain, Bulgaria and Hungary.

The original Zafi virus appeared in April this year.

"We have seen these hoaxes for several Christmases already, and personally I prefer traditional pen and paper cards, and we recommend this to all our clients too," said Mikko Hypponen, who heads F-Secure's anti-virus team.


ZAFI-D SUBJECT LINES
  • boldog karacsony...
  • Feliz Navidad!
  • Weihnachten card
  • Prettige Kerstdagen
  • Christmas pohlednice
  • Joyeux Noel!
  • Buon Natale!
  • Christmas Vykort!

This new variant contains the following characteristics:

* contains its own SMTP engine to construct outgoing messages
* spoofs the From: address
* harvests target email addresses from the victim machine
* outgoing email message body is either in Hungarian or English
* displays p2p worm behaviour
* shuts down security services

Mail Propagation

The worm can send itself as an attachment in email with any of the following extensions: ZIP, CMD, PIF, BAT or COM.

The worm avoids sending itself to certain email addresses, those containing any of the following strings:

* yaho
* google
* win
* use
* info
* help
* admi
* webm
* micro
* msn
* hotm
* suppor
* syman
* viru
* trend
* secur
* panda
* cafee
* sopho
* kasper

The body of the email sent by the worm is in the form of Christmas greetings. Like previous variants, the worm sends itself out in different languages depending on the Top Level Domain (TLD) of the recipient's address. For example, a user with a .COM mail address will receive the English mail body, while someone with a .DE mail address will receive the German body.

Source: Trend Micro



--Good Luck--
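
A mail-filter check built from the indicators quoted above (the listed subject lines plus the ZIP, CMD, PIF, BAT and COM attachment extensions), as an added example that is not part of the original post or of any vendor's tooling. The function names, addresses and file names are assumptions made up for the demo, and the sample messages are constructed.

```python
import email
import unicodedata
from email import policy
from email.message import EmailMessage

# Indicators copied from the post above: subject lines and attachment extensions.
SUBJECTS = ("merry christmas", "boldog karacsony", "feliz navidad",
            "weihnachten card", "prettige kerstdagen", "christmas pohlednice",
            "joyeux noel", "buon natale", "christmas vykort")
EXTENSIONS = (".zip", ".cmd", ".pif", ".bat", ".com")

def fold(text):
    """Lower-case and strip accents so 'Noël' matches the listed 'Noel'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()

def score_message(raw):
    """Report which of the described traits a raw RFC 5322 message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = fold(str(msg.get("Subject", "")))  # policy.default decodes RFC 2047
    subject_hit = any(s in subject for s in SUBJECTS)
    risky = []
    for part in msg.walk():  # walk() also reaches parts marked inline
        name = part.get_filename()
        if name and fold(name).endswith(EXTENSIONS):
            risky.append(name)
    return {"subject_hit": subject_hit, "risky_attachments": risky,
            "quarantine": subject_hit and bool(risky)}

def build_sample(subject, filename=None):
    """Constructed message for the demo; addresses and file names are made up."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.de", subject
    m.set_content("Happy Holidays")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fname in [("Buon Natale!", "postcard.pif"),
                        ("Joyeux Noël!", "card.jpg.zip"),
                        ("Feliz Navidad!", None),
                        ("Quarterly report", "report.zip")]:
        print(subj, score_message(build_sample(subj, fname)))
```

The rule quarantines only when both traits appear together, since a seasonal subject or a ZIP attachment alone is common in legitimate mail.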