Thursday, December 16, 2004

Zafi Virus Strikes Millions Of Computers Worldwide

What is it?

Offering a fake holiday greeting, W32/Zafi.d@MM is a Medium Risk mass-mailing worm that arrives as an email attachment. When run, the worm displays a fake error message (Error in packed file!), infects the host computer and emails itself to stolen email addresses using the infected computer's Internet connection.

Like previous variants, the worm sends itself in different languages depending on the recipient's address. For example, a .COM mail address receives an English message, a .DE mail address receives German.

Note: To fortify your anti-virus defense against threats like W32/Zafi.d@MM that need Internet access to spread, we recommend installing McAfee Personal Firewall Plus.

What should I look for?
FROM: Varies (forged addresses taken from infected system)
SUBJECT: Example: Fw: Merry Christmas!
BODY: Example: Happy Hollydays!
ATTACHMENT: Example: postcard.php8583.zip

How do I know if I've been infected?
Fake error message displayed. Alerts from a desktop firewall (if installed) that a new application is asking for Internet access. TCP port 8181 open on the infected system.

How do I find out more?
View details about W32/Zafi.d@MM here.

Current Threat
W32/Zafi.d@MM: Medium Risk. Current VirusScan users with DAT 4414 are protected from this threat. FreeScan checks for W32/Zafi.d@MM.

Install the Latest Protection
Current Subscribers
1. Connect to the Internet.
2. Right-click the icon in your system tray.
3. Click Updates.

Note: We recommend setting your service to Automatic Update.

VirusScan 8.x Owners
Renew your current DAT subscription.

VirusScan 7.x or prior Retail Product Owners
Visit our Upgrade Center to order new VirusScan 2005.

New Users
Download new McAfee VirusScan now for year-round PC protection from the latest viruses and worms.
Or try it free for 15 days.

Find free antivirus solutions and free online virus scans at Spam Virus Help

ORANGE ALERT: Three variants of the Atak worm join Zafi.D in wishing users a "Merry Christmas"

Virus Alerts, by Panda Software (http://www.pandasoftware.com)

MADRID, December 15, 2004 - PandaLabs has detected the appearance of variants H, I and J of the Atak worm, which spread in messages that pass themselves off as Christmas greetings.

These are similar to the Zafi.D worm, which appeared yesterday and also uses the same type of social engineering technique to spread.

The new variants of the Atak worm are very similar to one another, differing only in aspects such as the size of the file attached to infected email messages.

However, due to a programming error, Atak.J cannot send itself out.

Panda Software clients who already have the new TruPrevent Technologies installed have been protected against all of this malicious code since it first emerged, as these preventive technologies have been able to detect and block it without needing to be able to identify it first.

(more information about the new TruPrevent Technologies at http://www.pandasoftware.com/truprevent).

The new variants of Atak reach computers in email messages with the subject "Merry X-Mas!" or "Happy New Year!" and the message text "Happy New year and wish you good luck on next year!" or "Mery Chrismas & Happy New Year! 2005 will be the beginning!"

What's more, the address of the sender of the messages is spoofed, as they use the addresses they collect from other infected computers.

The attachment is always compressed in zip and contains a file that could be called bat, com, pif or scr. If the user runs this file, the worms create copies of themselves in the Windows system directory under the name dec25.exe.

At the same time, they use their own SMTP engine to send themselves out to all the addresses they find in files with certain extensions stored on the affected computer.
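The message pattern described in these alerts can be checked at a mail gateway or over a mailbox export. The sketch below is an added example, not code from McAfee or Panda Software: it flags the quoted subject lines and any zip attachment holding a bat, com, pif or scr file. It assumes those four names are file extensions; the function names and the `card.zip` sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Example subjects quoted in the alerts above; matching is case-insensitive.
SUBJECTS = {"merry x-mas!", "happy new year!", "fw: merry christmas!"}
RISKY_EXTS = {".bat", ".com", ".pif", ".scr"}  # assumption: treated as extensions

def risky_zip_members(data: bytes) -> list:
    """Names inside a zip whose last extension is one of RISKY_EXTS."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []  # not a readable zip: nothing to report here
    return [n for n in names if PurePosixPath(n).suffix.lower() in RISKY_EXTS]

def inspect_message(raw: bytes) -> list:
    """Return the reasons a raw RFC 5322 message matches the alert pattern."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in SUBJECTS:
        reasons.append("subject: " + subject)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            for member in risky_zip_members(payload):
                reasons.append("zip %s contains %s" % (name, member))
    return reasons

def build_sample(subject: str, inner_name: str) -> bytes:
    """Constructed test message; the zip member is harmless placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "placeholder, not an executable")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Happy New year and wish you good luck on next year!")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="card.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(inspect_message(build_sample("Merry X-Mas!", "greeting.txt.scr")))
```

A subject match alone is weak evidence at this time of year; the zip-member check is the stronger signal, since it still fires when the subject or attachment name varies.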

"We are witnessing an attempt (we don't know if it is organized or not) to saturate users' inboxes with a huge number of virus-infected Christmas greetings.

This is obviously a significant threat to computers that are not properly protected, as the probability of being hit by one of these new pieces of malicious code is very high, especially considering that at this time of the year, it is not unusual to receive a large number of emails of this kind.

However, it is also possible that, over the next few hours, other viruses that use the same technique will appear.

For this reason, it is highly recommendable to take precautions when opening email messages," explains Luis Corrons, head of PandaLabs.

The Zafi.D worm, which spreads in a message with the text Happy holidays! written in the language of the recipient of the email, is still spreading around the globe and causing incidents in users' computers.

In fact, it has been the virus most frequently detected by the free online antivirus Panda ActiveScan for a few hours now.

What's more, the difference between the percentage of detections of this worm and the second malicious code in the ranking is growing.

To prevent Zafi.D from reaching epidemic levels, Panda Software has released its free PQREMOVE utility, which detects and eliminates Zafi.D from all the computers it may have infected. This tool can be downloaded from: http://www.pandasoftware.com/download/utilities.

Due to the high possibility of being infected by Zafi.D or the new variants of Atak, Panda Software advises users to take precautions with any email messages they receive and to update their antivirus software.

Panda Software has made the corresponding updates available to its clients to detect and disinfect this new malicious code. Panda Software's clients can already access the updates for installing the new TruPrevent Technologies along with their antivirus protection, providing a preventive layer of protection against this and other new malicious code.

For users with a different antivirus program installed, Panda TruPrevent Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the new virus is still being studied and the corresponding update is incorporated into traditional antivirus programs, decreasing the risk of infection.

More information about TruPrevent Technologies at http://www.pandasoftware.com/truprevent

In addition, users can scan their computers online for free with Panda ActiveScan, available at http://www.pandasoftware.com/

For further information about the Atak and Zafi.D worms, visit Panda Software's Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia

ORANGE ALERT: Zafi.D is spreading rapidly and is already the virus most frequently detected by Panda ActiveScan

- Virus Alerts, by Panda Software (http://www.pandasoftware.com)

MADRID, December 15, 2004 - According to data gathered by the free online antivirus Panda ActiveScan, the Zafi.D worm, which appeared just yesterday, is already the most frequently detected virus around the globe, mainly in South America and Europe, where the most affected countries are Italy, Spain, Bulgaria and Hungary.

This worm spreads in a file attached to email messages containing the text Happy holidays! As we are in the run up to Christmas, users are sending millions of greetings via email, which is helping Zafi.D to spread widely and rapidly.

To prevent this worm from continuing to spread, especially through computers that do not have adequate anti-malware protection installed, Panda Software has released its free PQREMOVE utility, which detects and eliminates Zafi.D from all the computers it may have infected.

This tool can be downloaded from: http://www.pandasoftware.com/download/utilities.

Zafi.D is a multi-lingual worm: it can adapt the language of the message to the domain of the email address it is being sent to. For example, a German-speaking user will receive the message in German. This significantly increases the capacity of this worm to spread.

"Zafi.D is a typical example of a worm that takes advantage of important dates to spread as widely as possible. This has happened in the past, and therefore, we were not surprised when it emerged. However, Zafi.D uses social engineering effectively, above all in adapting the message to the recipient's language, who will not be surprised to receive Christmas greetings from companies, family and friends which include an animation," explains Luis Corrons, head of PandaLabs.

What's more, Zafi.D can be used to gain control of affected computers, as it opens a backdoor in affected computers through a communications port. This allows an attacker to connect to the port and gain remote control of the affected computer.

Due to the high possibility of being infected by Zafi.D, Panda Software advises users to take precautions with any email messages they receive and to update their antivirus software.

Panda Software has made the corresponding updates available to its clients to detect and disinfect this new malicious code. Panda Software clients who already have the new TruPrevent Technologies installed have been protected since the worm first emerged, as these preventive technologies have been able to detect and block Zafi.D without needing to be able to identify it first (more information about the new TruPrevent Technologies at http://www.pandasoftware.com/truprevent).

Users can scan their computers online for free with Panda ActiveScan, available at http://www.pandasoftware.com/

For further information about Zafi.D, visit Panda Software's Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=56161