Zafi.B worm threat upgraded

A new variant of the Zafi e-mail worm, first found in the wild last Friday, has been upgraded to radar level two alert.

The Zafi.B worm comes in a host of European languages, and can shut down a PC’s anti-virus (AV) program, says F-Secure product manager Mikael Albrecht. “This worm is tricky, as it has a feature that can close down firewalls and AV programs in order to help itself spread further.”

Not isn’t this wonderful! Just what we need to get the week off on the right note.

Myroff explains that Zafi.B is being sent along with a political message, much like its predecessor, Zafi.A. “It’s basically a political message against the Hungarian government, calling for the legalising of the death penalty.”

The worm then scans through all directories in the system and replicates as either ‘winamp 7.0 full_install.exe’ or ‘Total Commander 7.0 full_install.exe’ to all folders that contain ‘share’ or ‘upload’ in their name. Albrecht says it also terminates all applications that have ‘firewall’ or ‘virus’ in their filename.

While the virus poses a threat, Myroff says it is basically a “typical” worm, and should start tapering off soon. “This virus is not like a Sasser worm, it is more of your standard type. As the patches start becoming available from the vendors, which would stop it at the gateway and prevent it spreading, I’m sure the virus will start decreasing in prevalence soon.”

That’s comforting, but the difference here is that it replicates as .exe files. Can you imagine a virus that replaces the .exe file to MS Word or MS Excel? Nasty stuff.