Holiday Virus

Pat

CURRENT THREAT W32/Zafi.d@MM
Medium Risk

Current VirusScan users with DAT 4414 are protected from this threat.



What Is It?

Offering a fake holiday greeting, W32/Zafi.d@MM is a Medium Risk
mass-mailing worm that arrives as an email attachment. When run, the worm
displays a fake error message (Error in packed file!), infects the host
computer and emails itself to stolen email addresses using the infected
computer's Internet connection.

Like previous variants, the worm sends itself in different languages
depending on the recipient's address. For example, a .COM mail address
receives an English message, a .DE mail address receives German.

What should I look for?

* FROM: Varies (forged addresses taken from infected system)
* SUBJECT: Example: Fw: Merry Christmas!
* BODY: Example: Happy Hollydays!
* ATTACHMENT: Example: postcard.php8583.zip

How do I know if I've been infected?

Fake error message displayed. Alerts from a desktop firewall (if installed)
that a new application is asking for Internet access. TCP port 8181 open on
the infected system.
 
Gabriele Neukam

On that special day, Pat, ([email protected]) said...
infects the host
computer and emails itself to stolen email addresses using the infected
computer's Internet connection.

Not only that; it shuts down processes which have names that contain
"...virus..." or "...firewall...", grabs the msconfig, regedit, and
taskman programs exclusively, so that you can't reach them any more,
and opens a backdoor at port 8181, waiting for commands to download and
install more backdoor programs.

A full featured RAT-worm.

Take care,


Gabriele Neukam

(e-mail address removed)
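
A triage check for the open-port symptom mentioned in both posts, added here as an example and not part of either post: it parses Windows `netstat -ano` output and flags only TCP sockets listening locally on 8181, then lists everything else the owning PID has open. The sample output, PIDs, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:8181           0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.20:1063      203.0.113.7:8181       ESTABLISHED     1580
  TCP    192.168.1.20:1071      198.51.100.9:25        ESTABLISHED     2044
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:8181           *:*                                    1200
"""

# proto, local endpoint, remote endpoint, optional state (UDP has none), PID
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$")

def port_of(endpoint):
    """Port from 'addr:port' or '[v6]:port'; None for the UDP wildcard '*:*'."""
    tail = endpoint.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None

def parse_netstat(text):
    """Turn netstat rows into dicts, skipping headers and blank lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "remote": remote,
                         "lport": port_of(local), "state": state, "pid": int(pid)})
    return rows

def find_listeners(text, port=8181):
    """TCP sockets LISTENING on the local port; a remote :8181 does not count."""
    return [r for r in parse_netstat(text)
            if r["proto"] == "TCP" and r["state"] == "LISTENING" and r["lport"] == port]

def sockets_of(text, pid):
    """Every socket owned by a PID, to review what else a flagged process does."""
    return [r for r in parse_netstat(text) if r["pid"] == pid]

if __name__ == "__main__":
    for hit in find_listeners(SAMPLE_NETSTAT):
        print("listener on 8181, PID", hit["pid"])
        for s in sockets_of(SAMPLE_NETSTAT, hit["pid"]):
            print("   ", s["proto"], s["local"], "->", s["remote"], s["state"])
```

A hit is a lead rather than a verdict, since other software can listen on 8181; map the PID to its executable before drawing a conclusion.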
 
