Press Releases

Browse our press release archive

28 Oct 2004

Son of Zafi email worm attacks Hungarian Prime Minister, Sophos reports on virus with a political agenda

Ferenc Gyurcsany
The Zafi-C worm launches a denial of service attack against the Hungarian Prime Minister's website.

Anti-virus experts at Sophos have detected a new email worm which attempts to knock the website of the newly appointed Hungarian Prime Minister off the internet.

The W32/Zafi-C worm spreads via email using subjects lines such as "Re: Hey buddy!" and "Re: very sick little girl!" in an attempt to lure users into launching its malicious attachment.

If users run the attached file, it can launch a distributed denial of service attack against the website of the Prime Minister of Hungary. Sophos believes the virus may have been motivated by the millionaire businessman Ferenc Gyurcsany forming a government in Hungary earlier this month. The worm can also attack the websites of Google and Microsoft.

The Zafi-C worm uses a variety of social engineering tricks to try and pique the interest of recipients, and encourage them to click on the dangerous attachment. The messages included in the emails sent by the virus take a number of disguises including:

Please, send forward this letter, and you can give a little hope to a very sick little girl, who is dying in the hospital, in 2004. Please read the full story, and send forward!!
(xxxx)

Your lover is waiting for you tomorrow, so please hurry,hurry because..
(xxxx)

Miss you baby!
Whats you doing tomorrow? I`m off, so... I thought maybe we can... Call me okay, before it`s too late...
(xxxx)

"Each new version of the Zafi worm we see has become more sophisticated and more malicious in its intent," said Graham Cluley, senior technology consultant for Sophos. "The good news is that at the moment Zafi-C is not spreading at anything like the rate of its predecessor, but companies should still ensure they are keeping their anti-virus up-to-date and practice safe computing at all times."

The previous version of the Zafi worm, Zafi-B, has continued to spread spread widely since June with a message calling for the death penalty to be introduced in Hungary.

"The Hungarian author of the Zafi worm has been very successful in the past in spreading his viruses," continued Cluley. "Hopefully computer users are becoming more suspicious of unsolicited emails and are more vigilant about protecting their PCs from attack."

Sophos recommends companies protect their email gateways with a consolidated solution to thwart the virus and spam threats as well as secure their desktop and servers with automatically updated anti-virus protection.

Other viruses which have spread a political message:

W32/Cycle-A 
Displays a message complaining about the quality of life in Iran.

W32/Zafi-B 
Calls for the introduction of the death penalty in Hungary.

W32/Zafi-A 
Displays a message calling for Hungarian patriotism, timed to coincide with the country joining the European Union.

W32/Quaters-A 
Launches a scathing attack on British Prime Minister Tony Blair and attempts to knock the Downing Street website off the internet.

W32/Colevo-A 
Redirects the web browsers of infected computers to a variety of pictures of Evo Morales, leader of the Bolivian coca leaf growers' union and runner-up in 2002's presidential elections.

W32/Vote-A 
Calls for a vote on whether America should go to war against the followers of Islam.

W32/Yaha-Q 
Apparently written in response to attacks on Indian websites, this worm not only attempts to launch a denial of service attack against five Pakistani websites, but also contains a number of inflammatory messages directed at Pakistani hackers.

W32/Yaha-E 
Launches a denial-of-service attack against a Pakistani government website.

Mawanella worm (also known as VBS/VBSWG-Z) 
Displays a message describing the burning down of two mosques and one hundred Muslim-owned shops in Mawanella, Sri Lanka.

Injustice worm (also known as VBS/Staple-A) 
Opens a number of pro-Palestinian websites and describes the alleged murder of a 12-year-old Palestinian child at the hands of Israeli soldiers. In addition, the worm spams itself to members of the Israeli government.

W32/Caric-A 
Poses as a cartoon screensaver of former US President Bill Clinton playing the saxophone. An item of female underwear emerges from the bottom of the instrument.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.