Latest Zafi worm spreading in the wild as email Christmas greeting, Sophos reports

December 14, 2004 Sophos Press Release

Zafi-D is nothing to smile about, as mass-mailing virus spreads Christmas fear rather than cheer.

The Zafi-D worm can embed an animated image of two "smileys" into its malicious emails.

Anti-virus experts at Sophos have detected a new in-the-wild email worm which is spreading via email disguised as a Christmas greeting.

The W32/Zafi-D worm, which is believed to have been written in Hungary, spreads an attached file inside emails offering seasonal greetings to the recipient. The emails can use a variety of different languages including English, French, Spanish and Hungarian.

Emails can contain messages such as "FW: Merry Christmas", "Joyeux Noel!" and "Feliz Navidad!". Embedded inside the email is a crude animated GIF graphic of two "smiley" faces.

If the attached viral file is launched, the Zafi-D worm displays an error message ("CRC: 04F6Bh Error in packed file!") in an attempt to fool the user into believing that it was simply a program that failed to work properly, rather than a disguise for a virus infection.

A typical message sent by the W32/Zafi-D worm

"Despite its disguise, Zafi-D isn't much of a Christmas present. Users who open the attached file will trigger the virus into action, infecting their PC and potentially opening it up to hacker attack," said Graham Cluley, senior technology consultant for Sophos. "Heartless hackers and virus writers can attack at any time of year, and every computer user should be on the lookout for unusual emails and be wary of ever opening any unsolicited file they are sent via email."

Sophos advises companies to be as suspicious during the holiday season as they would be at any other time of the year.

"Having a business environment where it's seen to be acceptable to send and receive joke programs, screensavers, and electronic greetings cards increases the risk of virus infection at any time - but can prove particularly risky during the holiday season," continued Cluley. "When your computer data is at risk it may be wiser to avoid electronic well-wishing, and use paper and ink instead."

Sophos recommends that companies protect their email gateways with a consolidated solution to thwart virus and spam threats, and secure their desktops and servers with automatically updated anti-virus protection.

Other versions of the Zafi worm have successfully spread in the wild:

W32/Zafi-C 
Attacked the website of the newly appointed Hungarian Prime Minister.

W32/Zafi-B 
Calls for the introduction of the death penalty in Hungary.

W32/Zafi-A 
Displays a message calling for Hungarian patriotism, timed to coincide with the country joining the European Union.