Dmac Blog

Nothing says “Merry Christmas” like a new variation of the Zafi worm. This worm does spread via emails. Infected emails have subject lines such as ‘FW: Merry Christmas’, ‘Happy HollyDays!’ and ‘Feliz Navidad!’. Embedded inside each email is a crude animated GIF graphic of two ’smiley’ faces. The attachment name is made up of the word “postcard” in the respective language, random numbers and the extension .pif, .cmd, .bat, or .com. Windows users who open the attached file get infected.

Zafi-D collects email addresses from infected machines and uses its own SMTP engine P2P networks to spread. It attempts to shutdown firewall and anti-virus applications on infected machines. Other Windows components will also be disabled like Task Manager and Registry Editor. Even worse, Zafi-D creates a back door on port 8181 so that Crackers can upload and execute files.

So do me a favor this Holliday Season, don’t be gullible.