Zafi Worm Spreading like wildfire

Over 1 in 10 emails on the internet at present are infected with the Zafi.d worm.

It is using the old trick of posing as a XMAS message.

W32/Zafi-D is a peer-to-peer worm. It copies itself to the Windows system folder with the filename Norton Update.exe and creates a number of files in the Windows system folder with filenames consisting of 8 random characters and a DLL extension. Some of these are exact or zipped copies of the worm, detected as W32/Zafi-D, while others are log files created by the worm.

It then harvests email addresses from the Windows Address Book and from files found on the hard drive, and copies itself to folders with names containing share, upload, or music as ICQ 2005a new!.exe or winamp 5.7 new!.exe.
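
The file names described above can be turned into a quick triage check. The Python script below is an added example, not part of the original post or of any vendor removal tool; it assumes "8 random characters" means eight letters or digits, treats those DLL hits as low confidence, and runs against a constructed directory tree of empty placeholder files.

```python
import os
import re
import tempfile

# File and folder names taken from the description above.
SYSTEM_DROPPER = "norton update.exe"
SHARE_LURES = {"icq 2005a new!.exe", "winamp 5.7 new!.exe"}
SHARE_HINTS = ("share", "upload", "music")
# Assumption: "8 random characters" means 8 letters or digits before .dll.
RANDOM_DLL = re.compile(r"^[a-z0-9]{8}\.dll$")

def scan_system_folder(system_dir):
    """Return (high, low) confidence hits in the Windows system folder."""
    high, low = [], []
    for name in sorted(os.listdir(system_dir)):
        path = os.path.join(system_dir, name)
        if not os.path.isfile(path):
            continue
        if name.lower() == SYSTEM_DROPPER:
            high.append(path)
        elif RANDOM_DLL.match(name.lower()):
            # Many legitimate DLLs have 8-character names: review, do not delete.
            low.append(path)
    return high, low

def scan_shared_folders(root):
    """Return lure executables sitting in folders named like file shares."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        folder = os.path.basename(dirpath).lower()
        if not any(hint in folder for hint in SHARE_HINTS):
            continue
        hits += [os.path.join(dirpath, f) for f in sorted(files)
                 if f.lower() in SHARE_LURES]
    return hits

def build_constructed_sample(base):
    """Create a constructed directory tree of empty placeholder files."""
    layout = ["system32/Norton Update.exe", "system32/qwertyui.dll",
              "system32/notes.txt", "My Shared Folder/ICQ 2005a new!.exe",
              "Docs/winamp 5.7 new!.exe", "music/song.mp3"]
    for rel in layout:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        print(scan_system_folder(os.path.join(tmp, "system32")))
        print(scan_shared_folders(tmp))
```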

Removal tools
GUI version
Command Line Version

Published Thursday, December 16, 2004 10:46 AM by Mark Dormer