MSMVPS.COM
The Ultimate Destination for Blogs by Current and Former Microsoft Most Valuable Professionals.

Zafi.B Goes Medium at Secunia

Breaking News: Multi-Lingual Mass-Mailer Outbreak

Secunia has declared a Medium risk alert for the Zafi.B worm reflecting Medium risk ratings from F-Secure, Network Associates, and Panda Software. W32/Zafi.B-mm, which is its technical name, sends email messages in the following languages: Chinese, Czech, Danish, Dutch, English, Finnish, French, German, Hungarian, Italian, Norwegian, Polish, Portuguese, Romanian, Russian, Spanish, and Swedish. Aliases include Erkez.B and Hazafi.

Is it a real world threat?
Zafi.B is known to be spreading at a significant rate in the wild. Although the spread speed is enough to deserve a medium risk, Zafi.B is not yet considered a pandemic and is probably unlikely to become one.

I am infected. What actions should I take?
Fortunately, Zafi.B is not extremely damaging. However, it does overwrite antivirus-related files. Thus, if Zafi.B is activated, any antivirus programs installed on the machine may need to be reinstalled. Tools are available to clean Zafi.B infections. Both Symantec (specific to this worm; 155K) and Network Associates (cleans other common viruses as well; 784K) provide removal utilities.

What can be done to prevent this threat?
Zafi.B only spreads via email and P2P programs. Keep an updated antivirus program and use common sense when opening email. Zafi.B can be recognized fairly easily in email form because it almost always sends itself "To" a female first name (e.g. Eva, Maricia, Anna) and carries an attachment with a fairly long file name containing several extensions. One of the English messages is the sole exception to the first rule: it sends itself to "David." The attachment's final extension is .pif (almost always) or, much more rarely, .com or .exe.
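As an added example (not code from the original post), here is a small Python check that applies the two recognition rules above to an email message: it flags a "To" display name from the list the post gives (plus "David") and an attachment whose name carries several extensions and ends in .pif, .com or .exe. The sample messages and the attachment file name are constructed for the example and are not ones reported for the worm.

```python
import email
from email import policy

# Recipient first names the post says the worm addresses mail to ("David" covers
# the one English exception). Lower-cased for comparison.
SUSPECT_TO_NAMES = {"eva", "maricia", "anna", "david"}
# Final attachment extensions the post lists.
SUSPECT_EXTS = {".pif", ".com", ".exe"}

# Constructed sample: the file name is illustrative, not a known worm attachment name.
SAMPLE = """\
From: sender@example.invalid
To: Anna <anna@example.invalid>
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hi
--b1
Content-Type: application/octet-stream; name="photo.album.jpg.pif"
Content-Disposition: attachment; filename="photo.album.jpg.pif"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

def attachment_indicators(filename):
    """Return the reasons a file name matches the attachment pattern described."""
    parts = filename.lower().split(".")
    reasons = []
    if len(parts) > 2:                       # name.ext1.ext2 -> several extensions
        reasons.append("multiple extensions")
    if "." + parts[-1] in SUSPECT_EXTS:      # final extension is executable
        reasons.append("executable extension ." + parts[-1])
    return reasons

def score_message(raw_message):
    """Return the list of indicators found in one RFC 822 message (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    to_header = msg["To"]
    if to_header is not None and to_header.addresses:
        first_name = to_header.addresses[0].display_name.split(" ")[0].lower()
        if first_name in SUSPECT_TO_NAMES:
            reasons.append("recipient display name '%s'" % first_name)
    for part in msg.iter_attachments():     # only parts marked Content-Disposition: attachment
        reasons.extend(attachment_indicators(part.get_filename() or ""))
    return reasons

if __name__ == "__main__":
    print(score_message(SAMPLE))
```

A message matching both rules is a strong candidate for quarantine, but the check is a heuristic to complement, not replace, an updated antivirus scan.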

Are any user groups more likely to become infected?
Of course, people who open email attachments without scanning them with an updated antivirus program are more likely to become infected with this virus. Its P2P spread is limited to a few file names, so P2P users are not at a much higher risk of infection. As demonstrated by worms such as Sober, users are more likely to open a virus if it arrives in their own language, which may increase infection rates in other countries. The virus does not send itself to any email address on the domains of several antivirus companies and webmail sites, including Yahoo! Mail and Hotmail.

Other Notes
Zafi.B performs Denial of Service attacks on the Hungarian parliament site and the sites of the Hungarian antivirus companies VirusBuster, VirusHirado, and 2F. Informal testing revealed that as of 4:55 PM PDT on Monday, June 14th, 2004, all of these sites appeared to be offline.


Posted Jun 14 2004, 08:02 PM by trafton

