Wednesday, June 16, 2004

There's a pretty sudden and major uptick on our mail servers - and apparently on the mail servers of others - of instances of the Zafi worm/virus attempting to propagate itself. It's particularly pervasive, and while the payload does not appear destructive, it could quickly become a cleanup nightmare, including the possibility of disabling AV software and running in its place. If ever there was a justification for a really good email antivirus product, this is one.

From Panda Software's virus encyclopedia:

Brief Description

Zafi.B is a worm that looks for directories in which antivirus programs are installed. If successful, Zafi.B overwrites the executable files with copies of itself. By doing so, the user will be unprotected against the attack of other malware. So whenever users run the antivirus, they will be running Zafi.B without noticing.

In addition, Zafi.B searches for certain processes, such as the Windows Registry Editor, the Task Manager, etc. If successful, Zafi.B ends them.

Zafi.B spreads via e-mail in a message with variable characteristics that can be written in different languages, and through peer-to-peer file sharing programs (P2P).

Visible Symptoms

Zafi.B is easy to recognize once it has affected the computer, as it attempts to open any of the web sites stored in the following path of the Windows Registry every time it is executed:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

See:

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39333

on CA's web site for info about the worm and how to remove it.

Also see:

http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=48433

on Panda's web site for further info.
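The overwrite behaviour Panda describes leaves a simple forensic trace: every "antivirus" executable on an infected box ends up with identical contents. The script below is an added example (not from this post, CA, or Panda) that flags groups of .exe files sharing one hash across a set of assumed antivirus directories; it builds a constructed sample tree so it runs offline, and in practice you would point it at the real install directories instead.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def hash_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_cloned_executables(av_dirs, min_copies=2):
    """Map sha256 -> paths for .exe files with identical contents across av_dirs.
    Distinct scanner binaries sharing one hash is the overwrite signature."""
    by_hash = defaultdict(list)
    for d in av_dirs:
        for root, _dirs, files in os.walk(d):   # a missing dir yields nothing
            for name in files:
                if name.lower().endswith(".exe"):
                    path = os.path.join(root, name)
                    by_hash[hash_file(path)].append(path)
    return {h: sorted(p) for h, p in by_hash.items() if len(p) >= min_copies}

def build_sample_tree():
    """Constructed sample (not a real infection): two AV directories whose
    executables were all replaced by one body, plus one untouched tool."""
    base = tempfile.mkdtemp(prefix="zafi_demo_")
    worm_body = b"MZ" + b"\x00" * 64 + b"constructed-worm-body"
    layout = {
        "AV1/scanner.exe": worm_body,
        "AV1/updater.exe": worm_body,
        "AV2/guard.exe": worm_body,
        "AV2/readme.txt": worm_body,            # not an .exe, ignored
        "Tools/procmon.exe": b"MZ" + b"distinct-legitimate-binary",
    }
    for rel, data in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return [os.path.join(base, d) for d in ("AV1", "AV2", "Tools")]

def demo():
    return find_cloned_executables(build_sample_tree())

if __name__ == "__main__":
    for digest, paths in demo().items():
        print(f"identical .exe contents ({digest[:12]}...):", *paths, sep="\n    ")
```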

IT Security | Tech
Wednesday, June 16, 2004 4:57:31 PM (Pacific Standard Time, UTC-08:00)