Computer Virus Warning released


belgareth
06-16-2004, 03:11 AM
Zafi.B: Virus of Babble

Tue Jun 15, 4:31 PM ET

Erika Morphy, www.enterprise-security-today.com

A new virus sweeping the Internet has climbed its way to the top of the antivirus watchers' charts within a matter of days. Along with the usual gambits to get people to open unfamiliar e-mail, the virus, called "Zafi.B," customizes its language to the recipient's default language setting, Panda Software CTO Patrick Hinojosa told NewsFactor.

"The social-engineering tactics were really thought out carefully, and that is why it is spreading so quickly," Hinojosa says. The virus attempts to shut down a PC's antivirus and firewall protections before the recipient can receive an updated signature file. Also, there appears to be a denial-of-service attack built into the virus to disable a certain Hungarian-based Web site. "This, of course, leads one to believe the virus writer is either Hungarian or has a grudge against some of these institutions."

The language factor allows the virus to spread around the world faster. French and German speakers, for example, seem to let their guard down more easily with e-mail that comes to them in French or German, as opposed to English, Hinojosa says.

Medium Risk

McAfee's AVERT (Anti-virus and Vulnerability Emergency Response Team), the research division of Network Associates (NYSE: NET), reports that the worm constructs messages using its own SMTP engine, spoofing the From: address. It also attempts to propagate via P2P, by copying itself to folders on the local system that contain "share" or "upload" in the folder name.

McAfee has raised the risk assessment to medium on Zafi.B.

Copies Itself Twice

The worm searches for e-mail addresses on the local hard disk, according to McAfee, harvesting addresses from files with the following extensions: .htm, .wab, .txt, .dbx, .tbb, .asp, .php, .sht, .adb, .mbx, .eml and .pmr. Harvested addresses are stored in five files in the system32 folder using random names and the file extension .dll.

"After being executed, Zafi.b copies itself twice to the windir system32 folder using a random name and .exe and .dll extension. The worm copies itself to directories on the C: drive containing one of the following strings: "share" or "upload"; and uses one of the following file names: Total Commander 7.0 full_install.exe or winamp 7.0 full_install.exe," McAfee said.
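The McAfee description quoted above gives two concrete host-based indicators a defender can hunt for: the worm drops copies of itself into directories whose names contain "share" or "upload", under one of two fixed lure file names. The following scanner is an added example written for this thread, not code from the article, McAfee or the forum; it walks a directory tree and reports files matching both conditions. The function names, the case-insensitive match on the directory's own name, and the sample tree built in a temporary directory (empty placeholder files, not real samples) are all my own assumptions.

```python
import os
import tempfile

# Indicators taken from the McAfee description quoted above: a copy of the
# worm sits in a directory whose name contains "share" or "upload" and uses
# one of these two lure file names.
ZAFI_B_LURE_NAMES = {
    "Total Commander 7.0 full_install.exe",
    "winamp 7.0 full_install.exe",
}
ZAFI_B_DIR_MARKERS = ("share", "upload")


def find_zafi_lures(root):
    """Walk `root` and return the relative paths of files whose name is one of
    the known lure names AND whose parent directory name contains one of the
    marker strings (compared case-insensitively). Result is sorted so that
    output is stable across runs."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dir_name = os.path.basename(dirpath).lower()
        if not any(marker in dir_name for marker in ZAFI_B_DIR_MARKERS):
            continue
        for name in filenames:
            if name in ZAFI_B_LURE_NAMES:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def build_sample_tree(root):
    """Create a constructed directory layout (assumption: empty placeholder
    files standing in for the dropped copies) so the scan runs offline."""
    layout = [
        "Shared Files/winamp 7.0 full_install.exe",          # lure in a share dir -> hit
        "Uploads/Total Commander 7.0 full_install.exe",      # lure in an upload dir -> hit
        "Documents/winamp 7.0 full_install.exe",             # right name, wrong dir -> ignored
        "Shared Files/readme.txt",                           # benign file -> ignored
    ]
    for rel in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("")


def demo():
    """Build the sample tree in a temp dir, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_zafi_lures(root)


if __name__ == "__main__":
    for hit in demo():
        print("possible Zafi.B drop:", hit)
```

Run against a real system you would call find_zafi_lures on the drive root instead of the temp tree; a match on the name alone (the "Documents" case above) is deliberately not reported, because the article ties the drop to share/upload folders, and a lone lure name in some other location is a weaker signal that deserves a separate, lower-confidence rule.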

DrSmellThis
06-16-2004, 12:02 PM
There's never a shortage of reasons to be paranoid! :) Tanks for the hedz up.

belgareth
06-16-2004, 12:07 PM
There's never a shortage of reasons to be paranoid! :) Tanks for the hedz up.

You're welcome, DST.