Zafi.B: Virus of Babble
Tue Jun 15, 4:31 PM ET
Erika Morphy,
www.enterprise-security-today.com
A new virus sweeping the Internet has climbed to the top of the antivirus watchers' charts within a matter of days. Along with the usual gambits to get people to open unfamiliar e-mail, the virus, called "Zafi.B," customizes its language to the recipient's default language setting, Panda Software CTO Patrick Hinojosa told NewsFactor.

"The social-engineering tactics were really thought out carefully, and that is why it is spreading so quickly," Hinojosa says. The virus attempts to shut down a PC's antivirus and firewall protections before the recipient can receive an updated signature file. There also appears to be a denial-of-service attack built into the virus to disable a certain Hungarian-based Web site. "This, of course, leads one to believe the virus writer is either Hungarian or has a grudge against some of these institutions."

The language factor allows the virus to spread around the world faster. French and German speakers, for example, seem to let their guard down more easily with e-mail that comes to them in French or German, as opposed to English, Hinojosa says.
Medium Risk
McAfee's AVERT (Anti-virus and Vulnerability Emergency Response Team), the research division of Network Associates (NYSE: NET), reports that the worm constructs messages using its own SMTP engine, spoofing the From: address. It also attempts to propagate via P2P by copying itself to folders on the local system that contain "share" or "upload" in the folder name.

McAfee has raised its risk assessment of Zafi.B to medium.
Copies Itself Twice
The worm searches for e-mail addresses on the local hard disk, according to McAfee, harvesting addresses from files with the following extensions: .htm, .wab, .txt, .dbx, .tbb, .asp, .php, .sht, .adb, .mbx, .eml and .pmr. Harvested addresses are stored in five files in the system32 folder using random names and the file extension .dll.

"After being executed, Zafi.b copies itself twice to the windir system32 folder using a random name and .exe and .dll extension. The worm copies itself to directories on the C: drive containing one of the following strings: "share" or "upload"; and uses one of the following file names: Total Commander 7.0 full_install.exe or winamp 7.0 full_install.exe," McAfee said.
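As an added example (not code from the article, from McAfee or from Panda), the following Python script turns the McAfee description above into an offline indicator sweep over a constructed directory tree: it flags the two lure file names and records whether each sits in a folder whose name contains "share" or "upload", and it flags .dll files in system32 that lack the MZ header but contain e-mail addresses, which is what the worm's harvested-address files look like. The directory layout, the file name qwhzt.dll and the addresses in it are constructed for the demo and carry no worm code; the `sweep` function is the part you would point at a real drive.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the McAfee description quoted above.
LURE_NAMES = {
    "total commander 7.0 full_install.exe",
    "winamp 7.0 full_install.exe",
}
SHARE_DIR_MARKERS = ("share", "upload")
# Loose e-mail matcher: enough to spot a harvested-address list, not a validator.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_pe_image(path):
    """A genuine .dll or .exe begins with the 'MZ' DOS header."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def sweep(root, system32):
    """Look for the worm's described footprint under a drive root.

    Returns a dict with two lists:
      lures          - (path, in_share_dir) for files carrying one of the two
                       lure names; the worm drops them in folders whose name
                       contains 'share' or 'upload', so that is recorded
      address_stores - .dll files in system32 that are not PE images but do
                       contain e-mail addresses (the harvested-address files
                       the worm keeps under random .dll names)
    """
    lures, address_stores = [], []
    for dirpath, _subdirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).lower()
        in_share_dir = any(m in rel for m in SHARE_DIR_MARKERS)
        for name in files:
            if name.lower() in LURE_NAMES:
                lures.append((Path(dirpath) / name, in_share_dir))
    for dll in sorted(system32.glob("*.dll")):
        if is_pe_image(dll):
            continue                      # real library: not an address store
        if EMAIL_RE.search(dll.read_bytes()):
            address_stores.append(dll)
    return {"lures": lures, "address_stores": address_stores}


def build_constructed_sample(base):
    """Create a constructed, harmless tree that mimics the footprint.

    Nothing here is worm code: the 'infected' files are a few bytes of filler.
    """
    root = base / "C"
    share = root / "Documents" / "Shared Stuff"       # folder name contains 'share'
    share.mkdir(parents=True)
    (share / "winamp 7.0 full_install.exe").write_bytes(b"MZ" + b"\0" * 62)
    legit = root / "Program Files" / "Winamp"
    legit.mkdir(parents=True)
    (legit / "winamp.exe").write_bytes(b"MZ" + b"\0" * 62)   # real app, other name
    system32 = root / "WINDOWS" / "system32"
    system32.mkdir(parents=True)
    (system32 / "kernel32.dll").write_bytes(b"MZ" + b"\0" * 62)  # genuine PE image
    (system32 / "qwhzt.dll").write_bytes(                         # constructed list
        b"alice@example.com\r\nbob@example.org\r\n")
    return root, system32


def run_demo():
    """Build the constructed tree in a temp dir, sweep it, return file names."""
    with tempfile.TemporaryDirectory() as tmp:
        root, system32 = build_constructed_sample(Path(tmp))
        found = sweep(root, system32)
        return {
            "lures": [(p.name, in_share) for p, in_share in found["lures"]],
            "address_stores": [p.name for p in found["address_stores"]],
        }


if __name__ == "__main__":
    for kind, hits in run_demo().items():
        print(kind, hits)
```

On a real machine you would call `sweep(Path("C:/"), Path("C:/WINDOWS/system32"))`. The MZ check is a heuristic: it separates the worm's plain-text address stores from genuine libraries, but a variant that wrapped its stores in a PE-shaped file would pass it, so treat hits as leads to confirm against the vendor's signature, not as a verdict.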
There's never a shortage of reasons to be paranoid! Thanks for the heads up.
DrSmellThis (creator of P H E R O S)

You're welcome, DST.