A new version of the Zafi e-mail worm is spreading Christmas wishes along with its malicious code.
Zafi.D is a mass-mailing worm that arrives in a zip file attached to e-mails with the subject "Merry Christmas." Instead of a gift, however, the e-mail package delivers worm code that infects Windows systems. Leading anti-virus companies, including McAfee, Sophos and Computer Associates have issued warnings and updated anti-virus signatures.
In addition to the Christmas well wishes in the subject line, Zafi-generated e-mails contain the message "Happy Hollydays" and are signed "Jaime" - clearly the virus writer has GCSE French.
Both CA and McAfee rate Zafi.D a "medium" threat, indicating that a number of samples have been spotted and that the worm has a destructive payload.
Like most other mass-mailing e-mail worms, Zafi.D modifies the configuration of Windows machines, shutting down other security software and harvesting e-mail addresses from files on the infected computer. After it harvests e-mail addresses, Zafi uses a built-in SMTP engine to send e-mail to those addresses with copies of the worm code.
The worm has had more luck spreading than earlier Zafi variants, possibly because of its well-timed and appealing subject line and message.
However, the increase in reports could be due to an initial spam distribution of the worm. The similarity of Zafi.D to its predecessors - and to other mass mailing worms - means that it's likely that few examples of the new worm are actually getting through to e-mail inboxes.