Zafi.B worm can terminate antivirus programs
- 15 June, 2004 10:04
<p>As an Australian Distributor for F-Secure for over 8 years, Open Systems Australia would like to provide you with the following news release.</p>
<p>Zafi.B worm can terminate antivirus programs</p>
<p>The new variant spreads fast in several different languages</p>
<p>F-Secure is warning the computer users of a new variant of Zafi email worm -Zafi.B - that was found in the wild on Friday, June 11th. Due to the worm's spreading speed, it was raised to Radar level 2 alert on Sunday, May 13th. The worm spreads by email in variable PIF.-, .EXE-, or COM -attachments. It also sends the messages in several different languages; e.g. in English,
Italian, Spanish, Russian, Swedish, German or Finnish.</p>
<p>Like a typical email worm, Zafi.B also gathers addresses from the users address books and then spreads by sending itself to those addresses. When the worm activates, it copies itself to the Windows System Directory with a random .DLL and random .EXE name. After this the worm scans through all directories in the system and replicates as either 'winamp 7.0 full_install.exe' or 'Total Commander 7.0 full_install.exe' to all folders that contain 'share' or 'upload' in their name. In addition to this, it terminates all applications that have 'firewall' or 'virus' in their filename.</p>
<p>"This worm is tricky, as it has a feature that can close down firewalls and antivirus programs in order to help itself spread further", Mikael Albrecht, the product Manager at F-Secure explains. "But that's not all. Another interesting thing about this worm is that the infected messages come in many different languages. As most of the widely spread worms use only English, this feature may confuse the user to open the message - and the worm spreads on", he continues.</p>
<p>As an example an email message sent by Zafi.B may look like this:</p>
Subject: eYou`ve got 1 VoiceMessage!
You`ve got 1 VoiceMessage from voicemessage.com website!
You can listen your Virtual VoiceMessage at the following link:
or by clicking the attached link.
Send VoiceMessage! Try our new virtual VoiceMessage Empire!
Best regards: SNAF.Team (R).</p>
<p>Examples of the messages in other languages as well as more detailed technical description of the Zafi.B worm are available in the F-Secure Virus Description Database at
<p>F-Secure Anti-Virus can detect and remove the Zafi.B worm. F-Secure Anti-Virus can be downloaded from http://www.f-secure.com.</p>
<p>F-Secure Corporation protects individuals and businesses against computer
viruses and other threats coming through the Internet or mobile networks. Our
award-winning solutions include antivirus, desktop firewall with intrusion
prevention and network encryption. Our key strength is the speed of response
to new threats and for businesses our solutions feature centralized
management. Founded in 1988, F-Secure has been listed on the Helsinki
Exchanges since 1999. We have our headquarters in Helsinki, Finland, and
offices in USA, France, Germany, Sweden, the United Kingdom and Japan.
F-Secure is supported by a global ecosystem of value added resellers and
distributors in over 50 countries. F-Secure protection is also available
through major Internet Service Providers, such as Deutsche Telekom and
leading mobile equipment manufacturers, such as Nokia.</p>
Open Systems Australia is a Canberra-based organization that was established in 1991 to cater to the computing infrastructure requirements of both Government and Private Enterprise. The company distributes leading information technology products and total systems solutions accompanied with professional and dedicated sales and support services. Open Systems Australia provides products and services to an extensive network of over 1200 value-added Resellers and major System Integration companies Australia wide. For additional information please visit: http://www.opensystems.com.au</p>
<p>For further information please contact:</p>
Open Systems Australia
02 6261 4900
- NIST: 17 reasons we can’t trust or certify IoT devices
- The week in security: Aussie cybersecurity startups getting more mature
- Most European companies failing to meet GDPR obligations
- Gamified training helping Secure Code Warrior build global security brand
- Honeywell’s industrial Android devices open to serious remote attack