Zafi.B worm can terminate antivirus programs

The new variant spreads fast in several different languages

Helsinki, Finland - June 14, 2004

F-Secure is warning computer users of a new variant of the Zafi email worm – Zafi.B – that was found in the wild on Friday, June 11th. Due to the worm’s spreading speed, it was raised to a Radar level 2 alert on Sunday, June 13th. The worm spreads by email in attachments with variable names and a .PIF, .EXE, or .COM extension. It also sends the messages in several different languages, e.g. in English, Italian, Spanish, Russian, Swedish, German or Finnish.

Like a typical email worm, Zafi.B gathers addresses from the user's address books and then spreads by sending itself to those addresses. When the worm activates, it copies itself to the Windows System Directory with a random .DLL and a random .EXE name. After this the worm scans through all directories in the system and replicates as either 'winamp 7.0 full_install.exe' or 'Total Commander 7.0 full_install.exe' to all folders that contain 'share' or 'upload' in their name. In addition to this, it terminates all applications that have ‘firewall’ or ‘virus’ in their filename.

“This worm is tricky, as it has a feature that can close down firewalls and antivirus programs in order to help itself spread further”, Mikael Albrecht, Product Manager at F-Secure, explains. “But that’s not all. Another interesting thing about this worm is that the infected messages come in many different languages. As most of the widely spread worms use only English, this feature may confuse the user to open the message – and the worm spreads on”, he continues.

As an example, an email message sent by Zafi.B may look like this:

Sender: Jennifer
Subject: eYou`ve got 1 VoiceMessage!
Attachment: "link.voicemessage.com.listen.index.php1Ab2c.pif"

Message body:

Dear Customer!
You`ve got 1 VoiceMessage from voicemessage.com website!
You can listen your Virtual VoiceMessage at the following link:
http://virt.voicemessage.com/index.listen.php2=35affv or by clicking the attached link.
Send VoiceMessage! Try our new virtual VoiceMessage Empire!
Best regards: SNAF.Team (R).
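
The file-copying behaviour and the attachment naming described above can be turned into a simple defensive sweep. The Python sketch below is an added example, not F-Secure's code: it looks for the two decoy file names in folders whose name contains 'share' or 'upload', and flags attachment names that end in the extensions this release lists. Matching on the folder's own name rather than the full path, and comparing case-insensitively, are assumptions; the sample tree is constructed from empty placeholder files.

```python
import os
import tempfile

# Names, keywords and extensions exactly as stated in the press release.
DECOY_NAMES = {"winamp 7.0 full_install.exe", "total commander 7.0 full_install.exe"}
FOLDER_KEYWORDS = ("share", "upload")
ATTACHMENT_EXTS = (".pif", ".exe", ".com")


def find_decoys(root):
    """Return sorted paths of decoy-named files that sit in a folder whose
    name contains 'share' or 'upload', anywhere under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        folder = os.path.basename(dirpath).lower()  # assumption: folder name only
        if not any(keyword in folder for keyword in FOLDER_KEYWORDS):
            continue
        for name in files:
            if name.lower() in DECOY_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def risky_attachment(filename):
    """True if the attachment's final extension is one the worm uses, so a
    name that looks like a web link but ends in .pif is still flagged."""
    return filename.strip().strip('"').lower().endswith(ATTACHMENT_EXTS)


def build_sample_tree(root):
    """Constructed sample tree of empty placeholder files (no malware)."""
    layout = {
        "My Shared Folder": ["winamp 7.0 full_install.exe", "notes.txt"],
        "uploads": ["Total Commander 7.0 full_install.exe"],
        "Documents": ["winamp 7.0 full_install.exe"],  # folder name does not match
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for n in names:
            open(os.path.join(root, folder, n), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path in find_decoys(tmp):
            print("possible Zafi.B copy:", path)
    print(risky_attachment("link.voicemessage.com.listen.index.php1Ab2c.pif"))
```

A hit is only a lead for further checking: a legitimately named installer in a shared folder would match too, so confirm with an antivirus scan before deleting anything.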

Examples of the messages in other languages, as well as a more detailed technical description of the Zafi.B worm, are available in the F-Secure Virus Description Database at http://www.f-secure.com/v-descs/zafi_b.shtml

F-Secure Anti-Virus can detect and remove the Zafi.B worm. F-Secure Anti-Virus can be downloaded from http://www.f-secure.com.

About F-Secure

F-Secure Corporation protects individuals and businesses against computer viruses and other threats coming through the Internet or mobile networks. Our award-winning solutions include antivirus, desktop firewall with intrusion prevention and network encryption. Our key strength is the speed of response to new threats. For businesses our solutions feature centralized management. Founded in 1988, F-Secure has been listed on the Helsinki Exchanges since 1999. We have our headquarters in Helsinki, Finland, and offices in USA, France, Germany, Sweden, the United Kingdom and Japan. F-Secure is supported by a global ecosystem of value added resellers and distributors in over 50 countries. F-Secure protection is also available through major Internet Service Providers, such as Deutsche Telekom and France Telecom.

For more information, please contact:

F-Secure Corporation
Mikael Albrecht, Product Manager
Tel. +358 40 550 9349
Fax. +358 9 2520 5001
Email: mikael.Albrecht@f-secure.com