Threat Advisory: McAfee(R) AVERT Raises Risk Assessment to Medium on New W32/Zafi.d@MM Worm
McAfee AVERT Raises W32/Zafi.d@MM to Medium Based on Increased Prevalence
BEAVERTON, Ore., Dec. 14 /PRNewswire-FirstCall/ -- McAfee, Inc. (NYSE:MFE), the leading provider of intrusion prevention solutions, today announced that McAfee(R) AVERT(TM) (Anti-virus and Vulnerability Emergency Response Team), the world-class research division of McAfee, Inc., raised the risk assessment to medium on the recently discovered W32/Zafi.d@MM, also known as Zafi.d. Zafi.d is a mass-mailing worm that constructs messages using its own SMTP engine and spoofs the From: address. It also attempts to propagate via P2P by copying itself to folders on the local system.
McAfee AVERT researchers, who first saw the worm early today in Europe, have received numerous reports, mostly from Germany, Italy and Spain, where Zafi.d has been detected on or has infected both corporate and home users. The reports are typical of a mass-mailing outbreak: they come both from samples submitted by customers and from worm-generated mail received from customers.
Threat Overview
Zafi.d is a mass-mailing worm that when executed, copies itself twice to the %windir%\system32 folder. The worm, which sends itself out in Hungarian and English, creates a registry key, so that infected files are executed every time an infected computer is turned on. Zafi.d also has the ability to search for directories of anti-virus and personal firewall software, and then overwrite the executables with a copy of itself. Users should immediately delete any email containing the following:
From: (The from address is spoofed). The worm searches for email addresses on the local hard disk, harvesting addresses from files with the following extensions:
-- htm
-- wab
-- txt
-- dbx
-- tbb
-- asp
-- php
-- sht
-- adb
-- mbx
-- eml
-- pmr
-- fpt
-- inb
Harvested addresses are stored in five files in the system32 folder using random names and the file extension .DLL.
Subject: Re: (original subject)
The message may be constructed with various subject and message bodies.
Body:
The body of the email sent by the worm is in the form of Christmas greetings. Like previous variants, the worm sends itself out in different languages depending on the Top Level Domain (TLD) of the recipient's address. For example, a user with a .COM mail address will receive the English mail body, while someone with a .DE mail address will receive the German body.
Threat Pathology
After being executed, Zafi.d copies itself twice to the %windir%\system32 folder using a random name and .DLL extension. The worm copies itself to directories on the C: drive containing one of the following strings: "share", "upload" or "music" and uses one of the following file names:
-- winamp 5.7 new!.exe
-- ICQ 2005a new!.exe
In an attempt to thwart manual identification and cleaning of an infected machine, the worm will also attempt to terminate processes.
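The Threat Overview and Threat Pathology sections give two host-level artifacts a defender can check for: the dropper file names inside folders whose path contains "share", "upload" or "music", and the harvested-address files written to system32 with random names and a .DLL extension (which, unlike a real DLL, are not PE images). The following Python script is an added example written for this page, not McAfee's scanner; the directory names, file contents and helper names are constructed for illustration.

```python
import os
import re
import tempfile

# Dropper names and folder markers quoted in the advisory's Threat Pathology section.
DROPPER_NAMES = {"winamp 5.7 new!.exe", "icq 2005a new!.exe"}
P2P_DIR_MARKERS = ("share", "upload", "music")
EMAIL_RE = re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+")

def is_pe_image(path):
    """A genuine DLL is a PE image, so it starts with the 'MZ' DOS header."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"

def scan_host(root, system32):
    """Hypothetical helper: return (reason, path) findings under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        lower_dir = dirpath.lower()
        for name in files:
            path = os.path.join(dirpath, name)
            # 1. P2P dropper names inside share/upload/music folders
            if name.lower() in DROPPER_NAMES and any(m in lower_dir for m in P2P_DIR_MARKERS):
                findings.append(("p2p-dropper", path))
            # 2. .DLL files in system32 that are not PE images yet hold e-mail
            #    addresses: the advisory says harvested addresses are stored this way
            if lower_dir == system32.lower() and name.lower().endswith(".dll") and not is_pe_image(path):
                with open(path, "rb") as fh:
                    if len(EMAIL_RE.findall(fh.read())) >= 2:
                        findings.append(("harvested-addresses", path))
    return findings

def build_fixture():
    """Constructed sample tree standing in for a C: drive (not a real infection)."""
    root = tempfile.mkdtemp()
    sys32 = os.path.join(root, "WINDOWS", "system32")
    share = os.path.join(root, "Program Files", "Shared Music")  # contains "share" and "music"
    for d in (sys32, share):
        os.makedirs(d)
    with open(os.path.join(sys32, "kernel32.dll"), "wb") as fh:   # legitimate-looking PE stub
        fh.write(b"MZ\x90\x00 legitimate PE image")
    with open(os.path.join(sys32, "xkq83jd.dll"), "wb") as fh:    # constructed address cache
        fh.write(b"alice@example.com\r\nbob@example.de\r\n")
    with open(os.path.join(share, "winamp 5.7 new!.exe"), "wb") as fh:
        fh.write(b"MZ constructed dropper stand-in")
    return root, sys32

if __name__ == "__main__":
    root, sys32 = build_fixture()
    for reason, path in scan_host(root, sys32):
        print(reason, path)
```

The address-file heuristic is deliberately narrow (non-PE .DLL in system32 with several addresses) so that legitimate DLLs are never flagged; the two finding types map directly to the cleanup steps the advisory implies.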
Cure
Immediate information and the cure for this virus can be found online at the McAfee, Inc. McAfee AVERT site located at http://vil.mcafeesecurity.com/vil/content/v_130371.htm. McAfee AVERT is advising its customers to update to the 4414 DATs to stay protected.
McAfee AVERT Labs is one of the top-ranked anti-virus and vulnerability research organizations in the world, employing researchers in thirteen countries on five continents. McAfee AVERT combines world-class malicious code and anti-virus research with intrusion prevention and vulnerability research expertise from the McAfee(R) IntruShield(R) and McAfee(R) Entercept(R) organizations, two research arms that were acquired through IntruVert Networks and Entercept Security. McAfee AVERT protects customers by providing cures that are developed through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.
About McAfee, Inc.
McAfee, Inc., headquartered in Santa Clara, Calif., creates best-of-breed intrusion prevention and risk management solutions. McAfee's market-leading security products and services help large, medium and small businesses, government agencies, and consumers prevent intrusions on networks and protect computer systems from critical threats. Additionally, through the Foundstone Professional Services division, leading security consultants provide security expertise and best practices for organizations. For more information, McAfee, Inc. can be reached at 972-963-8000 or on the Internet at http://www.mcafee.com/.
NOTE: McAfee, AVERT, Foundstone, IntruShield and Entercept are either registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the United States and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. (C) 2004 McAfee, Inc. All Rights Reserved.
Photo: NewsCom: http://www.newscom.com/cgi-bin/prnh/20040426/MCAFEELOGO
AP Archive: http://photoarchive.ap.org/
PRN Photo Desk, photodesk@prnewswire.com
Source: McAfee, Inc.
CONTACT: Tracy Ross of McAfee, Inc., +1-408-346-5965 or
Tracy_ross@mcafee.com; or Ally Zwahlen of Porter Novelli, +1-408-571-2331 or
ally.zwahlen@porternovelli.com, for McAfee, Inc.
Web site: http://www.mcafee.com/