Preemptive Protection against a New Variant of the Zafi Worm

Attack ID: CPAI-2004-65
Publish Date:
Category: Worms and Viruses
Vulnerable Systems: Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP
Source:

Secunia ID 13871

Description: Win32.Zafi.D is a worm that spreads via e-mail and peer-to-peer file sharing. The worm uses a spoofed From address and a message body in the form of a Christmas greeting, with the worm attached as a .pif, .cmd, .bat, .com, or .zip file. The worm can also display a decoy message in a message box saying 'Error in packed file!'.
Severity:
Details: While the original Zafi.A uses only Hungarian, the new Zafi.D spreads in e-mail written in English, Italian, Spanish, Russian, Swedish and several other languages. As with previous variants, the worm sends itself out in different languages depending on the Top Level Domain (TLD) of the recipient's address. For example, a user with a .COM mail address will receive the English mail body, while someone with a .DE mail address will receive the German body.

Attack Detection:

After applying the solution outlined below, use SmartView Tracker to identify attempts to receive SMTP and HTTP traffic that contain attachments with the worm's unsafe file name extensions.

Users of VPN-1 NG FP3 and later versions:

An example for an HTTP log entry:
reason: Content Security - access denied

An example for an SMTP log entry:
reason: Forbidden MIME attachment stripped

Users of InterSpect 2.0:

Attack Name: Mail
Attack Information: A connection attempt to an external mail server.
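To illustrate the gateway behaviour behind the SMTP log entry above, the following Python code (an added example, not Check Point's or F-Secure's code) strips MIME attachments whose extension is one the advisory lists for Zafi.D and emits a log line in the same wording. The message it processes is a constructed sample that only mimics the advisory's description (spoofed sender, Christmas greeting, .pif attachment); the addresses and file names are assumptions.

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions the advisory names for Zafi.D mail (.pif, .cmd, .bat, .com, .zip)
FORBIDDEN_EXTENSIONS = {".pif", ".cmd", ".bat", ".com", ".zip"}


def is_forbidden_name(filename: str) -> bool:
    """Case-insensitive check of the final extension only (card.jpg.pif -> .pif)."""
    return os.path.splitext(filename.lower())[1] in FORBIDDEN_EXTENSIONS


def strip_forbidden_attachments(raw: bytes) -> tuple[EmailMessage, list[str]]:
    """Parse a raw message, drop each top-level MIME part with a forbidden file name,
    and return the cleaned message plus one advisory-style log line per stripped part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    log: list[str] = []
    if not msg.is_multipart():          # a single-part mail carries no attachment
        return msg, log
    kept = []
    for part in msg.iter_parts():       # direct children of the multipart container
        name = part.get_filename() or ""
        if name and is_forbidden_name(name):
            log.append(f"reason: Forbidden MIME attachment stripped; file={name}")
        else:
            kept.append(part)
    msg.set_payload(kept)               # keep only the surviving parts
    return msg, log


def build_sample() -> bytes:
    """Constructed message shaped like the advisory's description (spoofed sender,
    Christmas greeting, .pif attachment); placeholder bytes, not a worm sample."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"        # spoofed sender (constructed)
    msg["To"] = "user@example.com"
    msg["Subject"] = "Merry Christmas!"
    msg.set_content("Happy Holidays! Open the attached card.")
    msg.add_attachment(b"constructed placeholder", maintype="application",
                       subtype="octet-stream", filename="postcard.pif")
    msg.add_attachment("constructed notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, log = strip_forbidden_attachments(build_sample())
    print("\n".join(log), [p.get_filename() for p in cleaned.iter_parts()])
```

Only the final extension is checked, so a double-extension name such as card.jpg.pif is still caught; legitimate parts without a forbidden name (here the text body and notes.txt) pass through unchanged.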

Solution:

Users of VPN-1 NG FP-3 and above who have applied the solution outlined in CPSA-2004-05 are already protected against the propagation of this worm. For detailed configuration instructions, refer to CPSA-2004-05.

InterSpect 2.0 blocks the propagation of this worm by denying hosts direct access to mail servers that do not belong to the organization and that may therefore be considered a security hazard. Users of InterSpect 2.0 who have applied the solution outlined in CPAI-2004-50 are already protected against the propagation of this worm.

Industry Reference:
Additional Information: F-Secure