Fact Check

Zafi.D Virus

Information about the Zafi.D mass-mailing worm.

Published Dec 16, 2004


Virus:   Zafi.D

Status:   Real.

Example:   [Collected on the Internet, 2004]


Origins:   Christmas is the season for many things, but holiday greeting messages that trick users into executing malevolent computer programs shouldn't be one of them. Unfortunately, that was the case with the Zafi.D mass-mailing worm, launched in mid-December 2004.

The Zafi.D worm arrived as an attachment to e-mails that bore a subject line of "Merry Christmas" and a message body consisting of the words "Happy Hollydays" printed in green text and separated by a yellow emoticon. (The message was signed with any one of a number of names, including "Jaime" and "Anne McGee.") The attachment (with a .ZIP file extension), when executed, delivered worm code that infected Microsoft Windows systems and replicated by sending itself to e-mail addresses harvested from the infected computer's address book.

Even worse, Zafi.D made its lure more appealing by determining the locations of targeted recipients from their domain-name extensions and altering its text to match the native languages of those areas. (For example, users whose e-mail addresses end with .fr received messages titled "Joyeux Noel!", while users whose e-mail addresses end with .it received messages titled "Buon Natale!")

The Zafi.D worm now poses little or no threat, as it is easily caught and eliminated by most virus protection software products. The Zafi.D "Merry Christmas" warnings, which date from 2004, should not be confused with the 2007 "Merry Christmas" variant of the Invitation (or Olympic Torch) hoax.

Additional information:

    W32/Zafi.d@MM   (McAfee)
    W32/Zafi-D   (Sophos)

Last updated:   6 December 2007


David Mikkelson founded the site now known as snopes.com back in 1994.