- 15 June 2004 09:31
Threat Advisory: McAfee AVERT Raises Risk Assessment to Medium on New W32/Zafi.b@MM Worm
McAfee AVERT Raises W32/Zafi.b@MM to Medium Based on Increased Prevalence
SYDNEY, June 15, 2004 –Network Associates, the leading provider of intrusion prevention solutions, today announced that McAfee AVERT(Anti-virus and Vulnerability Emergency Response Team), the world-class research division of Network Associates, raised the risk assessment to medium on the recently discovered W32/Zafi.b@MM, also known as Zafi.b. Zafi.b is a mass-mailing worm that constructs messages using its own SMTP engine, spoofing the From: address. It also attempts to propagate via P2P, via copying itself to folders on the local system (containing 'share' or 'upload' in the folder name). McAfee AVERT researchers, which first saw the worm on Friday, June 11, have received over 150 reports worldwide of the Zafi.b worm from both real customer submissions and virus-generated mail from customers around the world.
Zafi.b is a mass-mailing worm that when executed, copies itself twice to the %windir%\system32 folder using a random name and .EXE and .DLL extension. The worm, which sends itself out in different languages, creates a registry key, so that infected files are executed every time an infected computer is turned on. Zafi.b also has the ability to search for directories of anti-virus and personal firewall software, and then overwrite the executables with a copy of itself. Users should immediately delete any email containing the following:
From: (The from address is spoofed). The worm searches for email addresses on the local hard disk, harvesting addresses from files with the following extensions:
Harvested addresses are stored in five files in the system32 folder using random names and the file extension .DLL.
Subject: Re: (original subject)
The message may be constructed with various subject and message bodies.
After being executed, Zafi.b copies itself twice to the %windir%\system32 folder using a random name and .EXE and .DLL extension. The worm copies itself to directories on the C: drive containing one of the following strings: "share" or "upload" and uses one of the following file names:
-- Total Commander 7.0 full_install.exe
-- winamp 7.0 full_install.exe
In an attempt to thwart manual identification and cleaning of an infected machine, the worm will also attempt to terminate processes.
Immediate information and the cure for this virus can be found online at the Network Associates McAfee AVERT site located at http://vil.nai.com/vil/content/v_125301.htm. Users of McAfee Security products should update their systems from that page.
Network Associates McAfee Protection-in-Depth Strategy delivers the industry's only complete set of system and network protection solutions differentiated by intrusion prevention technology that can detect and block these types of attacks. This allows customers to protect themselves while they plan their patch deployment strategy.
McAfee AVERT Labs is one of the top-ranked anti-virus and vulnerability research organisations in the world, employing researchers in offices on five continents. McAfee AVERT protects customers by developing and providing solutions that are created through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection and ActiveDAT technology to generate cures for previously undiscovered viruses.
About Network Associates
With headquarters in Santa Clara, California, Network Associates, Inc.
(NYSE: NET) creates best-of-breed computer security solutions that prevent intrusions on networks and protect computer systems from the next generation of blended attacks and threats. Offering two families of products, McAfee System Protection Solutions, securing desktops and servers, and McAfee Network Protection Solutions, ensuring the protection and performance of the corporate network, Network Associates offers computer security to large enterprises, governments, small and medium sized businesses, and consumers. For more information, Network Associates can be reached on the Internet at http://www.networkassociates.com/.
# # #
NOTE: Network Associates, McAfee and AVERT are either registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the United States and/or other countries. Red in connection with security is distinctive of McAfee(R). All other registered and unregistered trademarks herein are the sole property of their respective owners.
For further information please contact:
Tel: +61 (0)2 9956 5733
Mobile: +61 (0)417 259 054