Christmas card worm rips back door in PCs

Virus writers are sending multilingual Christmas cards with a nasty surprise for the recipent - a worm that opens a back door into the user's machine
Written by Dan Ilett, Contributor on

Antivirus companies warned on Tuesday that a seasonal worm, dubbed Zafi.D, is attacking users in the guise of an e-Christmas card.

The Zafi worm, which has appeared at previous Christmases, travels as an attachment. When opened it displays an error message instead of the card. The worm then uses a Trojan horse program to open a back door that allows hackers to take remote control of infected PCs.

"The timing for this worm is critical," said Mikko Hypponen, director of antivirus research for F-Secure. "This is a time when people send electric Christmas cards. Sending them is not risky, but receiving them is. We advise people to stay away from them."

F-Secure has listed the worm, which sends a copy of itself to every email address in contact folders, at threat level 2 -- the company's second most dangerous rating.

The worm is able to send itself in multiple languages. For example, email addresses ending .es would be sent in Spanish.

By 4 p.m. GMT on Tuesday, reports of the worm had rocketed to 51,000 -- up from 1,300 just three hours before. The worm was reportedly gaining momentum right across the Internet, especially in Hungary.

"The first version of this worm was from Hungary. We don't know if this one is. This is not the first time we've seen this worm. It's come up at other Christmases where virus writers have used Christmas cards [manipulate] readers. Don't trust them, even if they are in your language," Hypponen warned.

The worm is believed to spread in many languages including English, Italian, Russian, Spanish and Swedish. According to F-Secure, the first part of the English the message reads:

"Sender: Pamela M.
 Subject: Merry Christmas!
 Happy HollyDays!
 :) [Recipient]"

Editorial standards