Worm cuts off antivirus programs

A new worm variant that can terminate antivirus applications was discovered last Friday, prompting Internet security vendor F-Secure to issue a level two warning.

The variant, called Zafi.B, is spread through email attachments in PIF., EXE. or Com attachments, and according to F-Secure, the worm "terminates all applications that have 'firewall' or 'virus' in their file-name".

The worm is capable of transmitting in several languages, including English, Italian, Spanish, Russian, Swedish, German or Finnish, said F-Secure, and spreads itself by collecting email addresses from the recipient's address book.

Zafi.B copies itself to the Windows System Directory when activated, and replicates itself as either "winamp 7.0 full_install.exe" or "Total Commander 7.0 full_install.exe" files in folders that contain "share" or "upload" in their names, according to F-Secure.

Manager for F-Secure, Mikael Albrecht, says the worm is particularly complicated as it has the capacity to penetrate firewalls and antivirus applications in order to "help itself spread further".

"Another interesting thing about this worm is that the infected messages come in many different languages. As most of the widely spread worms use only English, this feature may confuse the user to open the message - and the worm spreads on", he said.

However, Internet security firm Symantec has listed the virus as having an "easy" threat-containment rating and a "low" geographical distribution area.

A Symantec spokesman maintained that the worm is still "nothing significant".

"The worm tries to disable the security processes on the machine to make it more vulnerable to other attacks," said the spokesman.

He said that users who notice unusual messages regarding system vulnerability may be infected and should scan their computers to guard against further infection.

For more coverage on ZDNet Australia, click here.