Zafi worm dominates email systems

Antivirus firms say Zafi, the worm travelling as an e-Christmas card, is devouring bandwidth and dominating the virus report stats
Written by Dan Ilett, Contributor

The mass-mailing Christmas e-card virus Zafi.d is clogging huge amounts of bandwidth and now accounts for one in 15 of all emails, antivirus companies said on Thursday.

According to Sophos, the worm is responsible for 72 percent of all the company's virus reports in the last 24 hours.

"It's generating a lot of email," said Graham Cluley, senior technology consultant for Sophos. "It's a bit quieter today than yesterday when it was one in 10 emails. This is curious because it's sending a lot of email, but not necessarily everyone is receiving it."

Cluley said that once the worm has penetrated a contacts book to send itself to email addresses stored there, it creates a large number of made-up email addresses using existing domain names -- for example, madeupaddress@zdnet.co.uk. Many of these email addresses are reaching gateway servers, Cluley said, but not going any further.

"Email gateways will receive the message but may not be able to send on that email traffic. That means it doesn't get to everyone, but we still think it's a very aggressive virus. I think it will begin to disappear, but saying that, past Zafis have continued to lurk around for a while," said Cluley.

Antivirus companies warned on Tuesday that the seasonal worm, which travels as an attachment, opens a back door that allows hackers to take remote control of infected PCs.

According to Russian antivirus company Kaspersky Labs, most of Zafi's activity has been detected in Hungary. It said that the word Zafi comes from Hungarian word "hazafi", which means "patriot".

The worm, which was discovered on Tuesday, uses a variety of languages to spread, including English, French, Spanish and Hungarian.

Editorial standards