Zafi Worm Strikes, Spikes

Zafi.b, which spreads primarily via e-mail but can also infect shared folders created by peer-to-peer file-sharing software, is based on an April worm originally written in Hungarian. This variant, however, can arrive in English, German, Swedish, Italian, Russian, or Spanish, depending on the top-level mail domain targeted. Typically, the payload is packed into a .pif file.

Network Associates, for instance, upgraded its threat level for Zafi.b to "Medium" early Monday as submissions started to spike.

"Fortunately, it doesn't look like a long-term worm," said Vincent Gullotto, vice president of Network Associates' AVERT research team. "Give it a couple of days and it'll disappear."

For the moment, however, Zafi is leading several anti-virus vendors' hit parades.

"Zafi.b has accounted for over 60 per cent of the reports to Sophos' global network of monitoring stations over the last 24 hours, making it the most widespread e-mail worm at the moment," said Graham Cluley, senior technology consultant for Sophos, in a statement.

Rival anti-virus company F-Secure, meanwhile, said Zafi.b topped its current virus list by accounting for 43.2 percent of all malicious code detected in the last 24 hours.

"Zafi.b's able to spread, I think, because of its multi-language format," said Gullotto, "and because it uses a .pif file as an attachment. There are still a lot of people out there who don't understand [the danger of] opening .pif files."

But while Gullotto added that Zafi.b should be taken seriously -- in part because it sniffs out firewall and anti-virus program executables and overwrites them with a copy of itself, disabling defenses -- it's not the biggest worm threat on the Net at the moment. That "honor" still belongs to Netsky, which has put more than a score of variants in the wild since it first appeared in February.

"We're still seeing a ton of Netsky.d and Netsky.p," said Gullotto.

Netsky variants held seven of the top ten spots in F-Secure's up-to-the-minute virus list, and accounted for 41.6 percent of all malicious code spotted during the past 24 hours.