Don’t be fooled by this email that bears the message “Happy Holidays” and
the subject line “Merry Christmas”, even when it appears to be from someone
Most likely, it is a worm, attached in a file that pretends to be a holiday
postcard greeting and usually arrives via email and through peer-to-peer
networks. The message may appear in different languages based on your
This worm, called Zafi.d, is a variant of the Zafi worm. Zafi.d is a
mass-mailing worm that, when executed, copies itself twice to the
%windir%\system32 folder using a random name and a .DLL extension. The worm
also copies itself to directories on the C: drive containing one of the
following strings: "share", "upload" or "music".
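
For cleanup triage, the folder-seeding behaviour described above can be hunted for by listing identical files that appear in more than one folder whose name contains "share", "upload" or "music". This is an added example, not code from the article or any vendor; matching on the immediate folder name and grouping by SHA-256 are assumptions of this sketch, and the sample tree is constructed.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# Folder-name substrings the article says Zafi.d looks for on C:.
MARKERS = ("share", "upload", "music")

def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large media files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_replicated_files(root, markers=MARKERS):
    """Return {sha256: [paths]} for content found in 2+ marker-named folders."""
    seen = defaultdict(list)
    for path in Path(root).rglob("*"):
        folder = path.parent.name.lower()  # assumption: match the folder's own name
        if not path.is_file() or not any(m in folder for m in markers):
            continue
        try:
            seen[sha256_of(path)].append(path)
        except OSError:
            continue  # locked or unreadable file: skip it and keep scanning
    return {d: sorted(ps) for d, ps in seen.items()
            if len({p.parent for p in ps}) >= 2}

def demo():
    """Scan a constructed directory tree; returns lists of relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        payload = b"constructed stand-in bytes, not a real sample"
        layout = {
            "My Shared Folder/greeting.exe": payload,
            "uploads/postcard.exe": payload,
            "Music/song.mp3": b"unrelated audio bytes",
            "Documents/greeting.exe": payload,  # not a marker folder
        }
        for rel, data in layout.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        hits = find_replicated_files(root)
        return [[p.relative_to(root).as_posix() for p in ps] for ps in hits.values()]

if __name__ == "__main__":
    print(demo())
```

A hit only means the same bytes sit in several sharing-style folders; confirm with an up-to-date anti-virus scan before deleting anything.
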
According to TechTree, this worm sends itself out in Hungarian and English
and creates a registry key so that infected files are executed every time an
infected computer is turned on. Zafi.d also has the ability to search for
directories of anti-virus and personal firewall software, and then overwrite
the executables with a copy of itself.
In an attempt to thwart manual identification and cleaning of an infected
machine, the worm will also attempt to terminate processes.
According to reports, the virus poses a greater threat to home users as it
is most frequently attached to email as a .php file. Home-based Web users
may be less diligent in updating their anti-virus software.
Attachments appear at 12 KB in size. Once inside the infected system, the
worm drops a copy of itself under a legitimate-sounding file name.