New Christmas Card Email Worm Spreading

F-Secure is warning computer users around the world about a new email worm that passes itself on as a fake Christmas Card. Virus writers are honouring this Christmas with a new virus known as Zafi.D. This email worm spreads in emails that are written in several different languages based on the recipient. The Christmas greeting could be written in English, Italian, Spanish, Russian, Swedish and several other languages.

The message is a simple Christmas wish. Following text is an example of English message:
Sender: Pamela M.
Subject: Merry Christmas!

Happy Hollydays!

The infected attachment has an extension of .pif, .cmd, .bat, or .com file. When run, the virus displays a decoy error message saying “Error in packed file!”. After this the virus spreads further and installs a backdoor that will allow the virus writer to take over the infected computer. The worms sends messages in the respective languages to the following country codes:
.hu .sp .ru .dk .ro .se .no .fi .lt .pl .pt .de .nl .cz .fr .it .mx .at ..es

“We have seen viruses that send fake Christmas cards almost every Christmas, says Mikko Hypp?¶nen, Director, Anti-Virus Research at F-Secure Corporation and continues “we recommend people to send traditional pen and paper Christmas cards instead”.

F-Secure Anti-Virus can detect and remove the Zafi.D variant. F-Secure Anti-Virus can be downloaded from Based on independent research by AV.Test.org and Messagelabs F-Secure detects new threats faster compared to other major antivirus vendors. F-Secure also updates customers more regularily than other major antivirus vendors. Between January and August 2004, F-Secure sent out an average of 48 updates per month, which is 50% more than Symantec, almost three times as many as Trend and almost five times as many as McAfee. For the 45 major malware epidemics during 2004, F-Secure customers received their updates on average six hours after the first sample was detected, while, on average, Trend customers were updated ten hours, McAfee customers 14 hours and Symantec customers 16 hours after the first sample. (Source AV-Test.org)

To communicate breaking news fast F-Secure initiated a weblog to provide customers and the media with the latest factual information about viruses, worms, security hacks, and the people behind them. Comments and analyses are updated continually by Mikko Hypponen and the rest of F-Secure’s security research team, and postings often include screen shots and images of actual viruses and malware code.

F-Secure has issued its traditional year-end wrap-up release, which can be read at: http://www.f-secure.com/2004/