New multilingual Hazafi mass-mailer disables antivirus programs
Festive preparations are in full swing. Everybody is in a hurry to send warm season's greetings to friends and relatives. Email is the best way to do it. The best, of course, but also the most dangerous, since along with Christmas greetings it may bring a malicious program to your computer.
And the virus writers have taken advantage of the pre-holiday rush by releasing a new mass-mailing worm, named Win32.HLLM.Hazafi.36864 in Doctor Web’s classification (other antivirus vendors call it W32/zafi3@mm or W32.Erkez.D@mm).
The statistics received by the virus monitoring service of Doctor Web, Ltd. show that in just several hours of its existence the worm has spread significantly on the Net. This is mostly due to users themselves, as the worm needs the user’s intervention to become active: the viral attachment has to be opened manually.
The newborn threat has a multilingual payload. Depending on the user’s domain name, the Christmas greeting arriving with the worm may be in English, German, Hungarian, Russian, Polish, Italian, Finnish or French.
And don’t even try to find out where an infected message came from! As has become usual with modern mass-mailing worms, the sender’s address is spoofed. Its further travel across the globe is limited only by the address books of the infected machines.
If a user tries to open the virus-laden attachment enclosed with a message (you can look at it here), the worm displays an error message on the screen and copies itself to the Windows system folder.
To increase its chances of spreading, the worm also copies itself to folders having «share», «music» or «upload» in their names as winamp 5.7 new!.exe and ICQ 2005a new!.exe, which allows it to proliferate through file-sharing networks.
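A triage check for the copies described above, given as an added example that is not Doctor Web's code: it walks a directory tree and reports files carrying either of the two names, noting whether the containing folder name has one of the three keywords. The function names, the reason labels and the sample folder layout are assumptions made for the illustration.

```python
import os
import tempfile

# File names and folder keywords as given in the article text.
DROPPED_NAMES = {"winamp 5.7 new!.exe", "icq 2005a new!.exe"}
FOLDER_KEYWORDS = ("share", "music", "upload")


def find_hazafi_copies(root):
    """Return sorted (path, reason) pairs for files matching the description.

    Matching is case-insensitive because Windows file names are.
    reason is "name+folder" when the containing folder name also holds
    one of the keywords, "name-only" otherwise (still worth a look).
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        folder = os.path.basename(dirpath).lower()
        in_keyword_folder = any(k in folder for k in FOLDER_KEYWORDS)
        for name in filenames:
            if name.lower() not in DROPPED_NAMES:
                continue
            reason = "name+folder" if in_keyword_folder else "name-only"
            hits.append((os.path.join(dirpath, name), reason))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample layout: empty placeholder files, not real samples."""
    layout = [
        ("My Shared Folder", "Winamp 5.7 new!.exe"),  # keyword folder + name
        ("music", "ICQ 2005a new!.exe"),              # keyword folder + name
        ("music", "track01.mp3"),                     # benign file
        ("Documents", "icq 2005a new!.exe"),          # name match only
        ("uploads", "report.doc"),                    # keyword folder, benign
    ]
    for folder, name in layout:
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        open(os.path.join(root, folder, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, reason in find_hazafi_copies(tmp):
            print(reason, path)
```

A hit is only a lead: the names alone do not prove infection, so any flagged file should still be checked with an up-to-date antivirus scanner.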
In addition, the worm terminates various antivirus programs and firewalls and blocks access to the system registry editor and to the task manager, leaving the computer defenseless against this threat.
Protection against the new mail worm has already been added to the Dr. Web databases (a "hot" add-on was released at 16:54, Moscow time, December 14, 2004).
Doctor Web, Ltd. strongly advises never to open suspicious messages, or letters received from unknown or barely known senders, if such letters arrive with attachments that arouse suspicion. If your computer has no antivirus program installed, you can always check a suspicious file enclosed with a message using our on-line virus check through the following web-form.