Author of Zafi-B Worm Trailed to Hungary

December 13, 2004

The author of the fourth most widespread bug on the Internet has been trailed to Hungary, but no arrests have been made at this point.

Steve Sundermeier, a vice president at Central Command, Inc., an anti-virus and anti-spam company based in Medina, Ohio, says the search for the author has led authorities to Hungary. It would seem to be a clear trail since Zafi-B now launches denial-of-service attacks on several Hungarian Web sites, including the Hungarian Parliament and the Web site of a governmental minister.

The worm also is known for its politically-based social engineering trick. Zafi-B entices people to open it up by making a call for the death penalty.

The Zafi-B worm, which was released into the wild on June 11, has moved into Central Command's fourth-place spot on its list of Most Dangerous Threats. It spreads itself by peer-to-peer filesharing systems and email using a wide variety of different languages.

The Zafi-B worm can send itself via email using a variety of languages. Its predecessor, W32/Zafi-A, displayed a message calling for Hungarian patriotism, according to analysts at Sophos, Inc., an anti-virus company based in Lynnfield, Mass. This variant focuses on the death penalty.

The Zafi-B worm displays a message box containing the following message in Hungarian: "We demand that the government accommodates the homeless, tightens up the penal code and VOTES FOR THE DEATH PENALTY to cut down the increasing crime."

"What's interesting is that this year we've had several different viruses that have had very good success spreading in Eastern Europe," says Ken Dunham, director of malicious code at iDefense, Inc., a security and anti-virus company. "It's like a country-specific outbreak."

Central Command reports that Zafi-B accounts for 5.78 percent of all viruses in the wild.