IE 11 is not supported. For an optimal experience visit our site on another browser.

Worm disguises itself as holiday greeting

A new computer worm that poses as an electronic holiday greeting card is causing some headaches for Internet users.

A new computer worm that poses as an electronic holiday greeting card is causing some headaches for Internet users.

The Zafi.D worm is "still spreading around the globe," software security company Panda Software said. 

Other antivirus firms said the worm posed a moderate risk. Symantec rated it a 3 on a scale of 1 to 5. McAfee describes the risk as "medium."

"We've received just under 300 submissions from our clients," said Brian Dunphy, director of global delivery with Symantec's security response team.  "We have seen some sustained activity, but not on the scale of Netski or other big viruses earlier this year."

The worm was originally released in April, and at the time, appeared only in the Hungarian language. This new variant, which appeared for the first time on Tuesday, has been tuned up for the holiday season. It spreads itself in an e-mail attachment that says "Happy holidays!"  And now it comes in English, Italian, Spanish, Russian, Swedish and several other languages, according to antivirus firm F-Secure.

Zafi spreads in the usual way, by scanning the infected system for e-mail addresses, and sending copies of itself to every address it finds.

The worm is most commonly found in South America, Italy, Spain, Bulgaria and Hungary, according to Panda.

European customers were hit harder -- and U.S. customers saw little impact -- because of the timing of the release, said Panda's Alan Wallace. By the time most U.S. employees arrived at work Wednesday, antivirus firms had a chance to add protection to their software packages. "It certainly affected Europe more because of the time difference," he said

Glendale, California-based Panda also said the virus has the ability to adapt to the language of the user, matching the message's language to the domain of a user's e-mail address. E-mail users with addresses that end in .es, for example, receive Spanish-language versions of the virus.

A typical message reads:
Sender: Pamela M.
Subject: Merry Christmas!
Happy HollyDays!
:) [Sender]

The worm enables attackers to gain remote control of an affected computer, but has other tricks, too. It turns off firewalls and antivirus software. In fact, it deletes such applications from the system it's attacking.

Only users duped into double-clicking on an attachment can become infected. Infected e-mails can include a variety of messages and attachment names, but some variation of the word postcard appears in the file name.

Reuters contributed to this story.