The Zafi-D worm (W32/Zafi-D), discovered earlier this week posing as a Christmas greeting, is spreading rapidly around the world.

IT security experts have reported that the virus is currently accounting for around three-quarters of all virus reports, with some estimates suggesting that the infection is present in as many as one in 10 emails.

Zafi-D, which is believed to originate from Hungary, spreads inside bogus Christmas greeting emails. The emails can use a variety of languages including English, French, Spanish and Hungarian.

Embedded inside the email is a lewd animated GIF graphic of two 'smiley' faces, which may fool some users into believing that the attached virus is a joke.

"More than one in 10 emails travelling across the internet at the moment is infected with Zafi-D," warned Graham Cluley, senior technology consultant for Sophos.

"Although antivirus protection is available, there must be many home users who have been complacent and are allowing their PCs to belch out more and more infected emails.

"Everyone should consider putting in place automatic antivirus updates, and a policy of blocking dangerous attachments at the email gateway."

Zafi-D attempts to disable antivirus and firewall protection software on infected computers. The worm also tries to open a backdoor on affected PCs, and to download further malicious code from the internet.

"The danger is that infected PCs could come under the control of remote hackers [who] could use the infected PCs to do whatever they want: destroy data, steal information or launch spam campaigns and distributed denial-of-service attacks," said Cluley.

"Computer users who are not properly protected would be completely oblivious to what was happening under their noses."

The festive virus attacks are not confined to Zafi-D, according to PandaLabs. The company has detected the appearance of variants H, I and J of the Atak worm, which also spread in messages that pass themselves off as Christmas greetings.

The newly intercepted variants of the Atak worm are very similar to each other, differing only in aspects like the size of the file attached to infected email messages. However, due to a programming error, Atak.J cannot send itself out.

The Atak mutants reach computers in email messages with the subject 'Merry X-Mas!' or 'Happy New Year!'. The message text reads: 'Happy New year and wish you good luck on next year!' or 'Mery Chrismas & Happy New Year! 2005 will be the beginning!'

The attachment is always compressed as a zip file and contains a file that could be called bat, com, pif or scr. If the user runs this file, the worms create copies of themselves in the Windows system directory under the name 'dec25.exe'.

At the same time, they use their own SMTP engine to send themselves to all the addresses they find in files with certain extensions stored on the affected computer.

"We are witnessing an attempt to saturate users' inboxes with a huge number of virus-infected Christmas greetings. We don't know if it is organised or not," said Luis Corrons, head of PandaLabs.

"This is obviously a significant threat to computers that are not properly protected, as the probability of being hit is very high, especially considering that, at this time of the year, it is not unusual to receive a large amount of emails of this kind."

Information on the above viruses, including removal tools, can be downloaded from Panda Software here, and from Sophos here.