

Sent: Friday, June 11, 1999 2:54 PM
Subject: Excite Computers & Internet Tech News ZDNet Tech News.htm

Malicious worm spreading through e-mail systems
            By Jim Kerstetter
            06/11/99 12:31:00 AM
            Virus writers have managed to combine the reproductive 
capabilities of the Melissa worm with the destructive force of the Chernobyl 

            In the process, they've created malicious code that proliferates 
over MAPI (Messaging Application Programming Interface) based e-mail such as 
Microsoft Corp.'s Exchange and wipes out hard drives. 

            Once opened, the virus, called Worm.ExploreZip, deletes files off 
hard drives. Not limited to Exchange, it will piggyback on top of any 
MAPI-compliant e-mail system. 

            Worm.ExploreZip is believed to be the first successful attempt to 
combine capabilities of both Chernobyl and Melissa, said officials with 
security specialist Network Associates Inc. in Santa Clara, Calif. It is 
being described as an Internet worm because, unlike a virus, it relies on 
other mechanisms to spread through the Internet. 

            Several thousand desktops hit 

            So far, the worm does not appear to be terribly widespread. 
Several thousand desktops have been hit in the United States, Germany and 
France, according to Network Associates officials. It is believed to have 
started in Israel. 

            In the U.S., several high-tech companies, including Microsoft, 
are believed to have been hit so far. System administrators at General 
Electric reportedly shut down the company's e-mail system in an attempt to 
isolate the worm. 

            It has not spread as quickly as Melissa because it does not 
search through a user's entire e-mail directory. 

            One user at a Seattle-based company, who asked not to be 
identified, received the worm from a correspondent at Microsoft, and it wiped 
out most of the files on his hard drive. 

            "It picks real messages to respond to, so it is more subtle than 
the Melissa virus," the user said. 

            According to officials at Symantec Corp.'s AntiVirus Research 
Center, which first received reports of the virus Sunday, the worm e-mails 
itself out as an attachment with the file name "zipped_files.exe." The body 
of the e-mail message hides within an e-mail correspondence. 

            How it works 

            When a user sends an e-mail to an infected desktop, he or she 
will receive a response that contains the virus payload. The message header 
will appear the same but the text inside will be changed. It will say: 

            "Hi (Recipient Name)!

            I received your email and I shall send you a reply ASAP.

            Till then, take a look at the attached zipped docs.


            Once the attachment is executed, a computer will likely display a 
fake error message. The worm then copies itself to the C:\WINDOWS\SYSTEM 
directory with the file-name "Explore.exe" and then modifies the WIN.INI file 
so the program is executed each time Windows is started. 

            When it is executed, the worm searches drives C: through Z: of a 
computer and selects a series of files to destroy based on file extensions 
(including .h, .c, .cpp, .asm, .doc, .xls, .ppt) by making them zero bytes 
long -- wiping out data. 

            To get rid of the worm, Symantec advises users to remove the line 
run=C:\WINDOWS\SYSTEM\Explore.exe from the WIN.INI file and delete the file 
"C:\WINDOWS\SYSTEM\EXPLORE.EXE." If the file is in use, users may need to 
reboot first. 

            Both Symantec (at www.symantec.com/avcenter/download.html) and 
Network Associates (at 
www.avertlabs.com/public/datafiles/valerts/vinfo/va10185.asp) have posted 
antivirus updates on their home pages to deal with the new worm.
Insulin Pumpers website http://www.insulin-pumpers.org/
for mail subscription assistance, contact: HELP@insulin-pumpers.org
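
The WIN.INI check behind the removal advice quoted above, as an added Python example that is not part of the original article or either vendor's tooling: it flags a startup entry whose file name is exactly Explore.exe (not the legitimate Explorer.exe) and drops only that entry. The [windows] section name, the load= key and space- or comma-separated entry lists are assumptions about WIN.INI layout that the article does not state, and the sample file is constructed.

```python
import ntpath
import re

# File name the article reports the worm installs under C:\WINDOWS\SYSTEM.
WORM_BASENAME = "explore.exe"
# Assumption: startup keys may list several programs split by spaces or commas.
STARTUP_KEYS = {"run", "load"}


def _is_worm_entry(entry):
    """True only for Explore.exe; the legitimate Explorer.exe must not match."""
    return ntpath.basename(entry.strip('"')).lower() == WORM_BASENAME


def scan_win_ini(text):
    """Return (line_number, key, entry) for each startup entry naming the worm."""
    hits, section = [], None
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
            continue
        key, sep, value = stripped.partition("=")
        key = key.strip().lower()
        if section != "windows" or not sep or key not in STARTUP_KEYS:
            continue
        for entry in re.split(r"[,\s]+", value.strip()):
            if entry and _is_worm_entry(entry):
                hits.append((number, key, entry))
    return hits


def clean_win_ini(text):
    """Return the text with worm entries dropped and other startup entries kept."""
    flagged = {number for number, _, _ in scan_win_ini(text)}
    out = []
    for number, line in enumerate(text.splitlines(), start=1):
        if number in flagged:
            key, _, value = line.partition("=")
            kept = [e for e in re.split(r"[,\s]+", value) if e and not _is_worm_entry(e)]
            line = key + "=" + " ".join(kept)
        out.append(line)
    return "\r\n".join(out) + "\r\n"


# Constructed sample WIN.INI contents (not from a real machine).
SAMPLE = ("[windows]\r\nload=\r\n"
          "run=C:\\WINDOWS\\SYSTEM\\Explore.exe C:\\TOOLS\\clock.exe\r\n"
          "[Desktop]\r\nWallpaper=C:\\WINDOWS\\Explorer.bmp\r\n")
print(scan_win_ini(SAMPLE))
```

The exact-basename comparison matters because a substring match on "explore" would also flag the Windows shell, Explorer.exe.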