[IP] VIRUS WARNING
Sent: Friday, June 11, 1999 2:54 PM
Subject: Excite Computers & Internet Tech News ZDNet Tech News.htm
Malicious worm spreading through e-mail systems
By Jim Kerstetter
06/11/99 12:31:00 AM
Virus writers have managed to combine the reproductive
capabilities of the Melissa worm with the destructive force of the Chernobyl
In the process, they've created malicious code that proliferates
over MAPI (Messaging Application Programming Interface) based e-mail such as
Microsoft Corp.'s Exchange and wipes out hard drives.
Once opened, the virus, called Worm.ExploreZip, deletes files off
hard drives. Not limited to Exchange, it will piggyback on top of any
MAPI-compliant e-mail system.
Worm.ExploreZip is believed to be the first successful attempt to
combine capabilities of both Chernobyl and Melissa, said officials with
security specialist Network Associates Inc. in Santa Clara, Calif. It is
being described as an Internet worm because, unlike a virus, it relies on
other mechanisms to spread through the Internet.
Several thousand desktops hit
So far, the worm does not appear to be terribly widespread.
Several thousand desktops have been hit in the United States, Germany and
France, according to Network Associates officials. It is believed to have
started in Israel.
In the U.S., several high-tech companies, including Microsoft,
are believed to have been hit so far. System administrators at General
Electric reportedly shut down the company's e-mail system in an attempt to
isolate the worm.
It has not spread as quickly as Melissa because it does not
search through a user's entire e-mail directory.
One user at a Seattle-based company, who asked not to be
identified, received the worm from a correspondent at Microsoft, and it wiped
out most of the files on his hard drive.
"It picks real messages to respond to, so it is more subtle than
the Melissa virus," the user said.
According to officials at Symantec Corp.'s AntiVirus Research
Center, which first received reports of the virus Sunday, the worm e-mails
itself out as an attachment with the file name "zipped_files.exe." The body
of the e-mail message hides within an e-mail correspondence.
How it works
When a user sends an e-mail to an infected desktop, he or she
will receive a response that contains the virus payload. The message header
will appear the same but the text inside will be changed. It will say:
"Hi (Recipient Name)!
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
Once the attachment is executed, a computer will likely display a
fake error message. The worm then copies itself to the C:\WINDOWS\SYSTEM
directory with the file-name "Explore.exe" and then modifies the WIN.INI file
so the program is executed each time Windows is started.
When it is executed, the worm searches drives C: through Z: of a
computer and selects a series of files to destroy based on file extensions
(including .h, .c, .cpp, .asm, .doc, .xls, .ppt) by making them zero bytes
long -- wiping out data.
To get rid of the worm, Symantec advises users to remove the line
run=C:\WINDOWS\SYSTEM\Explore.exe from the WIN.INI file and delete the file
"C:\WINDOWS\SYSTEM\EXPLORE.EXE." If the file is in use, users may need to
Both Symantec (at www.symantec.com/avcenter/download.html) and
Network Associates (at
www.avertlabs.com/public/datafiles/valerts/vinfo/va10185.asp) have posted
antivirus updates on their home pages to deal with the new worm.
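
The WIN.INI cleanup step described above, as an added example that is not part of the original article or Symantec's tooling: it strips only the worm's entry from the run= line in the [windows] section and keeps any other programs listed there. It assumes run= can hold several programs separated by spaces or commas and that paths contain no spaces; SAMPLE is constructed test input.

```python
import ntpath
import re

# Path the article gives for the worm's dropped copy.
WORM_PATH = r"C:\WINDOWS\SYSTEM\Explore.exe"
_RUN_KEY = re.compile(r"^(\s*run\s*=)(.*)$", re.IGNORECASE)

# Constructed sample: a legitimate EXPLORER.EXE entry next to the worm's entry.
SAMPLE = (
    "[windows]\r\n"
    "load=\r\n"
    "run=C:\\WINDOWS\\EXPLORER.EXE c:\\windows\\system\\EXPLORE.EXE\r\n"
    "NullPort=None\r\n"
    "[Desktop]\r\n"
    "Wallpaper=(None)\r\n"
)


def _is_worm_entry(entry):
    """True only for Explore.exe in the SYSTEM directory, never EXPLORER.EXE."""
    candidate = ntpath.normcase(ntpath.normpath(entry))
    return candidate == ntpath.normcase(WORM_PATH)


def clean_win_ini(text):
    """Return (cleaned_text, removed_entries) for the contents of a WIN.INI."""
    out, removed, section = [], [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].strip().lower()
        m = _RUN_KEY.match(line) if section == "windows" else None
        if m:
            # Assumption: entries are separated by spaces or commas.
            entries = [e for e in re.split(r"[ ,]+", m.group(2).strip()) if e]
            removed += [e for e in entries if _is_worm_entry(e)]
            keep = [e for e in entries if not _is_worm_entry(e)]
            # An empty "run=" starts nothing, same effect as removing the line.
            line = m.group(1) + " ".join(keep)
        out.append(line)
    return "\r\n".join(out) + "\r\n", removed


if __name__ == "__main__":
    cleaned, removed = clean_win_ini(SAMPLE)
    print("removed:", removed)
    print(cleaned)
```

Run it against a copy of WIN.INI first; the dropped file itself still has to be deleted separately, as the article says.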