Malicious worm spreading through e-mail

By Jim Kerstetter, PC Week Online June 10, 1999 5:03 PM ET

Virus writers have managed to combine the reproductive capabilities of the Melissa worm with the destructive force of the Chernobyl virus.

In the process, they've created malicious code that proliferates over MAPI (Messaging Application Programming Interface) based e-mail such as Microsoft Corp.'s Exchange and wipes out hard drives.

Once opened, the virus, called Worm.ExploreZip, deletes files off hard drives. Not limited to Exchange, it will piggyback on top of any MAPI-compliant e-mail system.

Worm.ExploreZip is believed to be the first successful attempt to combine capabilities of both Chernobyl and Melissa, said officials with security specialist Network Associates Inc. in Santa Clara, Calif. It is being described as an Internet worm because, unlike a virus, it relies on other mechanisms to spread through the Internet.

Spreading quickly

The worm has been reportedly spreading its destructive force quickly, experts said. Computers in the U.S., Germany, France, Norway, Israel and the Czech Republic were invaded, said Finnish computer security firm Data Fellows Corp.

Network Associates gave Worm.ExploreZip a "high risk" classification because the number of incidents doubled overnight and it has already shown up on thousands of computers. The company said it believes the worm originated in Israel.

In the U.S., several high-tech companies, including Microsoft, are believed to have been hit so far. System administrators at General Electric reportedly shut down the company's e-mail system in an attempt to isolate the worm. Other companies reported to have been hit big include Boeing, Intel Corp. and Compaq Computer Corp.

It has not spread as quickly as Melissa because it does not search through a user's entire e-mail directory.

One user at a Seattle-based company, who asked not to be identified, received the worm from a correspondent at Microsoft, and it wiped out most of the files on his hard drive.

"It picks real messages to respond to, so it is more subtle than the Melissa virus," the user said.

According to officials at Symantec Corp.'s AntiVirus Research Center, which first received reports of the virus Sunday, the worm e-mails itself out as an attachment with the file name "zipped_files.exe." The body of the e-mail message hides within an e-mail correspondence.

How it works

When a user sends an e-mail to an infected desktop, he or she will receive a response that contains the virus payload. The message header will appear the same but the text inside will be changed. It will say:

"Hi (Recipient Name)!

I received your email and I shall send you a reply ASAP.

Till then, take a look at the attached zipped docs.

Bye"

Once the attachment is executed, a computer will likely display a fake error message. The worm then copies itself to the C:\WINDOWS\SYSTEM directory with the file-name "Explore.exe" and then modifies the WIN.INI file so the program is executed each time Windows is started.

When it is executed, the worm searches drives C: through Z: of a computer and selects a series of files to destroy based on file extensions (including .h, .c, .cpp, .asm, .doc, .xls, .ppt) by making them zero bytes long -- wiping out data.

To get rid of the worm, Symantec advises users to remove the line run=C:\WINDOWS\SYSTEM\Explore.exe from the WIN.INI file and delete the file "C:\WINDOWS\SYSTEM\EXPLORE.EXE." If the file is in use, users may need to reboot first.
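The removal steps above amount to two checks an administrator can script: is there a `run=` entry in the `[windows]` section of WIN.INI that launches Explore.exe, and which files with the targeted extensions have been truncated to zero bytes? The following Python triage script is an added illustration, not code from the article or from Symantec; the function names are hypothetical, and the WIN.INI text and directory contents are constructed samples.

```python
import configparser
import ntpath
import os
import tempfile

# Indicators quoted in the article: the worm persists through a run= line in
# WIN.INI that launches Explore.exe, and it zeroes files with these extensions.
WORM_EXE = "explore.exe"
TARGET_EXTS = {".h", ".c", ".cpp", ".asm", ".doc", ".xls", ".ppt"}

def find_run_entries(win_ini_text):
    """Return the programs named on the run= line of [windows], lowercased.
    WIN.INI is INI syntax; interpolation is off because values may contain '%'."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.read_string(win_ini_text)
    section = next((s for s in parser.sections() if s.lower() == "windows"), None)
    if section is None or not parser.has_option(section, "run"):
        return []
    value = parser.get(section, "run") or ""
    return [p.strip().lower() for p in value.split(",") if p.strip()]

def persistence_indicator(win_ini_text):
    """True if any run= entry ends in the file name the worm copies itself to."""
    return any(ntpath.basename(p) == WORM_EXE for p in find_run_entries(win_ini_text))

def zeroed_targets(root):
    """List files under root with a targeted extension that are now 0 bytes.
    These are the worm's damage signature: the content is gone, restore from backup."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in TARGET_EXTS and os.path.getsize(path) == 0:
                hits.append(path)
    return sorted(hits)

# Constructed WIN.INI sample containing the line the article says to remove.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\Explore.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

def demo():
    """Constructed directory: one zeroed .doc, one intact .c, one untargeted .txt."""
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, "report.doc"), "w").close()          # 0 bytes
        with open(os.path.join(tmp, "main.c"), "w") as f:
            f.write("int main(void) { return 0; }")
        with open(os.path.join(tmp, "notes.txt"), "w") as f:
            f.write("intact")
        return persistence_indicator(SAMPLE_WIN_INI), [os.path.basename(p) for p in zeroed_targets(tmp)]
```

On a real machine, `zeroed_targets` would be run against each drive letter the user could write to, including network shares, since the article notes the worm reaches any drive with read/write access.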

Both Symantec (at www.symantec.com/avcenter/download.html) and Network Associates (at www.avertlabs.com/public/datafiles/valerts/vinfo/va10185.asp) have posted antivirus updates on their home pages to deal with the new worm.

One firm forced to change policy

A small consulting firm in Canada was hit Thursday when one of its employees sent an e-mail to a member of a PeopleSoft user group list. The employee received the automatic response with the virus in it; thinking this was information related to the list from a trusted source, he opened it.

The company's systems administrator said the individual realized he'd been hit when Word crashed and kept trying to convert his document to other formats. The employee's system sent out two infected e-mails before he realized he was propagating the worm.

The administrator said it was a particularly nasty virus because it affected any drives the user had read/write access to, including a shared directory on the network that other employees also used to back up their files. The company backs this system up and clears it out once a week, so the administrator is able to recover data, but he plans to spend all day Friday doing so. He said the extent of the damage wasn't too bad because only one person was hit.

"If it had reached all of our users, we would have been down for at least a month," he said.

Moving forward, the administrator said the company plans to change its e-mail attachment policy to accept only .zip files. No one will be allowed to accept any other attached files from any source, he said.

The view from a protection service

Allegro Inc., which offers an outsourced e-mail protection service called MailZone, stopped the virus from reaching 11 different companies in one hour Thursday afternoon after it was alerted to the virus by its antivirus engine provider, Sophos of the UK.

MailZone works in part by using the MIMESweeper product from Content Technologies to filter e-mails based on the subject line, attachment names and attachment content.

MailZone can be configured to stop all e-mails that contain any attachments, prohibited material like pornography or known viruses. Part of the service includes an automatic response to senders of e-mails with viruses or worms, alerting domain administrators that mail sent from their site was infected.

"It's kind of like a public service message," said Allegro spokesman Richard Bliss in Dayton, Ohio.

"The same companies that were hit by Melissa are getting infected. They didn't take any steps to stop this kind of attachment-based virus from getting through," said Bliss. "Here it is months later and they still are vulnerable."

Additional reporting by Christa Degnan