Destructive "worm" virus spreads
- — 11 June, 1999 21:49
If you thought Melissa was nasty, hang on to your hard drive because there's a bigger, badder virus in town.
Worm.ExploreZip, a Trojan horse virus discovered in Israel and reported to Symantec's AntiVirus Research Centre (SARC) on June 6, dupes Microsoft Outlook and Exchange users by automatically answering incoming e-mail. It sends a response with your name and the same subject header.
Unlike Melissa, however, Worm.ExploreZip attaches destructive files.
"From the day Melissa hit, we've seen a tremendous up-tick in the virus-writing underground and hacker community of people trying to take the effectiveness of Melissa and attach a destructive payload to it. This virus appears to have succeeded," says Wes Wasson, director of product marketing for Network Associates. The company's McAfee division updated its detection software to recognise the virus earlier this week, but raised the risk-assessment profile to high yesterday.
An e-mail message infected by Worm.ExploreZip contains an attachment called zipped_files.exe. The body of the message reads: "Hi [recipient's name]! I received your e-mail and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. Bye."
If the recipient opens the attached file, the virus replicates itself, takes control of the recipient's mail client, scans the address book to propagate itself, and responds to every e-mail message the PC receives.
Furthermore, the Worm.ExploreZip virus can destroy any file with a .h, .c, .cpp, .asm, .doc, .ppt, or .xls extension on your hard drive or mapped drives, according to a virus alert posted on Symantec's Web site. It destroys files on the C through Z drives by truncating them to 0 bytes.
Defend yourself
Windows 95 and 98 users take note: you can eradicate the Worm.ExploreZip virus by deleting the line run=C:\WINDOWS\SYSTEM\Explore.exe from the WIN.INI file. Then remove the file C:\WINDOWS\SYSTEM\EXPLORE.EXE and restart Windows.
The best defense, however, is to avoid infection. If you receive an innocuous e-mail from a friend or colleague with the zipped_files.exe attachment, just delete the message and then empty your Deleted Items file.
Norton AntiVirus customers can download Symantec's latest set of virus definitions, which includes a vaccination for the Worm.ExploreZip virus.
Network Associates' McAfee division has updated its online VirusScan data files for the new Trojan Horse. "Consumers at large can go to McAfee Clinic, plug in, and we will scan their system over the Internet," Wasson says.
Also developing a fix are Panda Software, developer of Panda Antivirus Platinum, and Trend Micro, which markets the InterScan VirusWall. Both companies have posted detection information on their Web sites and are developing disinfection routines.
