From: "Jerri (Rogers) Chasteen" <jerri(a)cherokee.net>
Date: Fri, 11 Jun 1999 23:57:34 -0500
To: Indian-Territory-Roots-L(a)rootsweb.com
Subject: "Official Announcement"
Message-ID: <3761E8BD.2D60E3A0(a)cherokee.net>
This is an official announcement from the U.S. Department of Energy
concerning the new virus. It's rather long, but I feel that the information
is critical.
~~~~~~~~~~~~~~~~~~~~~
From: CIAC Mail User <ciac(a)rumpole.llnl.gov>
Sent: 8:25 PM
Subject: CIAC Bulletin J-047: The ExploreZip Worm
To: ciac-bulletin(a)rumpole.llnl.gov
[ For Public Release ]
__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________
INFORMATION BULLETIN
The ExploreZip Worm
June 11, 1999 23:00 GMT                                        Number J-047
______________________________________________________________________________
PROBLEM:       A new worm program named zipped_files.exe spreads itself as
               an attachment to e-mail messages and destroys document files.
PLATFORM:      Windows 95, Windows 98, and Windows NT. Outlook or Exchange
               are needed to spread.
DAMAGE:        The worm sends copies of itself to everyone in your inbox and
               destroys files with the extensions: .h, .c, .cpp, .asm, .doc,
               .xls, and .ppt.
SOLUTION:      Do not automatically run an attached file named
               zipped_files.exe even if it appears to have come from a
               friend. Update your antivirus software to detect this worm.
______________________________________________________________________________
VULNERABILITY  Severe Risk: While this worm does not appear to be spreading
ASSESSMENT:    as rapidly as the Melissa virus, the payload can do severe
               damage to an organization by deleting all Microsoft Office
               documents and computer program source files.
______________________________________________________________________________
The ExploreZip Worm

Introduction
============

CIAC has received reports of the spread of a new worm program called
ExploreZip (alias: W32/ExploreZip.worm, Worm.ExploreZip). The worm spreads
in a manner similar to the W97M.Melissa virus. The worm arrives as an
attachment to an e-mail message. When a user double clicks on that
attachment, the worm program runs and spreads itself by sending replies to
all the mail in your inbox with the worm program as an attachment. Different
from the Melissa macro virus, this is a worm program in that it does not
infect other programs or documents. It is also executable code instead of a
macro program, so the macro detection capability in Microsoft Word will not
protect you from this worm. The worm has a payload that destroys Microsoft
Office documents and program source code files.

As this is object code (binary) it only runs on INTEL platforms running
Windows 95, Windows 98, and Windows NT. It cannot run on Macintosh or other
hardware types and cannot run on earlier versions of Windows or on DOS. In
order to spread using e-mail, the worm needs Outlook or Microsoft Exchange.
However, the payload will run and destroy files even if the program cannot
spread itself via e-mail.
Worm Operation
==============

The worm is an executable program named "Zipped_files.exe" that appears to
be a self extracting ZIP archive. It arrives as an attachment to an e-mail
message with the following content:

    Hi <recipient>!
    I received your email and I shall send you a reply ASAP.
    Til then, take a look at the attached zipped docs.
    bye

The message appears to be a reply to one of your messages. The subject of
the mail message is variable and appears to be a reply to a message from
you.

When a user double clicks on the attached worm program, it puts up the
following dialog box that makes the file appear to be a damaged zip archive.

    .------------------------------------------------------------------.
    | Error                                                          X |
    |------------------------------------------------------------------|
    |  X  Cannot open file: it does not appear to be a valid archive.  |
    |     If this file is part of a ZIP format backup set, insert      |
    |     the last disk of the backup set and try again. Please        |
    |     press F1 for help.                                           |
    |                            [   OK   ]                            |
    '------------------------------------------------------------------'

Pressing F1 does nothing and clicking OK simply closes the dialog box. If
WinZip is installed on the system, it will open with the empty zip file:
Zipped_files.zip, again making it appear to be a damaged zip archive.

As the worm continues executing, it searches the inbox of your mail program
and sends a reply to every message it finds there, adding the message listed
above and attaching the worm program file.

When it has finished sending mail, it stores a copy of itself on your system
and sets that copy to be executed at system startup time. On Windows 95 and
Windows 98 systems, it stores a copy of itself in:

    c:\windows\system\explore.exe

and places the following line in the win.ini file to restart the worm every
time you run Windows.

    run=C:\WINDOWS\System\Explore.exe

If your active Windows directory is not C:\WINDOWS, replace C:\WINDOWS in
the command and file location above with the path to your active Windows
directory.

On Windows NT systems, it stores copies of itself in:

    c:\winnt\system32\explore.exe
    c:\winnt\_setup.exe

If your active Windows NT directory is not c:\winnt, replace c:\winnt in the
file locations above with the path to your active Windows NT directory.

The worm then changes the value of the following registry key to
"_setup.exe", which runs the _setup.exe program at startup.

    HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Windows\run

After installing itself, the worm runs its payload. The payload searches your
lettered hard disk drives (C: through Z:) for programming source code files
with the extensions:

    .h .c .cpp .asm

(C header files, C programs, C++ programs, and assembly language programs)
and Microsoft Office documents with the extensions:

    .doc .xls .ppt

(Word documents, Excel documents, and PowerPoint documents) and changes them
to a zero length file, making them nearly impossible to recover. You might
be able to recover parts of a file using a disk editor, but that would be a
difficult and time consuming process.
Detecting An Infection
======================

Infections with ExploreZip are easy to detect. Press Ctrl-Alt-Del and open
the Task Manager as shown here. On Windows NT, press Ctrl-Alt-Del, click the
Task Manager button, and then choose the Processes tab. The dialog box shown
by Windows NT is slightly different from that shown here but has the same
function.

    .-----------------------------------------------------------.
    | Close Program                                         ? X |
    |-----------------------------------------------------------|
    |  .-----------------------------------------------------.  |
    |  | Exploring-temp                                      |  |
    |  | Explorer                                            |  |
    |  | Zipped_file                                         |  |
    |  | Osa                                                 |  |
    |  | Systray                                             |  |
    |  | Navapw32                                            |  |
    |  | Winzip32                                            |  |
    |  '-----------------------------------------------------'  |
    |  WARNING: Pressing CTRL-ALT-DEL again will restart your   |
    |  computer. You will lose unsaved information in all       |
    |  programs that are running.                               |
    |                                                           |
    |   [ End Task ]      [ Shut Down ]      [ Cancel ]         |
    '-----------------------------------------------------------'
Note the task named Zipped_file (Zipped_files.ex on Windows NT). This is the
running worm program. To stop it, select Zipped_file (or Zipped_files.ex)
and click End Task. If you have restarted your system since the infection,
you will see the process Explore (_setup.exe on Windows NT) instead of
Zipped_file. Again, to stop that process, select it and click End Task. Do
not confuse the task Explore with the task Explorer as they are different.
The Explorer task is the Windows explorer program.

Removing An Infection
=====================

The easiest way to eliminate the worm from your system is to use an updated
antivirus package. However, to do it by hand, perform these steps:

1. Press Ctrl-Alt-Del to open the task manager.
2. Select the Zipped_file or Explore (Zipped_files.ex or _setup.exe for
   Windows NT) process (whichever is running) and click End Task.
3. Delete all copies of zipped_file.exe from your system. These will be in
   the download or attachments directory of your mail program.
4. Delete the file c:\windows\system\explore.exe or, for Windows NT, delete
   c:\winnt\system32\explore.exe and c:\winnt\_setup.exe.
5. Edit c:\windows\win.ini and remove the line

       run=c:\windows\system\explore.exe

   Or in Windows NT, run Regedit.exe and delete the value of the key:

       HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Windows\run
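The detection and removal steps above come down to a few indicators that an administrator can check on every machine: the win.ini run= line, the per-user registry run value, and document or source files truncated to zero length. As an added example (not code from the CIAC bulletin), the following Python script checks a win.ini text and a startup value for those indicators and lists zeroed files under a directory; the sample win.ini and file tree it builds are constructed, and the function names are assumptions of this example.

```python
import os
import tempfile

# Added example for CIAC J-047, not the bulletin's own code; sample data is constructed.
# Extensions the bulletin says the payload truncates to zero bytes.
TARGET_EXTENSIONS = {".h", ".c", ".cpp", ".asm", ".doc", ".xls", ".ppt"}
# Startup binaries the bulletin reports (compared case-insensitively).
WORM_BINARIES = {"explore.exe", "_setup.exe", "zipped_files.exe"}

def win_ini_run_value(ini_text):
    """Return the run= value from win.ini's [windows] section, or None."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "run":
                return value.strip()
    return None

def startup_entry_is_suspicious(value):
    """True if a win.ini run= value or registry run value names a worm file."""
    if not value:
        return False
    name = os.path.basename(value.strip().strip('"').replace("\\", "/"))
    return name.lower() in WORM_BINARIES

def zeroed_files(root):
    """Zero-length files under root with a targeted extension: payload damage."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in TARGET_EXTENSIONS and os.path.getsize(path) == 0:
                hits.append(path)
    return sorted(hits)

def demo():
    """Run the checks on a constructed win.ini and a constructed file tree."""
    ini = "[windows]\nload=\nrun=C:\\WINDOWS\\System\\Explore.exe\n[fonts]\n"
    with tempfile.TemporaryDirectory() as tmp:
        for name, size in [("report.doc", 0), ("main.c", 0), ("notes.txt", 0), ("ok.xls", 5)]:
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(b"x" * size)
        damaged = [os.path.basename(p) for p in zeroed_files(tmp)]
    run_value = win_ini_run_value(ini)
    return run_value, startup_entry_is_suspicious(run_value), damaged
```

On a real system, point zeroed_files at each lettered drive and feed win_ini_run_value the contents of the active Windows directory's win.ini; a non-empty result is a triage lead, not proof of this particular worm.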
Protection
==========

Most antivirus vendors already have detection and removal capabilities
available for this worm and we expect the others to have them soon. Of the
vendors that have a solution available, you may need to download it from
their web pages and not depend on the automatic update features of the
product. We expect the automatic update features to have this worm
definition soon.

The following vendors have solutions now:

    Symantec (NAV)
    http://www.symantec.com/avcenter/venc/data/worm.explore.zip.html

    Network Associates (McAfee)
    http://vil.mcafee.com/vil/vpe10183.asp

    DataFellows (F-PROT)
    http://www.datafellows.com/v-descs/zipped.htm

    Trend
    http://www.antivirus.com/vinfo/alerts.htm

All users are cautioned to think before double clicking on a file included
as an attachment to any e-mail message, even if that message appears to come
from a friend. If that attachment is a Microsoft Office document and you
have macro detection turned on, then you can double click the attachment and
the macro detection capability will stop the document from loading if it
contains a macro program. It will then give you the choice to enable or
disable the macros. Remember, disable macros unless you are expecting to
receive them.

If the attachment is an executable program, scan it with your antivirus
utility before running it. If it passes the antivirus scan, you might still
want to reconsider running it if it comes from someone you do not know or is
an unexpected delivery from someone you do know. Call the person up on the
phone (don't send them e-mail) and ask him if he sent you an executable
before running the file. If you send him an e-mail and he is infected with
this worm, you will likely receive a reply (from the worm) saying "take a
look at the attached zipped docs".

If the file is a self extracting archive, open it with the archive program
(for example, WinZip) instead of running the archive itself. You can still
get the files out of the archive but without running the executable part
(the self extractor) of the archive file.
______________________________________________________________________________
Thanks to Symantec and Network Associates for their early warning and
analysis of this worm.
______________________________________________________________________________
For additional information or assistance, please contact CIAC:

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the