
Another Virus/Worm Warning!



Here is a warning posted to the PhyShare list yesterday by Ian Ellis
(following my sig). I received a similar warning this morning from my
local network administrator.

Pay attention! W32/ExploreZip is potentially a nasty little SOB.

W32/ExploreZip will come to you in the form of an e-mail attachment,
probably named ZIPPED_FILES.EXE, which SHOULD NOT BE OPENED!!!!! It will
be accompanied by a message tempting you to open the attachment. If you
fall for it and open the attachment, it will erase the contents of many of
the files on your hard drive.

Larry

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Larry Cartwright
Physics, Physical Science, Internet Teacher
Charlotte High School, 378 State Street, Charlotte MI 48813
<physics@scnc.cps.k12.mi.us> or <science@scnc.cps.k12.mi.us>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Thu, 10 Jun 1999 18:23:08 -0400
From: Ian Ellis <ian@iglou.com>
To: PHYSHARE@LISTS.PSU.EDU
Subject: Another ugly e-mail worm

Virus alert update just arrived marked urgent. See McAfee site:

<http://www.avertlabs.com/public/datafiles/valerts/vinfo/va10185.asp>

W32/ExploreZip.worm

Virus Characteristics:
This is a 32-bit worm that travels by sending email messages to users. It
drops the file explore.exe and modifies either WIN.INI (Win9x) or the
registry (WinNT).

Virus Information:
This worm attempts to invoke MAPI-aware email applications such as MS
Outlook, MS Outlook Express or MS Exchange. This worm replies to messages
received with an email message with the following body:

"I received your email and I shall send you a reply ASAP.
"Till then, take a look at the attached zipped docs."

The subject line is not constant as the message is a reply. The worm (named
"zipped_files.exe") is attached, with a file size of 210,432 bytes. The file
has a Winzip icon which is designed to fool unsuspecting users into running
it as a self-extracting file. Users who run this attachment will be presented
with a fake error message that says:

"Cannot open file: it does not appear to be a valid archive. If this file
is part of a ZIP format backup set, insert the last disk of the backup set
and try again. Please press F1 for help."

The Worm has a payload; immediately after execution it will search all
mapped drives for the following file types, and when it finds them, it
will erase their contents and the file will be zero bytes:
.c .cpp .h .asm .doc .xls .ppt

Discovery/Added Date: June 9, 1999
DAT Included: 4030
Type: Worm
Risk Assessment: High
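
The mail-borne indicators listed in the advisory above (attachment name, attachment size, reply body text), turned into a mail-filter check. This is an added example, not part of the original message or of the McAfee advisory; the function names, sample addresses and sample subject are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators quoted in the advisory above.
ATTACHMENT_NAME = "zipped_files.exe"      # matched case-insensitively
ATTACHMENT_SIZE = 210_432                 # bytes
BODY_PHRASES = (
    "i received your email and i shall send you a reply asap",
    "take a look at the attached zipped docs",
)

def explorezip_indicators(raw: bytes) -> list[str]:
    """Return which advisory indicators a raw RFC 822 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        if name == ATTACHMENT_NAME:
            hits.append("attachment-name")
            # Size of the decoded attachment, not of its base64 transfer form.
            if len(part.get_payload(decode=True) or b"") == ATTACHMENT_SIZE:
                hits.append("attachment-size")
        elif not name and part.get_content_type() == "text/plain":
            # Collapse whitespace so line wrapping does not hide the phrase.
            text = " ".join(part.get_content().lower().split())
            if any(p in text for p in BODY_PHRASES):
                hits.append("body-phrase")
    return hits

def build_sample(body: str, filename: str, size: int) -> bytes:
    """Constructed test message; the attachment is inert zero bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "Re: lab schedule"     # subject varies, so it is not matched
    m.set_content(body)
    m.add_attachment(b"\x00" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    lure = ("I received your email and I shall send you a reply ASAP.\n"
            "Till then, take a look at the attached zipped docs.")
    print(explorezip_indicators(build_sample(lure, "ZIPPED_FILES.EXE", 210_432)))
    print(explorezip_indicators(build_sample("Minutes attached.", "minutes.doc", 512)))
```

The attachment name alone is enough to quarantine; the size and body phrase raise confidence but would miss a variant that changes either.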