ExploreZip version defies antivirus security

ExploreZip, the worm that devastated systems in June, is now back in a compressed version that is slipping through antivirus security systems. The worm has infected several major companies in the US, with Europe and Asia also being hit.

The virus has also infected several Australian companies. It hit Sabela Media and ninemsn in the middle of last week, with both businesses reporting minimal damage. Many other companies, including KPMG, are also believed to have been infected.

Gour Lentell, executive chairman at Sabela, said ExploreZip had corrupted "some files" on the file server. "We're recovering that from the tape backup now."

Lentell said Sabela had received 10 more versions of the transmitting e-mail since the original infection.

Antivirus vendor Network Associates has logged more than 100 calls about the virus in the last 48 hours, according to sales support director Dean Stockwell.

Stockwell called ExploreZip "the next Melissa", because of the rapid way it spreads. "It's a good thing Melissa caught everyone off-guard, because this time the damage has pretty much been minimal," Stockwell said.

Dubbed MiniZip by some security vendors - a reference to how the worm has been compressed - the latest outbreak uses exactly the same technology as ExploreZip, the only difference being that it has been compressed in a format that masks it from security systems that scan incoming messages for attacks. While many antivirus applications now scan compressed files (and all scan for ExploreZip), the creator of MiniZip used a lesser-known shareware compression system called Neolite to render it invisible to antivirus security systems: a scanner that matches signatures against the unpacked worm finds nothing in the packed file unless it can unpack that particular format first.

"[ExploreZip] hasn't been altered at all. All someone did was store it in a very unusual compression format, called Neolite," said Dan Schrader, vice president of new technology at Trend Micro in California. "We already scan for compressed files, but they chose one that we don't [scan for] so far."

Security firms Symantec, Network Associates, Trend Micro and others received numerous copies of the compressed worm from several infected Fortune 500 companies last Tuesday. Symantec received an initial example the week before, but it was not until Tuesday that it became evident how serious the situation was.

Network Associates' AVERT (Anti-Virus Emergency Response Team) unit has already assigned the virus a "high" risk assessment.

"We had one submission last week, and at the time it wasn't spreading that much," said Vincent Weafer, director of the Symantec Antivirus Research Center in California. "Based on customer submissions since then, it's spreading rapidly."

Following the original course of ExploreZip in June, it is expected that Asia will see infections rise this week, and Europe soon after, according to security vendors.

"We've had 10 companies hit in the last four hours," said Sal Viveros, group marketing manager for Total Virus Defense for Network Associates. "We're hearing from other people that some other big companies are being hit. If [MiniZip follows the same pattern as] ExploreZip, we'll see it in Asia fairly soon."

Other than the compressed file format and the slightly different name of ExploreZip.worm.pak, the virus operates in the same way as before, infecting a machine, deleting files, and automatically sending infected responses to other users. It, too, affects systems running Microsoft Outlook, Outlook Express, and Exchange.

Both versions send an automatic message with the text: "I received your e-mail and I will send you a reply ASAP. Till then, take a look at the attached zipped docs."

However, the attachment actually contains an executable file that infects the system, rather than documents.
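Because the packed binary defeats signature matching, a gateway can still catch the worm on the delivery side: the auto-reply text quoted above combined with an executable attachment (bare or inside a ZIP). The check below is an added example, not code from the article or from any vendor mentioned in it; the message samples are constructed here, and the attachment filenames in them are placeholders.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Auto-reply text the article quotes; both ExploreZip and MiniZip send it.
LURE_TEXT = "i received your e-mail and i will send you a reply asap"
EXEC_EXTS = (".exe", ".com", ".scr", ".pif")


def _executables_in(part) -> list:
    """Executable filenames carried by one attachment part, looking inside
    ZIP containers too, since the lure promises 'zipped docs'."""
    name = (part.get_filename() or "").lower()
    data = part.get_payload(decode=True) or b""
    if name.endswith(EXEC_EXTS):
        return [name]
    if data[:2] == b"PK":  # ZIP local-file-header magic
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTS)]
        except zipfile.BadZipFile:
            return []
    return []


def is_explorezip_lure(raw: bytes) -> bool:
    """True when the body carries the worm's auto-reply text AND the message
    carries an executable attachment; either alone is not enough to flag."""
    msg = email.message_from_bytes(raw, policy=default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (body.get_content() if body else "").lower()
    if LURE_TEXT not in text:
        return False
    return any(_executables_in(p) for p in msg.iter_attachments())


def build_sample(with_lure: bool, attach_exe: bool) -> bytes:
    """Construct a sample message (not a real capture) for exercising the check."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"  # placeholder addresses
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Re: your mail"
    msg.set_content("I received your e-mail and I will send you a reply ASAP.\n"
                    "Till then, take a look at the attached zipped docs."
                    if with_lure else "Minutes from Tuesday attached.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # placeholder names, not the real worm's
        zf.writestr("zipped_docs.exe" if attach_exe else "minutes.txt", b"placeholder")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    return msg.as_bytes()
```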
