New ExploreZip version defies antivirus systems

ExploreZip, the worm that devastated systems in June, is now back in a compressed version that is slipping through antivirus security systems.

The worm has infected several major companies in the US, with Europe, Asia and Australia also under threat.

Dubbed MiniZip by some security vendors -- a reference to how the worm has been compressed -- the latest outbreak uses exactly the same technology as ExploreZip, the only difference being that it has been compressed in a format that masks it from security systems which scan incoming messages for attacks.

While many antivirus applications now scan compressed files (and all scan for ExploreZip) the creator of MiniZip utilised a lesser-known shareware compression system called Neolite to render it invisible to antivirus security systems.

"[ExploreZip] hasn't been altered at all: all someone did was store it in a very unusual compression format, called Neolite," said Dan Schrader, vice president of new technology at Trend Micro in California. "We already scan for compressed files, but they chose one that we don't [scan for] so far."

Security firms Symantec, Network Associates, Trend Micro, and others received numerous copies of the compressed worm from several infected Fortune 500 companies last week. Symantec received an initial example, but it was not until Tuesday that it became evident how serious the situation was.

Network Associates' AVERT (Anti-Virus Emergency Response Team) unit has already assigned the virus a "high" risk assessment, with outbreaks apparently recorded in Australia, although no further information was available at ARN's deadline.

"We had one submission last week, and at the time it wasn't spreading that much," said Vincent Weafer, director of the Symantec Antivirus Research Center in California. "But based on the latest customer submissions, it's spreading rapidly."

"We've had 10 companies hit in the last four hours," said Sal Viveros, group marketing manager for Total Virus Defense for Network Associates. "We're hearing from other people that some other big companies are being hit. If [MiniZip follows the same pattern as] ExploreZip, we'll see it in Asia fairly soon."

Other than the compressed file format and the slightly different name of ExploreZip.worm.pak, the virus operates in the same way as before, infecting a machine, deleting files, and automatically sending infected responses to other users. It, too, affects systems running Microsoft Outlook, Outlook Express, and Exchange.

Both versions send an automatic message with the text: "I received your email and I will send you a reply ASAP. Till then, take a look at the attached zipped docs." However, the attachment actually contains an executable file that infects the system, rather than documents.
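As an added illustration (not code from the article or from any vendor named in it), the packing trick described above and the fixed lure text can be shown in Python: a byte-signature scanner misses the same payload once it is compressed, a scanner that unpacks the format first catches it, an entropy measure flags an unknown packer for deeper inspection, and a mail-gateway check matches the auto-reply text. zlib stands in for Neolite, and the signature, filler and sample messages are constructed.

```python
import math
import random
import zlib
from collections import Counter

# Constructed stand-in for a known-malware byte signature; it is not the real
# ExploreZip pattern. The lure sentence is the one quoted in the article.
SIGNATURE = b"CONSTRUCTED-WORM-SIGNATURE"
LURE_TEXT = b"take a look at the attached zipped docs"


def build_plain_sample() -> bytes:
    """Constructed 'executable': low-entropy filler with the signature inside."""
    rng = random.Random(7)
    words = [b"alpha", b"bravo", b"charlie", b"delta", b"echo", b"foxtrot",
             b"golf", b"hotel", b"india", b"juliet", b"kilo", b"lima"]
    filler = b" ".join(rng.choice(words) for _ in range(20000))
    return filler[:50000] + SIGNATURE + filler[50000:]

def pack(data: bytes) -> bytes:
    """zlib stands in for the Neolite packer the article names (assumption)."""
    return zlib.compress(data, 9)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4, packed data close to 8."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def signature_scan(data: bytes) -> bool:
    """Naive scanner: matches raw bytes only, so a packed copy slips through."""
    return SIGNATURE in data

def unpacking_scan(data: bytes) -> bool:
    """Scanner taught the format: unpack first, then match (the DAT-style fix)."""
    if signature_scan(data):
        return True
    try:
        return signature_scan(zlib.decompress(data))
    except zlib.error:
        return False

def lure_flag(message_body: bytes) -> bool:
    """Mail-gateway check on the fixed auto-reply text both versions send."""
    return LURE_TEXT in message_body
```

Files whose entropy is close to 8 bits per byte but match no known packer are the ones worth sending to a sandbox or to the vendor, which is how the Neolite variant was eventually caught.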

Users need to update their security application DAT files to protect their systems against this MiniZip version of ExploreZip, according to Trend Micro's Schrader, who added that users' recent experience with ExploreZip may actually stem the speed with which MiniZip spreads.

"There is nothing subtle about this virus -- antivirus products can detect this [but] you just have to have the [DAT file] update," said Schrader. "People are far more aggressively updating their pattern files, so that may stem the tide of this."

Nevertheless, with damage from the original version of the worm estimated in the hundreds of millions, and with the ease of the worm's spread, it's not to be taken lightly, Schrader added.

"The first time around this virus caused more damage than all non-virus security attacks combined," Schrader said. "We don't know how much damage it's going to do this time."

