Explorer worm hits thousands
- 15 June, 1999 13:05
The fast-spreading W32/ExplorerZip.worm, which propagates via e-mail and destroys files on a PC's hard drive, has infected tens of thousands of users of Microsoft Outlook and Exchange software worldwide, causing some to shut down their e-mail systems, security experts said.
The FBI said it is investigating the incident. "As was the case with Melissa, the transmission of the virus can be a criminal matter and the FBI is investigating," Michael Vatis, director of the US National Infrastructure Protection Center, said in a statement last week.
The company intercom at AT&T's US headquarters alerted employees at lunchtime that the worm was spreading and advised infected users to immediately shut down their PCs.
Of the 3,000 workers at the site, approximately 200 were affected, said spokesman John Heath. Heath said he didn't hear the warning in time and inadvertently opened the attached file that contained the worm. "In most cases, I'm pretty suspicious, but this is tricky because you see a message from someone you know, and I fell for it," Heath said.
AT&T's information technology department distributed updated McAfee antivirus software within 90 minutes to block the worm, he said. But Heath said infected workers lost Microsoft Word, Excel and PowerPoint files.
"A word to the wise: No matter who the sender is, take a second to look at the message you get and make sure it's not a threat to your system," Heath advised.
Some companies, such as General Electric, received warnings earlier in the week that helped minimise the damage. GE public relations manager Pam Wickham said e-mail servers at the company's headquarters were shut down for a few hours. But they were back up by midafternoon, after the company installed an update of Symantec's antivirus software, she said.
Wickham said the Symantec site had posted a warning on June 6 and that GE information technology managers were keeping an eye out for it. She said she was unsure how many GE workers were hit.
"We had a good look at it early, saw what it was able to do and contained the damage," she said. "We did have some minor data loss, but nothing on the scale of what's been going on around the country," Wickham said.
Network Associates said 60 per cent of its enterprise customers in the U.S., France and Germany have reported infections that deleted large amounts of data. Other users affected have been reported in Hong Kong, Israel, Japan, Taiwan, the U.K., Norway, South Africa and parts of Latin America.
"Our researchers have watched numerous attempts by virus writers to combine the rapid spread of viruses like Melissa with bad payloads like the Chernobyl virus, and this is the first example," said Wes Wasson, director of security product marketing at Network Associates.
Unlike the Melissa virus, which e-mailed itself to the entries in a user's address book, this worm automatically replies to legitimate inbound e-mail, attaching a copy of itself. Users are infected when they open an attachment that appears to be a reply from someone to whom they sent mail. The reply carries the same subject line as the original message, which makes it more likely that the victim will open the attachment.
When a user runs the attached file, the worm drops a copy of itself as explore.exe and modifies the Windows initialisation file WIN.INI (not the registry) so that the copy is started automatically. The payload then searches the local hard drive for a variety of file types and overwrites each matching file with an empty one. Because the file is truncated rather than deleted, its directory entry remains, and typical undelete utilities, which recover deleted entries, cannot restore the contents.
Darwin Sanoy, a consultant at the US-based CoreTech Consulting Group, noted that the payload does not depend on the victim's mail software: any user who runs an infected attachment received from someone using a Microsoft mail program still suffers its destructive effects.
"It looks very legitimate. That's what makes it so scary," Wasson said.
He said one warning sign of infection is an increase in mail volume on Exchange servers. Users can also check their e-mail out-box for messages sent without their knowledge.
"The W32/ExplorerZip.worm has affected a number of e-mail users, and Microsoft is working to learn everything it can about the virus to help keep customers informed and protected," a Microsoft spokesperson said.
According to an advisory from the Computer Emergency Response Team, any mail-handling system could experience performance problems or denial of service as a result of the large volume of reply messages generated from the in-boxes of infected users.
"If I'm infected, and I have lots of messages sent by a particular company, they will get a message for every message in your in-box," explained Darren Kessner, senior virus researcher at the California-based Symantec Antivirus Research Center.
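The propagation pattern described above (one executable-bearing reply per message in the victim's in-box, each quoting the original subject) gives a mail administrator a server-side version of the out-box check Wasson suggests: a mailbox that answers several recently received messages within seconds, every answer carrying an executable. The following is an added example, not code from the article or from any vendor; it assumes a constructed, simplified message-tracking log, and the thresholds are assumptions to be tuned to local traffic.

```python
"""Flag mailboxes that are replying to every inbound message with an executable.

Added example; it is not from the original article or from any vendor tool.
It assumes a constructed, simplified message-tracking log with one record per
message: timestamp, direction, local mailbox, peer address, subject and whether
an executable attachment was present. Real Exchange tracking logs carry
different fields, so the parsing would need to be adapted.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice's mailbox answers three inbound messages within
# seconds, each reply quoting the original subject and carrying an executable;
# erin's mailbox sends one ordinary reply with no attachment.
SAMPLE_LOG = [
    ("1999-06-10 12:01:00", "in",  "alice@corp.example", "bob@partner.example", "Q3 budget", False),
    ("1999-06-10 12:02:00", "in",  "alice@corp.example", "carol@corp.example",  "Lunch?", False),
    ("1999-06-10 12:03:00", "in",  "alice@corp.example", "dave@vendor.example", "Invoice 4471", False),
    ("1999-06-10 12:04:00", "in",  "erin@corp.example",  "frank@corp.example",  "Standup notes", False),
    ("1999-06-10 12:05:00", "out", "alice@corp.example", "bob@partner.example", "Re: Q3 budget", True),
    ("1999-06-10 12:05:01", "out", "alice@corp.example", "carol@corp.example",  "RE: Lunch?", True),
    ("1999-06-10 12:05:02", "out", "alice@corp.example", "dave@vendor.example", "Re: Invoice 4471", True),
    ("1999-06-10 12:30:00", "out", "erin@corp.example",  "frank@corp.example",  "Re: Standup notes", False),
]


def normalize_subject(subject):
    """Lower-case the subject and strip any number of leading 'Re:' prefixes."""
    s = subject.strip().lower()
    while s.startswith("re:"):
        s = s[3:].strip()
    return s


def find_auto_repliers(log, window=timedelta(minutes=5), min_replies=3,
                       lookback=timedelta(days=7)):
    """Return {mailbox: count} for mailboxes that sent at least `min_replies`
    executable-bearing replies within `window`. A reply here is an outbound
    message whose (peer, normalised subject) matches a message the mailbox
    received within `lookback`. Thresholds are assumptions; tune them locally."""
    inbound = defaultdict(list)   # mailbox -> [(ts, peer, subject)]
    outbound = defaultdict(list)  # mailbox -> [(ts, peer, subject, has_exe)]
    for ts_text, direction, mailbox, peer, subject, has_exe in log:
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        subj = normalize_subject(subject)
        if direction == "in":
            inbound[mailbox].append((ts, peer, subj))
        else:
            outbound[mailbox].append((ts, peer, subj, has_exe))

    flagged = {}
    for mailbox, outs in outbound.items():
        # Keep only outbound messages that look like a reply to something this
        # mailbox actually received and that carry an executable attachment.
        suspect_times = []
        for ts, peer, subj, has_exe in sorted(outs):
            if not has_exe:
                continue
            if any(in_ts <= ts <= in_ts + lookback and in_peer == peer and in_subj == subj
                   for in_ts, in_peer, in_subj in inbound[mailbox]):
                suspect_times.append(ts)
        # Sliding window: the largest number of such replies inside `window`.
        best = 0
        for i, start in enumerate(suspect_times):
            count = sum(1 for t in suspect_times[i:] if t - start <= window)
            best = max(best, count)
        if best >= min_replies:
            flagged[mailbox] = best
    return flagged


if __name__ == "__main__":
    for mailbox, count in find_auto_repliers(SAMPLE_LOG).items():
        print(f"{mailbox}: {count} executable-bearing auto-replies in one window")
```

Correlating each outbound message with an inbound one from the same peer is what separates this pattern from a user who simply forwards one attachment to several people; the attachment test alone would not distinguish the two. The same burst is what produces the Exchange volume increase and the denial-of-service effect the CERT advisory warns about, so the flagged mailbox is also the one to disconnect first.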
W32/ExplorerZip.worm is categorised as a worm, not a virus, because it spreads as a stand-alone program, copying itself to a computer's hard drive and moving from machine to machine across a network, whereas a virus attaches itself to specific host files. This worm infects machines running Windows 95, Windows 98 and NT.
Kessner noted that since the worm attacks .h, .cpp, .c and .asm source-code files, companies with many software developers should take special care to shield that data.
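Because the payload empties files rather than deleting them, scoping the damage after an infection comes down to finding zero-length files of the targeted kinds that changed during the incident window; undelete tools have nothing to work with, and the only remedy is a backup. The following triage script is an added example, not code from the article or from any vendor; it builds a constructed directory tree in a temporary folder and scans it, and the extension list (the Office and source-code types named in the article) and the one-hour cut-off are assumptions.

```python
"""Scope damage from a payload that truncates files to zero bytes.

Added example, not part of the original article. It builds a constructed
directory tree under a temporary directory and scans it for zero-length files
of the kinds the article says the worm targeted (Office documents and C, C++
and assembly source). The extension list and the time cut-off are assumptions.
"""
import os
import tempfile
import time

# Extensions the article names as targets; extend to match local policy.
TARGET_EXTENSIONS = {".doc", ".xls", ".ppt", ".h", ".cpp", ".c", ".asm"}


def find_truncated(root, since=None, extensions=TARGET_EXTENSIONS):
    """Return sorted relative paths under `root` of zero-byte files with a target
    extension, optionally only those modified at or after `since` (epoch seconds).

    A truncated file keeps its directory entry, so an undelete utility, which
    recovers entries marked as deleted, has nothing to find; the data is gone
    unless a backup holds it. The mtime filter separates freshly emptied files
    from placeholders that were legitimately empty before the incident.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in extensions:
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if st.st_size != 0:
                continue
            if since is not None and st.st_mtime < since:
                continue
            hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def build_fixture():
    """Constructed tree: intact files, freshly emptied files, an old empty
    placeholder and an empty file of an untargeted type. Returns (root, since)."""
    root = tempfile.mkdtemp(prefix="truncation_triage_")
    os.makedirs(os.path.join(root, "src"))
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "src", "main.c"), "w") as f:
        f.write("int main(void) { return 0; }\n")               # intact
    with open(os.path.join(root, "docs", "budget.xls"), "wb") as f:
        f.write(b"\xd0\xcf\x11\xe0" + b"\x00" * 28)              # intact (constructed bytes)
    for rel in ("src/util.h", "src/crt.asm", "docs/report.doc", "notes.txt"):
        open(os.path.join(root, *rel.split("/")), "w").close()  # zero bytes, fresh
    old = os.path.join(root, "docs", "old_placeholder.doc")
    open(old, "w").close()
    year_ago = time.time() - 365 * 86400
    os.utime(old, (year_ago, year_ago))                          # legitimately empty, old
    since = time.time() - 3600                                   # incident window: last hour
    return root, since


if __name__ == "__main__":
    root, since = build_fixture()
    for path in find_truncated(root, since):
        print("possibly truncated:", path)
```

Run it against a real drive by passing the drive root and the time the first suspicious reply was sent; the resulting list is the restore list for the backup operator, and a developer tree with many hits under `src` is exactly the exposure Kessner describes.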
David Chess, a researcher at IBM's Thomas J. Watson research center in the US state of New York, which is working on automatic virus immune systems, noted that if the worm's writer releases the source code onto the Web, variants will likely appear.
He believes it will be difficult to catch the worm's creator unless it was launched on a traceable newsgroup as was the Melissa virus.
"I have no idea what these people are thinking," Chess said. "It's the same mind-set that makes people break car windows; it's the same mindless destructiveness."
Companies that want to guard against the next wave of worms or viruses should consistently apply commercial-grade virus-protection programs on laptops and desktops, as well as on e-mail and Internet gateway servers, said Bruce Murphy, a partner in the security technology risk services division at New York-based PricewaterhouseCoopers. He said companies should have emergency staff on call for rapid response. Finally, Murphy recommended that companies have a process to keep virus software up to date and negotiate service agreements with vendors to get updates rapidly.
When a new virus or worm hits, Murphy said antivirus vendors' servers can be overwhelmed and companies may need to find other ways to update protection.
Rob Enderle, an analyst at Giga Information Group in the US, said the worm erased four hard drives at his company before the updated Symantec antivirus software could be distributed. He said Symantec's servers were so saturated that the company's IT department mailed the update directly to users. Enderle added that Symantec's system does not force users to reboot their machines to apply updates; products that do, he said, discourage users from keeping their antivirus software up to date.
D. J. Forman, an antivirus expert at San Jose-based antivirus software vendor Data Fellows Group, said that while his company's products have been updated for the worm, he expects the worm to destroy data even at companies that have antivirus software. If a worm enters a company's internal e-mail system before antivirus software is updated, blocking the worm at the Internet gateway won't lessen the impact, he noted.
While some antivirus products scan internal mail, he said many companies don't implement those solutions because of cost, shoddy network design and additional work for network managers.
Forman said employees must be trained not to open infected attachments. "If you rely 100 per cent on antivirus software," he said, "you are going to be in trouble."