Explorer worm hits thousands
- 15 June, 1999 12:01
The fast-spreading W32/ExplorerZip.worm, which propagates via e-mail and destroys files on a PC's hard drive, has infected tens of thousands of users of Microsoft Outlook and Exchange software worldwide, causing some to shut down their e-mail systems, security experts said.
The FBI said it is investigating the incident. "As was the case with Melissa, the transmission of the virus can be a criminal matter and the FBI is investigating,'' said Michael Vatis, director of the National Infrastructure Protection Centre, in a statement last week.
Yesterday, the company intercom at AT&T's headquarters in Basking Ridge, alerted employees at lunchtime that the worm was spreading and advised infected users to immediately shut down their PCs.
Of the 3000 workers at the site, about 200 were affected, said spokesman John Heath. Heath said he didn't hear the warning in time and inadvertently opened the attached file that contained the worm. "In most cases, I'm pretty suspicious, but this is tricky because you see a message from someone you know, and I fell for it,"' Heath said.
AT&T's information technology department distributed updated McAfee antivirus software within 90 minutes to block the worm, he said. But Heath said infected workers lost Microsoft Word, Excel and PowerPoint files.
"A word to the wise: No matter who the sender is, take a second to look at the message you get and make sure it's not a threat to your system," Heath advised.
Some companies, such as General Electric, received warnings earlier in the week that helped minimise the damage. GE public relations manager Pam Wickham said e-mail servers at the company's headquarters were shut down for a few hours yesterday. But they were back up by mid afternoon, after the company installed an update of Symantec's antivirus software, she said.
Wickham said the Symantec site had posted a warning on June 6 and that GE IT managers were keeping an eye out for it. She said she was unsure how many GE workers were hit.
"We had a good look at it early, saw what it was able to do and contained the damage," she said. "We did have some minor data loss, but nothing on the scale of what's been going on around the country,'' Wickham said.
Network Associates, said 60 per cent of its enterprise customers in the US, France and Germany have reported infections that deleted large amounts of data. Other users affected have been reported in Hong Kong, Israel, Japan, Taiwan, the UK, Norway, South Africa and parts of Latin America.
"Our researchers have watched numerous attempts by virus writers to combine the rapid spread of viruses like Melissa with bad payloads like the Chernobyl virus, and this is the first example,'' said Wes Wasson, director of security product marketing at Network Associates.
Unlike the Melissa virus, which e-mailed itself to recipients via a user's address book, this worm automatically replies to legitimate inbound e-mail. Users are infected when they open e-mail attachments that appear to be a reply from someone to whom they sent mail. The messages have the same subject line as the original message, making it more likely that the victim will open the attachment.
When a user clicks on the attached file, the worm deposits the file explore.exe and modifies the Windows registry file, WIN.INI. The worm's payload then searches the user's local hard drive for a variety of file types and attempts to erase the contents of the file, leaving a zero-byte file that cannot be undeleted with typical undelete utilities.