Worm hits corporate networks hard
"Judging from the number of reports we have had, this looks a little less prevalent than Melissa," said David Chess, an anti-virus researcher at IBM Corp.'s Watson Research Laboratory in Hawthorne, N.Y. Melissa spread through Internet e-mail at the end of March, reportedly infecting nearly 100,000 computers.
While first noticed in Israel on Sunday, the worm -- also known as TROJ_EXPLORE.ZIP and I-Worm.ZippedFiles -- struck hardest in the United States on Thursday, shutting down several major companies for hours and deleting critical files. Researchers also warned that once a single corporate user's PC was infected with ExploreZip, the worm can quickly spread to other users by a secondary mode of infection.
"The worm not only spams itself out," said Eric Chien, senior researcher at the Symantec AntiVirus Reseach Center, "but when it searches through the network drives (looking to delete files), if it finds another Windows installation out there, it will infect it as well."
In other words, users sharing their hard drives with each other -- a practice common in some workgroups -- will automatically be infected if one of the group gets the virus. The lesson: It may take a village to teach a child, but it only takes one gullible user to infect an entire company.
On Thursday, major companies were shutting down their servers and disconnecting from the Internet in order to put protections in place. Microsoft Corp., Intel Corp., Boeing Co., SBC Communications Inc., and AT&T were among the companies hit. By Friday, most companies had gotten the hint. "As of today, people are getting a handle on it," said Chien, who added that, of Symantec's customers, almost 20 major U.S. companies had been hit.
On Friday, reports from employees at the San Francisco-based Jamba Juice and the game publishing giant Electronics Arts reported both companies had been infected. Neither company responded to calls by press time.
While the worm hit the U.S. fairly hard, ExploreZip seems to have done little damage abroad, reported anti-virus firm Trend Micro Inc. "I think the rest of the world benefited by the U.S. getting it first," said Susan Orbuch, spokeswoman for the Cupertino, California, company.
The worm combines the reproductive capabilities of the Melissa virus and the destructive force of the CIH virus. Those two pieces of malicious code struck the Internet in March and April, respectively. ExploreZip proliferates over e-mail based on the messaging application programming interface, or MAPI, such as Microsoft's Exchange, Outlook and Outlook Express. When a user sends an e-mail to an infected computer, he or she will receive a response that contains the virus payload in an attached file called ZippedFiles.exe. The message header will appear the same with "RE:" but the text inside will be changed. It will say:
"Hi (Recipient Name)! "I received your email and I shall send you a reply ASAP. "Till then, take a look at the attached zipped docs. "Bye"
Once opened, the worm, called Worm.ExploreZip, deletes Microsoft Word, Excel, and PowerPoint files off hard drives. In addition, it targets development files created by C, C++ and assembly language editors, deleting those as well.
Computers in the U.S., Germany, France, Norway, Israel, Japan, Taiwan and the Czech Republic were infected by the worm, said Finnish computer security firm Data Fellows Corp.
Take me to the Melissa Virus special.