EXPLOREZIP
VIRUS CLONED (MINIZIP)

Symantec Corp. and Trend Micro Inc. warned that a new version of the ExploreZip virus, which wipes out information on a hard drive, has hit at least 12 US companies so far, six of them high-tech manufacturers. Several thousand PCs are believed to have been hit.

The ExploreZip variant, also called ExploreZip.worm.pak, is 120KB, about half the size of its predecessor. But other than its diminutive size, MiniZip acts exactly like ExploreZip, which both wipes out files on hard drives and can spread via e-mail. MiniZip is so small because the virus' author compressed the original ExploreZip code. Compressing it changes the bits, meaning that anti-virus software has trouble identifying the new virus.

MiniZip first appeared last week, so most anti-virus makers have updated their software to detect its code. While anti-virus makers issued notice of the new updates, it appears that many companies have not updated their anti-virus software, allowing Tuesday's outbreak.

ExploreZip, the "father" of MiniZip, was first reported on June 11. The worm uses MAPI-capable e-mail programs to propagate, such as Microsoft Corp.'s Outlook, Outlook Express and Exchange. It e-mails itself out as an attachment with the filename "zipped_files.exe." The body of the e-mail message looks like it came from a regular e-mail correspondent and says: "I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs."

Once it is launched, MiniZip launches the original Worm.ExploreZip routine. It looks for any drives mapped to the infected computer and spreads to them. It also looks for unread e-mail messages and automatically replies to them, in search of new victims. "That's why it has spread so rapidly now but didn't at first," said Vincent Weafer, director of the Symantec Antivirus Research Center. "This is exactly how ExploreZip spread."

MiniZip may display an error message informing the user that the file is not a valid archive, according to the anti-virus companies. The worm copies itself to the C:\windows\system directory with the file name "Explore.exe" and then modifies the WIN.INI file so that the virus launches each time Windows is started.
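
As an added illustration (not part of the original report), the startup change described above can be checked for by scanning a WIN.INI file for an autostart entry that points at "Explore.exe". The sketch assumes the worm uses the standard `run=`/`load=` keys of the `[windows]` section, which the report does not state; the function names and sample file contents are constructed for the example.

```python
import ntpath

# File name taken from the report. The run=/load= keys are the standard
# WIN.INI autostart entries and are an assumption about what the worm edits.
SUSPECT_NAMES = {"explore.exe"}
AUTOSTART_KEYS = {"run", "load"}

def autostart_entries(win_ini_text):
    """Yield (key, program) for each program listed on run=/load= in [windows]."""
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names are case-insensitive
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key in AUTOSTART_KEYS:
            # Several programs may be listed, separated by spaces or commas
            # (paths containing spaces are not handled in this sketch).
            for prog in value.replace(",", " ").split():
                yield key, prog

def suspicious_autostarts(win_ini_text):
    """Return autostart entries whose file name exactly matches the worm's copy."""
    hits = []
    for key, prog in autostart_entries(win_ini_text):
        name = ntpath.basename(prog.strip('"')).lower()
        if name in SUSPECT_NAMES:                 # exact match: explorer.exe is not flagged
            hits.append((key, prog))
    return hits

# Constructed sample files, not captured from a real machine.
CLEAN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\explorer.exe\n[fonts]\n"
INFECTED_INI = (
    "; constructed sample\n"
    "[Windows]\n"
    "load=\n"
    "run=C:\\WINDOWS\\SYSTEM\\Explore.exe\n"
    "[Desktop]\n"
    "run=C:\\WINDOWS\\SYSTEM\\Explore.exe\n"      # wrong section, ignored
)

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_INI), ("infected", INFECTED_INI)):
        print(label, suspicious_autostarts(text))
```

The exact file-name match matters because the worm's copy differs from the legitimate Windows shell, explorer.exe, by a single letter.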