Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Wed, Dec 1, 1999
NEW EXPLOREZIP Virus
Hi All,

-------------------------------------------------------------
There is a new malicious strain out of the Explore.zip virus
-------------------------------------------------------------

Immediately WARN your troops NOT to open up any email that 
starts with:

Hi !
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
Bye (This salutation message changes and may be "Bye",
"Sincerely" and "All")

Do this first. Then read more below, and check with your
vendor of virus software if they can protect you. I got
the following this morning from Trend Micro. (extract
follows)
--------------------------------------------------------

TROJ_EXPLOREZIP Is Back with a Twist

A variant of the autospam TROJ_EXPLOREZIP worm, 
TROJ_EXPZIPWMPAK, is spreading quickly and damaging files

There is a newly discovered variant of the Trojan ExploreZip 
worm that was originally discovered in June, 1999. This
variant, TROJ_EXPZIPWMPAK, is identical to the original 
ExploreZip worm in that it is auto-spamming malicious code 
that destroys data on the infected system. The only 
significant difference between this variant of the worm
and the original is that TROJ_EXPZIPWMPAK is compressed 
with a different type of compression format, thereby evading 
protection for the previous worm. TROJ_EXPZIPWMPAK attacks 
Windows 95, 98, and NT systems and has been detected at 
several Fortune 500 customer sites in the United States.

TROJ_EXPZIPWMPAK emails itself out as an attachment under 
the filename "zipped_files.exe". The subject line of the 
email varies. The body of the email message may also contain 
the following text:

Hi !
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
Bye (This salutation message changes and may be "Bye",
"Sincerely" and "All")

After a user clicks on the attachment, this destructive trojan 
searches hard drives C: through Z:, selecting the Microsoft Word, 
Excel and PowerPoint files as well as source code files used by
programmers including C++, C, and Assembler source files and 
reduces their file size to zero, making the data unrecoverable. 
When executed, TROJ_EXPZIPWMPAK utilizes MAPI-enabled email 
systems to automatically reply to any subsequently received 
email messages. The email reply will include the infected 
attachment with the message shown above. It will use the 
subject line of the received email when it replies.

"TROJ_EXPLOREZIP caused millions of dollars of damage worldwide 
the first time. Since it overwrites files, instead of just deleting
them, it's particularly damaging.

That's all for now.

Take quick action!

Warm regards,

Stu Sjouwerman

(email me with feedback: [email protected])
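
The indicators quoted above (the attachment name "zipped_files.exe" and the fixed body text) can be checked at a mail gateway without relying on a signature for the packed executable. The following is an added example, not part of the original newsletter or of Trend Micro's advisory; the function names, addresses and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the advisory. The subject line is not one of them:
# the worm reuses the subject of the mail it replies to.
ATTACHMENT_NAME = "zipped_files.exe"
BODY_MARKERS = (
    "i received your email and i shall send you a reply asap",
    "take a look at the attached zipped docs",
)

def explorezip_indicators(raw_message: bytes) -> set:
    """Return which advisory indicators appear in one raw mail message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Match on the attachment name, not its bytes, so repacking the
        # executable with another compressor does not change the result.
        if (part.get_filename() or "").strip().lower() == ATTACHMENT_NAME:
            hits.add("attachment-name")
        elif part.get_content_type() == "text/plain":
            try:
                text = part.get_content()
            except (LookupError, UnicodeError):
                continue  # undecodable charset: nothing to compare
            # Collapse whitespace so re-wrapped lines still match.
            text = " ".join(text.lower().split())
            if all(marker in text for marker in BODY_MARKERS):
                hits.add("body-text")
    return hits

def build_sample(body: str, attachment: str = "") -> bytes:
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"] = "alice@example.com", "bob@example.com"
    m["Subject"] = "Re: quarterly numbers"
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

WORM_BODY = ("Hi !\nI received your email and I shall send you a reply ASAP.\n"
             "Till then, take a look at the attached zipped docs.\nBye\n")
```

The body check ignores the closing salutation, which the advisory says changes between messages.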