>Date: Fri, 11 Jun 1999 10:32:05 -0400
>From: Sherry Proffitt <[log in to unmask]>
>Subject: Virus Alert
>X-Sender: [log in to unmask]
>To: Patsy Newton <[log in to unmask]>
>MIME-version: 1.0
>Original-recipient: rfc822;[log in to unmask]
>
>Hi Patsy,
>
>There's a new virus called explore.zip. It only affects Windows machines.
>If anyone needs any extra drivers to detect this virus, they can download
>them from this website:
>http://download.mcafee.com/products/datfiles/avtk/W32Ex794a.zip
>Please let me know if anyone needs any help or an upgrade in their Virus
>package.
>
>Below is the other info.
>
>Also Guy has an Erin bear for you.
>
>Hope to see you later today.
>
>Regards,
>Sherry
>
>
>Date: Fri, 11 Jun 1999 08:47:32 -0400
>From: Steve Moore <[log in to unmask]>
>Subject: Fwd: CERT Advisory CA-99.06 - ExploreZip Trojan Horse Program
>Sender: Miami University Technology Support Representatives
> <[log in to unmask]>
>X-Sender: [log in to unmask]
>To: [log in to unmask]
>Reply-to: Miami University Technology Support Representatives
> <[log in to unmask]>
>MIME-version: 1.0
>Original-recipient: rfc822;[log in to unmask]
>
>>Date: Thu, 10 Jun 1999 23:58:21 -0400
>>From: CERT Advisory <[log in to unmask]>
>>Subject: CERT Advisory CA-99.06 - ExploreZip Trojan Horse Program
>>To: [log in to unmask]
>>Reply-to: [log in to unmask]
>>Organization: CERT(sm) Coordination Center - +1 412-268-7090
>>Original-recipient: rfc822;[log in to unmask]
>>
>>
>>CERT Advisory CA-99-06 ExploreZip Trojan Horse Program
>>
>> Original issue date: Thursday June 10, 1999
>> Source: CERT/CC
>>
>>Systems Affected
>>
>> * Machines running Windows 95, Windows 98, or Windows NT.
>> * Any mail handling system could experience performance problems or
>> a denial of service as a result of the propagation of this Trojan
>> horse program.
>>
>>Overview
>>
>> The CERT Coordination Center continues to receive reports and
>> inquiries regarding various forms of malicious executable files that
>> are propagated as file attachments in electronic mail.
>>
>> Most recently, the CERT/CC has received reports of sites affected by
>> ExploreZip, a Windows Trojan horse program.
>>
>>I. Description
>>
>> The CERT/CC has received reports of a Trojan horse program that is
>> propagating in email attachments. This program is called ExploreZip.
>> The number and variety of reports we have received indicate that this
>> has the potential to be a widespread attack affecting a variety of
>> sites.
>>
>> Our analysis indicates that this Trojan horse program requires the
>> victim to run the attached zipped_files.exe program in order to install a
>> copy of itself and enable propagation.
>>
>> Based on reports we have received, systems running Windows 95, Windows
>> 98, and Windows NT are the target platforms for this Trojan horse
>> program. It is possible that under some mailer configurations, a user
>> might automatically open a malicious file received in the form of an
>> email attachment. This program is not known to exploit any new
>> vulnerabilities. While the primary transport mechanism of this program
>> is via email, any way of transferring files can also propagate the
>> program.
>>
>> The ExploreZip Trojan horse has been propagated in the form of email
>> messages containing the file zipped_files.exe as an attachment. The
>> body of the email message usually appears to come from a known email
>> correspondent, and may contain the following text:
>>
>> I received your email and I shall send you a reply ASAP.
>> Till then, take a look at the attached zipped docs.
>>
>> The subject line of the message may not be predictable and may appear
>> to be sent in reply to previous email.
>>
>> Opening the zipped_files.exe file causes the program to execute. At
>> this time, there is conflicting information about the exact actions
>> taken by zipped_files.exe when executed. One possible reason for
>> conflicting information may be that there are multiple variations of
>> the program being propagated, although we have not confirmed this one
>> way or the other. Currently, we have the following general information
>> on actions taken by the program.
>>
>> * The program searches local and networked drives (drive letters C
>> through Z) for specific file types and attempts to erase the
>> contents of the files, leaving a zero byte file. The targets may
>> include Microsoft Office files, such as .doc, .xls, and .ppt, and
>> various source code files, such as .c, .cpp, .h, and .asm.
>> * The program propagates by replying to any new email that is
>> received by an infected computer. A copy of zipped_files.exe is
>> attached to the reply message.
>> * The program creates an entry in the Windows 95/98 WIN.INI file:
>> run=C:\WINDOWS\SYSTEM\Explore.exe
>> On Windows NT systems, an entry is made in the system registry:
>> [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
>> run = "c:\winnt\system32\explore.exe"
>> * The program creates a file called explore.exe in the following
>> locations:
>> Windows 95/98 - c:\windows\system\explore.exe
>> Windows NT - c:\winnt\system32\explore.exe
>> This file is a copy of the zipped_files.exe Trojan horse, and the
>> file size is 210432 bytes.
>> MD5 (Explore.exe) = 0e10993050e5ed199e90f7372259e44b
>>
>> We will update this advisory with more specific information as we are
>> able to confirm details. Please check the CERT/CC web site for the
>> current version containing a complete revision history.
>>
>>II. Impact
>>
>> * Users who execute the zipped_files.exe Trojan horse will infect
>> the host system, potentially causing targeted files to be
>> destroyed.
>> * Indirectly, this Trojan horse could cause a denial of service on
>> mail servers. Several large sites have reported performance
>> problems with their mail servers as a result of the propagation of
>> this Trojan horse.
>>
>>III. Solution
>>
>>Use virus scanners
>>
>> In order to detect and clean current viruses you must keep your
>> scanning tools up to date with the latest definition files.
>>
>> Please see the following anti-virus vendor resources for more
>> information about the characteristics and removal techniques for the
>> malicious file known as ExploreZip.
>>
>> Central Command
>> http://www.avp.com/upgrade/upgrade.html
>>
>> Command Software Systems, Inc
>> http://www.commandcom.com/html/virus/explorezip.html
>>
>> Computer Associates
>> http://support.cai.com/Download/virussig.html
>>
>> Data Fellows
>> http://www.datafellows.com/news/pr/eng/19990610.htm
>>
>> McAfee, Inc. (a Network Associates company)
>> http://www.mcafee.com/viruses/explorezip/protecting_yourself.asp
>>
>> Network Associates Incorporated
>> http://www.avertlabs.com/public/datafiles/valerts/vinfo/va10185.asp
>>
>> Sophos, Incorporated
>> http://www.sophos.com/downloads/ide/index.html#explorez
>>
>> Symantec
>> http://www.sarc.com/avcenter/download.html
>>
>> Trend Micro Incorporated
>> http://www.antivirus.com/download/pattern.htm
>>
>>General protection from email Trojan horses and viruses
>>
>> Some previous examples of malicious files known to have propagated
>> through electronic mail include
>> * False upgrade to Internet Explorer - discussed in CA-99-02
>> http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html
>> * Melissa macro virus - discussed in CA-99-04
>> http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
>> * Happy99.exe Trojan Horse - discussed in IN-99-02
>> http://www.cert.org/incident_notes/IN-99-02.html
>> * CIH/Chernobyl virus - discussed in IN-99-03
>> http://www.cert.org/incident_notes/IN-99-03.html
>>
>> In each of the above cases, the effects of the malicious file are
>> activated only when the file in question is executed. Social
>> engineering is typically employed to trick a recipient into executing
>> the malicious file. Some of the social engineering techniques we have
>> seen used include
>> * Making false claims that a file attachment contains a software
>> patch or update
>> * Implying or using entertaining content to entice a user into
>> executing a malicious file
>> * Using email delivery techniques which cause the message to appear
>> to have come from a familiar or trusted source
>> * Packaging malicious files in deceptively familiar ways (e.g., use
>> of familiar but deceptive program icons or file names)
>>
>> The best advice with regard to malicious files is to avoid executing
>> them in the first place. CERT advisory CA-99-02 discusses Trojan
>> horses and offers suggestions to avoid them (please see Section V).
>>
>> http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html
>>
>>Additional information
>>
>> Additional sources of virus information are listed at
>>
>> http://www.cert.org/other_sources/viruses.html
>> ______________________________________________________________________
>>
>> This document is available from:
>> http://www.cert.org/advisories/CA-99-06-explorezip.html.
>> ______________________________________________________________________
>>
>>CERT/CC Contact Information
>>
>> Email: [log in to unmask]
>> Phone: +1 412-268-7090 (24-hour hotline)
>> Fax: +1 412-268-6989
>> Postal address:
>> CERT Coordination Center
>> Software Engineering Institute
>> Carnegie Mellon University
>> Pittsburgh PA 15213-3890
>> U.S.A.
>>
>> CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
>> Monday through Friday; they are on call for emergencies during other
>> hours, on U.S. holidays, and on weekends.
>>
>>Using encryption
>>
>> We strongly urge you to encrypt sensitive information sent by email.
>> Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
>> If you prefer to use DES, please call the CERT hotline for more
>> information.
>>
>>Getting security information
>>
>> CERT publications and other security information are available from
>> our web site http://www.cert.org/.
>>
>> To be added to our mailing list for advisories and bulletins, send
>> email to [log in to unmask] and include SUBSCRIBE
>> your-email-address in the subject of your message.
>>
>> Copyright 1999 Carnegie Mellon University.
>> Conditions for use, disclaimers, and sponsorship information can be
>> found in http://www.cert.org/legal_stuff.html.
>>
>> * "CERT" and "CERT Coordination Center" are registered in the U.S.
>> Patent and Trademark Office
>> ______________________________________________________________________
>>
>> NO WARRANTY
>> Any material furnished by Carnegie Mellon University and the Software
>> Engineering Institute is furnished on an "as is" basis. Carnegie
>> Mellon University makes no warranties of any kind, either expressed or
>> implied as to any matter including, but not limited to, warranty of
>> fitness for a particular purpose or merchantability, exclusivity or
>> results obtained from use of the material. Carnegie Mellon University
>> does not make any warranty of any kind with respect to freedom from
>> patent, trademark, or copyright infringement.
>>
>> Revision History
>>
>> June 10, 1999: Initial release
>>
>
>
>Steve Moore
>Software Coordinator
>Miami University
>Oxford, OH
>email:[log in to unmask]
>voice:513-529-1452
>
Patsy Newton
Department of Speech Pathology & Audiology
2 Bachelor Hall
Phone 9-2500, Fax 9-2502
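A defender-side check for the indicators the forwarded advisory lists (the WIN.INI run= line, the NT registry run value, and the size and MD5 of the dropped explore.exe), added here as an example; it is not part of this mail or of CERT's advisory, and the WIN.INI text below is constructed.

```python
import hashlib
import ntpath
import re
from typing import List, Tuple

# Indicators quoted from CERT CA-99-06 above: the dropped file's name, size and MD5.
EXPLOREZIP_MD5 = "0e10993050e5ed199e90f7372259e44b"
EXPLOREZIP_SIZE = 210432
DROPPED_NAME = "explore.exe"

# Matches the bare 'run=...' line from WIN.INI and the quoted 'run = "..."' form the advisory shows for the NT registry.
RUN_LINE_RE = re.compile(r'^\s*run\s*=\s*"?(.*?)"?\s*$', re.IGNORECASE)

def is_explorezip_run_target(command: str) -> bool:
    """True if a run= command launches a program named explore.exe (case-insensitive)."""
    return ntpath.basename(command.strip().strip('"')).lower() == DROPPED_NAME

def find_run_entries(ini_text: str) -> List[Tuple[str, str]]:
    """Return (section, command) for every non-empty run= line in an INI-style text."""
    entries, section = [], ""
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
            continue
        match = RUN_LINE_RE.match(line)
        if match and match.group(1):
            entries.append((section, match.group(1)))
    return entries

def suspicious_run_entries(ini_text: str) -> List[Tuple[str, str]]:
    """Run entries pointing at explore.exe, the persistence indicator the advisory describes."""
    return [e for e in find_run_entries(ini_text) if is_explorezip_run_target(e[1])]

def matches_explorezip(data: bytes) -> dict:
    """Compare a file's bytes with the size and MD5 the advisory gives for Explore.exe."""
    return {"size_match": len(data) == EXPLOREZIP_SIZE,
            "md5_match": hashlib.md5(data).hexdigest() == EXPLOREZIP_MD5}

# Constructed WIN.INI sample: a stock [windows] section with the advisory's run= line added.
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\Explore.exe
[Desktop]
Wallpaper=(None)
"""
```

Feed `suspicious_run_entries` the text of WIN.INI and `matches_explorezip` the bytes of any explore.exe found at the two paths the advisory names; a size or hash mismatch does not clear a file, since the advisory notes that several variants may be circulating.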