Government finds itself facing

By Christopher J. Dorobek

GCN Staff

After working to protect themselves from a rash of recent Web attacks and the wide-ranging Melissa virus, agencies had to batten down the hatches yet again against the malicious Worm.ExploreZip virus.

On June 10, the General Services Administration's Federal Computer Incident Response Capability team issued an advisory about the Worm.ExploreZip or Troj_Explore.Zip virus.

The Defense Department's Defense Computer Emergency Response Team issued a second advisory the following day.

'It's hard to know how many computers were affected because when people called, they said their whole site was affected,' said Bill Pollak, public relations representative for the Software Engineering Institute in Pittsburgh, which runs FedCIRC.

Much like the Melissa virus that left agencies scrambling earlier this year, the ExploreZip virus is a Trojan horse that propagates through e-mail attachments [GCN, April 5, Page 1].

Although the virus does not spread as quickly as Melissa, it is more destructive. The virus, once on the loose, can erase documents on the hard drive.

'Our analysis indicates that this Trojan horse program requires the victim to run the attached zipped_files.exe program in order to install a copy of itself and enable propagation,' the FedCIRC advisory said.

The virus enters through e-mail messages that apparently come from someone the user knows, and the body of the text may say, 'I received your e-mail and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs,' the FedCIRC advisory warned. The subject line of the message may not be predictable and may appear to be sent in reply to a previous e-mail.

Many-headed worm

There has been conflicting information about how the virus works, the FedCIRC advisory said. That may be because there are multiple variations of the program. A posting by Symantec Corp. of Cupertino, Calif., however, said the virus uses Mail Application Programming Interface commands and Microsoft Outlook on Windows systems to propagate itself.

FedCIRC said the program searches local and networked drives for specific extensions and then eats the corresponding files. The program also propagates by replying to any new e-mail received by the infected computer.

The virus appears to attach to machines running Microsoft Windows 95, Windows 98 and Windows NT, FedCIRC said.
