For immediate release
Espoo, Finland - Researchers at the Data Fellows computer virus laboratory have discovered new functionality in the widespread ZippedFiles (also known as ExploreZip) Internet worm. Once the virus infects one machine in a corporate network, the worm will start to look for other Windows workstations in the network.
If another user has shared directories from his machine for others, the virus will try to infect this machine over the network.
This means that your machine can get infected with the ZippedFiles worm even if you are very careful with your e-mail, do not open attachments, or even stop using e-mail completely. You will not notice the infection, but your machine will start to automatically reply to all e-mails received thereafter. The replies contain an infected attachment and will spread the worm further. In addition, the worm will start to overwrite files on local and network drives.
In order to receive the virus over the company network, your machine must be running Windows 95 or 98 and must have either the system drive or the Windows directory shared for other users with full access rights. The shared drive does not have to be mounted to the infected system in order for the worm to spread, as the worm will browse all available drive shares in the network. By default, Windows does not share drives for use by other users, but many users do this to give fellow workers easy access to their files.
"This seems to be one of the reasons we've seen widespread infections within single companies", comments Mikko Hypponen, Manager of Anti-Virus Research at Data Fellows. "We have to remember that this worm does not spread over e-mail nearly as fast as the Melissa virus did. It only spreads at the rate of normal e-mail traffic - if you receive ten e-mails a day, you will send the worm out ten times". "However, once ZippedFiles enters your corporate network, it will travel around fast if you don't have every workstation running up-to-date protection."
A: This worm is known as either ZippedFiles or ExploreZip
Q: What's the difference between a virus and a worm?
A: Viruses work by infecting the user's own files and they spread when these are exchanged. Worms don't infect your own files, they just use your computer to send themselves further to other machines.
Q: Where was ZippedFiles written?
A: The first infection reports were from Israel, so it might be from that region.
Q: When was ZippedFiles written?
A: We don't know for sure. We received the first sample from the field on June 10th, from the Czech Republic. The virus has been reported to be out there as early as 6th of June. Moreover, the virus contains this internal date: "1999/04/14 12:50". It is possible that the virus has been out there for a longer time, possibly even weeks.
Q: Why was this new network-spreading capability not detected until now?
A: The virus is big, over 200kB. It's simple to add detection and removal of a worm like this, but it takes days to fully disassemble and understand a program of this size.
Q: Who wrote it?
A: We do not know.
Q: Will he/she be caught?
A: If he/she was careful when releasing the virus, probably not. It is easy to be completely anonymous in the net.
Q: How widespread is it?
A: Very widespread, although at this time not as widespread as Melissa or CIH were during spring, 1999. It seems to be especially widespread in North America and the UK.
Q: Why North America and UK?
A: The virus replies to every e-mail received by the infected computer. However, the reply is written in English. If a German-speaking user sends an e-mail to another German, he would get suspicious if the reply appears in English.
Q: Does the virus work only with Outlook?
A: The virus tries to work with other e-mail programs as well (those which support MAPI). However, due to some programming error it seems to fail unless the user has Microsoft Outlook, Outlook Express or Exchange e-mail client.
Q: Do other worms spread over a company network like ZippedFiles?
A: No, this is quite a unique feature.
Q: What damage does ZippedFiles do?
A: It tries to overwrite several types of files on a local hard drive and on the network drives.
Q: What files does ZippedFiles overwrite?
DOC - Microsoft Word documents
XLS - Microsoft Excel spreadsheets
PPT - Microsoft PowerPoint presentations
ASM - Assembler source files
CPP - C++ source files
C - C source files
H - C header files
Q: Why does the virus overwrite Assembler, C++ and C programming language files?
A: Perhaps the writer of the virus does not like these languages. The virus itself is written in Delphi, a Pascal-like language.
Q: Why does the virus overwrite files instead of deleting them?
A: The virus truncates the files to zero bytes. This makes it difficult to restore the files without backups. If the virus just deleted the files, they would be easy to undelete.
Q: Are the truncated files recoverable if there are no backups?
A: Professional data recovery services will help. There are some freeware tools in the net that claim to be of some help, but usually the results are not very good - and they might make professional data recovery impossible.
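The damage signature described above (targeted document and source files truncated to zero bytes, usually many at once in the same directory) can be checked for on a file server or workstation after the fact. The following scanner is an added example, not a Data Fellows tool; it walks a tree, collects zero-byte files with the seven extensions listed in this release, and reports only directories where several such files appear, because a single empty .h or .c file is common in normal source trees while mass truncation is not. The sample tree it builds is constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

# The file types the release says ZippedFiles truncates (matched case-insensitively; assumption).
TARGET_EXTS = {".doc", ".xls", ".ppt", ".asm", ".cpp", ".c", ".h"}


def scan_truncated(root, min_hits=3):
    """Return {directory: [zero-byte target files]} for directories with >= min_hits hits."""
    hits = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext not in TARGET_EXTS:
                continue
            try:
                size = os.path.getsize(os.path.join(dirpath, name))
            except OSError:
                continue  # unreadable or vanished since listing; skip it
            if size == 0:
                hits[dirpath].append(name)
    # Drop directories below the threshold so lone empty headers do not raise alarms.
    return {d: sorted(names) for d, names in hits.items() if len(names) >= min_hits}


def build_sample_tree(base):
    """Constructed sample: 'reports' looks truncated, 'src' looks like a normal code tree."""
    reports = os.path.join(base, "reports")
    src = os.path.join(base, "src")
    os.makedirs(reports, exist_ok=True)
    os.makedirs(src, exist_ok=True)
    for name in ("q1.doc", "budget.xls", "deck.ppt", "notes.txt"):
        open(os.path.join(reports, name), "wb").close()   # all empty; .txt is not a target
    with open(os.path.join(src, "main.c"), "wb") as f:
        f.write(b"int main(void) { return 0; }\n")        # non-empty, must not be reported
    open(os.path.join(src, "empty.h"), "wb").close()      # one legitimately empty header
    return reports, src


def run_demo(min_hits=3):
    """Build the sample tree in a temp directory and scan it; returns (reports, src, result)."""
    base = tempfile.mkdtemp(prefix="zippedfiles-scan-")
    reports, src = build_sample_tree(base)
    return reports, src, scan_truncated(base, min_hits=min_hits)


if __name__ == "__main__":
    for directory, names in run_demo()[2].items():
        print(f"{directory}: {len(names)} zero-byte target files: {', '.join(names)}")
```

Run against a real share with `scan_truncated(r"\\server\share")`; lower `min_hits` to 1 if you want to list every empty target file rather than only suspicious clusters.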
The Company has received numerous awards and citations each year from leading software magazines and publications around the world. They include being selected one of the Top 100 Technology companies in the world by Red Herring magazine in its September 1998 issue and being named Editors' Choice by PC Magazine.
For further information, please contact
Hong Kong:
Yui Kee Co. Ltd.
Mr. Allan Dyer, Technical Director
Tel: +852 28708555
Fax: +852 28736164
e-mail: adyer@yuikee.com.hk
or visit the Yui Kee web site at http://www.yuikee.com.hk
USA:
Data Fellows Corporation
675 N. First Street, 8th Floor
San Jose, CA 95112
tel (408) 938-6700; fax (408) 938-6701
or
Europe:
Data Fellows Corporation
Mikko Hypponen, Manager, Anti-Virus Research.
PL 24
FIN-02231 ESPOO
tel +358 9 8599 0513
fax +358 9 8599 0599
e-mail: Mikko.Hypponen@F-Secure.com