
New Worm.ExplorerZip virus spreads over Net

June 10, 1999
Web posted at: 4:31 p.m. EDT (2031 GMT)

by Matthew Nelson

From InfoWorld

(IDG) -- A new virus or worm, with the same modus operandi as the Melissa virus, is currently spreading across the Internet, deleting large numbers of files and altering the Win.ini file when users reboot.

Tentatively called the Worm.ExplorerZip virus, it is propagating itself using the same API as Melissa, and a message stating:

"Hi [Name] ! I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. bye."

The message arrives with an attachment named Zip_files.exe which, if activated, will show a fake error message to the user.

An executable file will then alter the Win.ini file, instructing the client to run an explorer.exe file, delivered by the virus, in place of the standard operating system when the user reboots. The worm then searches the local file drive for the following file types and deletes them: .c, .cpp, .asm, .doc, .xls, and .ppt, thereby deleting Microsoft Word, Excel, and PowerPoint files.

"What it will do is it will search through the C through Z drives and select randomly a set of files of varying extensions, and then it will zero out or kill the contents of an arbitrary extension of those files," said Carey Nachenberg, chief researcher at SARC, the Symantec Anti-virus Research Center, in Santa Monica, Calif.

The worm does not send itself to users in an address book as Melissa did, but instead monitors the inbox of an infected system for incoming mail. Once a message is received, Worm.ExplorerZip sends an auto-reply to the sender containing the message above.


The worm does not alter the subject line of the e-mail, as Melissa did, but simply responds with the previous sender's subject line, making it difficult to recognize, according to Vincent Gullatto, director of Avert Labs for Network Associates in Beaverton, Ore.

Worm.ExplorerZip is similar to a virus, but is technically a "worm" program, as it delivers a payload and then moves to another machine instead of infecting an entire machine, according to Nachenberg.
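Because the subject line is reused, a mail filter has to key on the attachment and the body text instead. The following sketch is an added example, not part of the original article or any vendor's scanner: it checks a message for the attachment name and reply text quoted above, plus the "MZ" header of a Windows executable; the function names, the extension list and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment name and reply text as quoted in the article.
KNOWN_ATTACHMENT = "zip_files.exe"
KNOWN_PHRASE = "take a look at the attached zipped docs"
# Assumption: extensions a mail gateway would treat as directly runnable.
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat")

def inspect_message(raw_bytes):
    """Return the reasons a message resembles the auto-reply described above."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name:
            if name == KNOWN_ATTACHMENT:
                reasons.append("attachment-name-match")
            elif name.endswith(EXECUTABLE_EXTS):
                reasons.append("executable-attachment")
            # DOS/Windows executables start with "MZ", whatever the file is called.
            if (part.get_payload(decode=True) or b"")[:2] == b"MZ":
                reasons.append("mz-header")
        elif part.get_content_type() == "text/plain":
            # Collapse whitespace so line wrapping cannot hide the phrase.
            text = " ".join(part.get_content().lower().split())
            if KNOWN_PHRASE in text:
                reasons.append("body-phrase-match")
    return reasons

def build_sample(subject, body, attachment_name, data):
    """Construct a test message (constructed sample data, not a real capture)."""
    msg = EmailMessage()
    msg["Subject"] = subject  # the worm reuses the victim's own subject line
    msg.set_content(body)
    msg.add_attachment(data, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()

if __name__ == "__main__":
    reply = build_sample(
        "Re: lunch on Friday",
        "Hi Pat ! I received your email and I shall send you a reply ASAP. "
        "Till then, take a look at the attached zipped docs. bye.",
        "Zip_files.exe", b"MZ\x90\x00 constructed stub")
    print(inspect_message(reply))
```

The content check still fires when the attachment has been renamed, which a filename match alone would miss.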

"A worm is specifically designed to spread itself from one computer to another," said Nachenberg. "It will infect a computer once, deploy its payload and then try to move on to other computers."

SARC received a copy of the worm Sunday, June 6, from a user in Israel and issued a fix to its special service users the same day. Symantec's SARC made its Norton AntiVirus definitions generally available for download Wednesday night, according to Nachenberg.

Network Associates is also issuing updates to its McAfee Anti-Virus scan, according to the company.

Users should always be warned about launching executables, according to Nachenberg.

"If people receive executables in the mail, they should not run them," Nachenberg said. "It's very dangerous to run executables, even if they look cute."

Matthew Nelson is an InfoWorld senior writer.


