ad info
   personal technology

 custom news
 Headline News brief
 daily almanac
 CNN networks
 CNN programs
 on-air transcripts
 news quiz

CNN Websites
 video on demand
 video archive
 audio on demand
 news email services
 free email accounts
 desktop headlines

 message boards




New Worm.ExplorerZip virus spreads over Net

June 10, 1999
Web posted at: 4:31 p.m. EDT (2031 GMT)

by Matthew Nelson


   Insurgency on the Internet

   Sign up for the Computer Connection email service

   For more computing stories


(IDG) -- A new virus or worm, with the same modus operandi of the Melissa Virus, is currently spreading across the Internet, deleting large numbers of files and altering the Win.ini file when users reboot.

Tentatively called the Worm.ExplorerZip virus, it is propagating itself using the same API as Melissa, and a message stating:

"Hi [Name] ! I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. bye."

The message comes along with a zip file named Zip_files.exe, which if activated, will show a fake error message to the user.

An executable file will then alter the Win.ini file, instructing the client to run an explorer.exe file which is delivered by the virus in place of the standard operating system when the user reboots. The worm then searches the local file drive for the following file types and deletes them: .c, .cpp, .asm, .doc, .sls, and .ptp, thereby deleting Microsoft Word, Excel, and PowerPoint files.

"What it will do is it will search through the C through Z drives and select randomly a set of files of varying extensions, and then it will zero out or kill the contents of an arbitrary extension of those files," said Carey Nachenberg, chief researcher at SARC, the Symantec Anti-virus Research Center, in Santa Monica, Calif.

The worm does not send itself to users on an address book as Melissa did, but instead will monitor the inbox of an infected system for incoming mail. Once a message is received, Worm.ExplorerZip will then send an auto-reply to the sender of the message with the message above.

  InfoWorld home page
  InfoWorld forums home page
  InfoWorld Internet commerce section
  Get Media Grok and The Industry Standard Intelligencer delivered for free
 Reviews & in-depth info at's personal news page
  Year 2000 World
  Questions about computers? Let's editors help you
  Subscribe to's free daily newsletter for IT leaders
  Search in 12 languages
 News Radio
 * Fusion audio primers
 * Computerworld Minute

The Worm does not alter the subject line of the e-mail, as Melissa did, but simply responds with the previous senders subject line, making it difficult to recognize, according to Vincent Gullatto, director of Avert Labs, for Network Associates in Beaverton, Ore.

Worm.ExplorerZip is similar to a virus, but technically a "worm" program, as it delivers a payload and then moves to another machine instead of infecting an entire machine, according to Nachenberg.

"A worm is specifically designed to spread itself from one computer to another," said Nachenberg. "It will infect a computer once, deploy its payload and then try to move on to other computers."

SARC received a copy of the worm Sunday, June 6, from a user in Israel and issued a fix to its special service users the same day. Symantec's SARC made its Norton AntiVirus definitions generally available for download Wednesday night, according to Nachenberg.

Network Associates is also issuing updates to its McAfee Anti-Virus scan as well, according to the company.

Users should always be warned about launching executables, according to Nachenberg.

"If people receive executables in the mail, they should not run them," Nachenberg said. "It's very dangerous to run executables, even if they look cute."

Matthew Nelson is an InfoWorld senior writer.

Melissa mutant threatens networks
May 28, 1999
CIH virus antidote author defends his program
May 20, 1999
E-mail doesn't have to be opened to release virus
May 13, 1999
Chernobyl virus wreaks havoc in parts of Asia
April 27, 1999

Melissa mutant threatens networks
'Melissa' a sign of problems to come, House told
Lessons from the Melissa mess
Why Melissa was good for IT
Stopping the next Melissa
(Network World Fusion)
'CIH' virus dangerous, but easy to avoid
Feds shine during 'Melissa' scare
(FCW)'s Year 2000 World
Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.

Symantec Anti-Virus Research Center
Network Associates Inc.
Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.
Enter keyword(s)   go    help

Back to the top   © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.