ad info
   personal technology

 custom news
 Headline News brief
 daily almanac
 CNN networks
 CNN programs
 on-air transcripts
 news quiz

CNN Websites
 video on demand
 video archive
 audio on demand
 news email services
 free email accounts
 desktop headlines

 message boards




Data-eating 'worm' virus invades corporate networks

June 11, 1999
Web posted at: 3:48 p.m. EDT (1948 GMT)

by Matthew Nelson


(IDG) -- A new virus or worm, titled Worm.ExplorerZip, blazed across the Internet this week, altering the Win.ini file when users reboot and deleting large numbers of files, requiring IT managers to clean their networks of infection yet again. It even caused several large corporations, including Microsoft, to shut down their mail servers.

Many system administrators had to scramble to halt the spread of the worm Thursday.

"'Forewarned is forearmed' is probably the most effective virus combat technique, and in this case the lead time was so short that many, many companies have been caught unarmed," said Alan Davis, platform manager for Unix systems at TESSCO Technologies, in Hunt Valley, Md., a provider of products and value-added services to the wireless communications industry.

  InfoWorld home page
  InfoWorld forums home page
  InfoWorld Internet commerce section
  Get Media Grok and The Industry Standard Intelligencer delivered for free
 Reviews & in-depth info at's personal news page
  Year 2000 World
  Questions about computers? Let's editors help you
  Subscribe to's free daily newsletter for IT leaders
  Search in 12 languages
 News Radio
 * Fusion audio primers
 * Computerworld Minute

Davis said that TESSCO informed all of its employees about the worm, but stopped short of shutting down e-mail. He said that identifying and eradicating the files on affected systems took the efforts of six to 10 staffers for most of the business day.

Worm.ExplorerZip propagates itself when an individual sends an infected user an e-mail message. The worm will then send an auto-reply message, stating: "Hi [Name]! I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. bye." The message contains a zip file named zipped_files.exe, which, if activated, will show a fake error message to the user.

An executable file will then alter the Win.ini file, instructing the client to run an Explore.exe file that is delivered by the virus; it then deletes Microsoft Word, Excel, PowerPoint, and other files.

"What it will do is search through the C: through Z: drives and select randomly a set of files of varying extensions, and then it will zero out or kill the contents of an arbitrary extension of those files," said Carey Nachenberg, chief researcher at the Symantec Anti-virus Research Center (SARC), in Santa Monica, Calif.

Because the virus scans and deletes files from all drives, C: through Z:, it is also capable of affecting shared drives on a network, such as the G: drive. Therefore, if a single networked user enables the worm, an entire network may lose its shared files, according to one company that was infected but didn't wish to be named.

The worm infected Compaq, which has sent a warning message to its employees, and Microsoft, which has turned off its mail server to halt the spread, as well as others.

A Lotus spokesman said that the Cambridge, Mass., maker of market-leading Lotus Notes messaging systems had no knowledge of any of their customers being affected.

"Our technical people are seeing if we are indeed immune," said Paul Labelle at Lotus. "So far, no Notes shops seem to be impacted at all," he said.

The worm, however, can make for embarrassing situations. For example, a Microsoft consultant working at a large client site in Minneapolis on Friday was hit and disabled by the worm, losing files and disrupting her work at Residential Funding, a financial service arm of General Motors' GMAC.

"The person sitting next to me, a Microsoft consultant, got hit and lost files. She was hit but not us," said Craig Andera, a systems architect at Residential Funding.

The worm does not send itself to users on an address book as the Melissa virus did, but instead will monitor the inbox of an infected system for incoming e-mail. It also does not alter the subject line of the e-mail, making it difficult to recognize, according to Vincent Gullatto, director of Avert Labs, for Network Associates in Beaverton, Ore.

Worm.ExplorerZip is similar to a virus but technically a "worm" program, as it delivers a payload and then moves to another machine instead of infecting an entire machine, according to Nachenberg.

"A worm is specifically designed to spread itself from one computer to another," Nachenberg said. "It will infect a computer once, deploy its payload, and then try to move on to other computers."

SARC received a copy of the worm Sunday, June 6, from a user in Israel, and issued a fix to its special service users the same day. SARC made its Norton AntiVirus definitions generally available for download Wednesday night, according to Nachenberg.

Network Associates is also issuing updates to its McAfee Anti-Virus scan as well, according to the company.

Users should always be warned about launching executables, according to Nachenberg.

"If people receive executables in the mail, they should not run them," he said. "It's very dangerous to run executables, even if they look cute."

Matthew Nelson is an InfoWorld senior writer. InfoWorld Editor at Large Dana Gardner contributed to this article.

Feds batten down the online hatches
June 9, 1999
Hacked hackers vow vengeance on federal Web sites
June 5, 1999
Hackers train sights on all federal Web sites
June 2, 1999
Hackers retaliate by invading FBI, Senate Web sites
May 28, 1999

New worm disables Microsoft mail systems
(Network World Fusion)
Be ready for virus season
(PC World Online)
Destructive "Worm" virus spreads
(PC World Online)
Hunters contain Office macro virus
(PC World Online)
Virus infects Corel scripts
(PC World Online)
Spread the word on CIH
Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.

Network Associates
Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.
Enter keyword(s)   go    help

Back to the top   © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.