
WORM2


re...@ecn.ab.ca

Jun 11, 1999, 3:00:00 AM

Corporations are scrambling to cope with a new data-destroying
virus that is forcing the shutdown of email systems nationwide.

The virus, first reported to the Symantec Antivirus Research Center on
Sunday by five companies in Israel, is called Worm.ExploreZip or
Troj_Explore.Zip. The worm uses Mail Application Programming Interface
(MAPI) commands and Microsoft Outlook on Windows
systems to propagate itself, Symantec said.

In some ways, the virus is the sequel to the Melissa virus, which spread
with unprecedented speed in March. Worm.ExploreZip spreads from computer
to computer by taking advantage of automation features available to people
using Microsoft email software on Windows machines.

Although the new virus doesn't spread as fast as Melissa, it causes more
damage, according to antivirus experts, deleting Microsoft Word, Excel,
and PowerPoint document files, among others.

Several firms have shut down their email systems entirely while IS staff
root out the virus, according to Symantec.

Boeing was hit particularly hard. The Seattle-based aerospace giant shut
down its email system, which is used by at least 150,000 employees, at
2:30 p.m. today, a company spokesman said. The company was still assessing
the damage caused by the virus, but the spokesman, who asked not to be
named, said he knew of at least one employee whose entire hard drive was
wiped out.

"As soon as we became aware of it, we told everyone, and we put a message
up on our internal Web site," he said. Late in the day the email still had
not been restored. The company hopes to have it back up by tomorrow.

PricewaterhouseCoopers took down its entire email system, used by 45,000
U.S. employees, also at 2:30 p.m. in response to the virus. The company
was just bringing up parts of the system at 7 p.m., a company spokesman
said, but he didn't know how much damage had been done or how many
workers had been affected.

Some companies said they disarmed the virus--actually a software
"worm"--before it could cause many problems. Microsoft, for example,
disconnected its email servers from the Internet at about 9 a.m. so that
programmers could work on an antidote, company spokesman Dan Leach said.
The servers were up and running two hours later, he added.

Employees of antivirus software maker Symantec report that they have
received email that includes the worm, which arrives as an attachment to
the missives. Companies such as General Electric and Southern Company have
had files deleted by the virus, according to Bloomberg.

Virus protection firm Trend Micro spokeswoman Susan Orbuch said earlier
today that the company had received 107 calls from customers concerning
the virus. Thirteen of those calls came from those already infected, she
said.

Orbuch said that Trend Micro knew of five large companies that had been
infected, as well as several public relations firms and a magazine. She
declined to name the companies.

Nate Meyer, spokesman for Credit Suisse First Boston, said the virus had
struck the company's offices in New York, San Francisco, and Palo Alto,
California, and that other offices worldwide may have been affected. He
said he did not know how many of the company's computers were infected.

Meyer said Credit Suisse's technology department had been working on
the problem for much of the day and had sent out a warning about it this
morning. But he said the virus did not seem to have slowed the company's
operations, adding that it had not disrupted the investment company's
stock trading. Meyer noted that his own email had been working throughout
the day.

Quick repairs

Representatives at AT&T and Intel reported that they were
able to quickly repair their systems after being hit by the virus.

"These are things that we have to do because of the communications reality
that we live in today," an AT&T spokeswoman said.

The virus disrupted work at Cambridge, Massachusetts-based industry
analyst firm Forrester Research, where Internet access, including email,
was cut off. Another analyst firm, Current Analysis, sent email to
customers warning them not to open any email attachments coming from the
firm with the .exe extension because an employee's PC had been infected.

The infected email may contain the message: "Hi [recipient name]! I
received your email and I shall send you a reply ASAP. Till then, take a
look at the attached zipped docs. bye."

Unlike the Melissa virus, which harvested from a user's address book, the
new virus raids an email in-box when executed through Microsoft Exchange
or Outlook. The worm attaches itself as a file called zip_files.exe and is
sent off with a return email. Although the virus isn't expected to spread
as quickly and to as many computers as Melissa did, it does destroy files.

"It's an .exe file posing as a Zip file," said Eric Chien, senior
researcher at the Symantec Antivirus Research Center. The worm is
particularly insidious because it searches through hard drives and
destroys files with extensions of .doc, .xls, .ppt, .c, .cpp, .h, or .asm,
he said.

Chien said that means whoever wrote the virus was targeting
corporations--seeking to destroy developers' source code, as well as
documents created using Microsoft Office applications, such as Word and
Excel.

"It singles out those files and destroys them," he said. "This hits the
local drive and the file server."

Extent of damage not known

Chien said it is unclear how much damage the
virus has done. "We've received multiple reports from major corporations
in the U.S.," he said. "What we're hoping is that the initial jump on this
Sunday night will prevent it from spreading."

Panda Software said it has added free downloads for the detection and
disinfection of the virus--which it called "extremely dangerous"--on its
Web site. The company also urged people to update antivirus software.

Esther Shin, a public relations specialist at Aventail, a Seattle-based
business-to-business e-commerce firm, said two of her colleagues
encountered the virus this morning. One of them lost all the files on his
hard drive after he opened the attachment, she added.

The email was worded to make the recipient believe that the message came
from a Microsoft employee, she said. Shin said she got a similar email but
didn't open the attachment.

"When I got hit I called all my contacts," she said.


--
Graham-John Bullers
moderator of alt.2600.moderated
email : re...@freenet.edmonton.ab.ca | ab...@freenet.toronto.on.ca

http://www.freenet.edmonton.ab.ca/~real/index.html
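
The indicators reported in the article (the lure text, the attachment name zip_files.exe, and an .exe posing as a Zip file) can be checked at a mail gateway. The following is an added example, not part of the original post; the function names, addresses and sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the article above.
BODY_PHRASE = "take a look at the attached zipped docs"
ATTACHMENT_NAME = "zip_files.exe"

def build_sample() -> bytes:
    """Constructed test message; the attachment is a harmless 64-byte MZ stub."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"   # assumed address
    msg["To"] = "user@example.com"          # assumed address
    msg["Subject"] = "RE: quarterly numbers"
    msg.set_content(
        "Hi User! I received your email and I shall send you a reply ASAP. "
        "Till then, take a look at the attached zipped docs. bye."
    )
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="zip_files.exe")
    return msg.as_bytes()

def triage_message(raw: bytes) -> list[str]:
    """Return the reasons to quarantine a message (empty list means no match)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        # Collapse whitespace so line wrapping cannot hide the phrase.
        text = " ".join(body.get_content().lower().split())
        if BODY_PHRASE in text:
            findings.append("body matches reported lure text")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name == ATTACHMENT_NAME:
            findings.append("attachment named zip_files.exe")
        # DOS/PE executables start with "MZ"; real Zip archives start with "PK".
        if data[:2] == b"MZ":
            findings.append(f"executable content in attachment {name!r}")
    return findings

if __name__ == "__main__":
    for reason in triage_message(build_sample()):
        print(reason)
```

The content check on the first two bytes still fires if the attachment is renamed, which the filename match alone would miss.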
