'July Killer' virus may hit today
The original
version of this story didn't note that the virus so far
seems to be primarily affecting users running the
Chinese-language version of Windows. An antivirus vendor
that has posted a warning about the virus says "Unless
users are running Chinese Windows or frequently exchange
Word documents with Chinese Windows users, this virus is not
considered an immediate threat."
A computer virus dubbed July Killer is
expected to strike July 1. Active only during July, it will
infect Microsoft Corp.'s Word 97 documents via a Visual
Basic macro, according to antivirus specialists.
"The virus was discovered only
recently and has a destructive payload," said Michael
Lai, a system engineer at Trend Micro Inc. in Hong Kong.
"It can wipe out the hard disk's contents."
"It is fierce because when an infected document is
opened, it will first infect the global template, normal.dot,
and thus opening other documents would lead to infection as
well," Lai said.
During July, users who open an infected
Word document will see a dialog box entitled "A wake up
call for the generation." If the user clicks the OK
button, a message will appear that says, "You are wise,
please choose this again later. Congratulations." If
the user chooses the "cancel" button three times,
another message appears: "Stop it! You are so incurable
to lose three chances! Now, god will punish you."
The virus will then open the autoexec.bat
file and add the command line "deltree/y c:\" to
the file. The next time the user boots the machine, all
files in the hard disk will be deleted, according to Lai. He
noted that users who have updated their systems recently
will likely have the current fix for July Killer and should
be safe. "Users who don't renew their antivirus
software regularly are vulnerable," Lai warned.
New 'Trojan Horse' strain may go mainstream
A new variety of "Trojan Horse"
that broadcasts victims' files on the Internet is making its
way into the mainstream, antivirus vendors warn. While the strain compares to the Melissa and
Explore.Zip worms in that it uses e-mail systems for
self-perpetuation, it differs in its ability to broadcast
the information from a victim's hard drive to Internet Relay
Chat (IRC) channels around the world.
An IRC channel might be described as the
Internet equivalent of citizens band radio, according to
experts. Hundreds of IRC channels on numerous subjects are
hosted across the Internet. "This type of virus is best
for targeted attacks," said Dan Schrader, vice
president of new technologies at Cupertino, Calif.-based
Trend Micro Inc. "If it happens to get on the machine
of someone with lots of confidential information, there are
huge privacy implications."
For example, confidential company
information about acquisitions, initial public offerings or
income sources could end up available to anyone on the
Internet, he said. Viruses that employ IRC as a means to
retrieve victims' information have been around for about two
years, Schrader said. But the first to hit the mainstream --
what virus experts call moving from a laboratory to being
released "into the wild" -- was the PrettyPark
virus, which debuted in France earlier this month.
PrettyPark spreads itself via an e-mail
attachment bearing the icon of a character from South Park,
a popular cartoon series. Once opened, the virus takes
sensitive system information, such as user passwords, and
posts it on multiple IRC channels. Fortunately, PrettyPark
seems contained inside France because its mechanism for
e-mail-based self-perpetuation isn't very good, Schrader
said.
"But this is sure a sign of things
to come," he warned. "And it's starting to really hit home
for security professionals." According to Schrader,
information technology shops have long relied on encryption
and firewalls to protect highly sensitive information. But
if someone gets your passwords and seems to be coming from a
trusted source, encryption and firewalls can be thwarted, he
said.
Schrader said the best defense against
Trojan Horse e-mail viruses is end-user education -- and, of
course, updated virus-scanning software. Companies should
also consider developing broad policies related to e-mail
attachments. For instance, companies might consider banning
attachments containing macros.
"Everyone needs to think before
opening attachments," advised Richard Jacobs, president
of Sophos Inc., a data security company in Woburn, Mass.
"Viruses can't exist in the text of an e-mail, so they
don't get the chance to operate unless they're
launched." This attack can put corporations at risk
because telecommuters often fail to regularly update their
antivirus software, said Sal Viveros, group marketing
manager for total virus defense at Network Associates
Inc. (NAI) in Santa Clara, Calif.
"As more and more people
telecommute, that is the hardest group to keep updated and
control [via] security policies [given that] remote users
don't necessarily log in every day," Viveros said.
NAI's Enterprise SecureCast technology pushes updates of the
company's antivirus software such as VirusScan and CyberCop
to users' desktops when they log on to company networks.
"If you have a valuable asset on
your laptop or home machine, you should be worried about
this attack," said Fred Rica, a partner at Deloitte
& Touche's attack and penetration service line.
Information technology managers should be concerned. Viveros
said there's a growing number of remote access Trojan
programs sent via e-mail that can open the backdoor to a
user's PC and gather log-ins and passwords to company
intranets. "It is much easier to get a remote access
Trojan into a company than break down a firewall,"
Viveros said.
PrettyPark enters a user's system as a
Trojan horse when Windows users open an attached e-mail file
named PrettyPark. Unknown to users, the worm connects their
PC to a custom IRC channel when they are logged on to a
remote server while surfing the Web or reading e-mail. Once
connected to an IRC, the creator of the custom channel or
his robot program can download the victim's files,
passwords, log-in data, operating system preferences and
other personal information -- including stored credit-card
numbers.
PrettyPark also sends duplicate files of
itself to the e-mail addresses listed in the user's Internet
address book. Antivirus software firms say they're trying to
determine who's collecting this information. The worm has
mostly attacked home users who are less likely to update
antivirus software or use firewalls that block IRC traffic,
according to Carey Nachenburg, chief researcher at Symantec
Corp.'s antivirus research center in Cupertino, Calif.
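The control Nachenburg mentions, a firewall that blocks or at least notices IRC traffic from ordinary workstations, is easy to approximate from connection logs. The script below is an added example written for this page, not code from Symantec, Trend Micro or any other vendor quoted here; it assumes a simple constructed firewall-log layout ("date time ALLOW|DENY TCP src:port -> dst:port"), uses the conventional IRC server ports 6660-6669 and 7000, and runs over constructed sample lines in which one host behaves like a PrettyPark victim reconnecting to an IRC server.

```python
import re
from collections import Counter

# IRC's conventional server ports (assumption for this example, not from the page).
IRC_PORTS = frozenset(range(6660, 6670)) | frozenset({7000})

# Constructed log layout, one connection per line:
# "<date> <time> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_irc_egress(lines, allowed_hosts=frozenset()):
    """Return records for connections the firewall ALLOWED out to an IRC port
    from hosts not on allowed_hosts. DENY lines are skipped because the firewall
    already stopped them, which is the control the article describes."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["action"] == "ALLOW" and rec["proto"] == "TCP"
                and rec["dport"] in IRC_PORTS and rec["src"] not in allowed_hosts):
            hits.append(rec)
    return hits


def summarize_by_host(events):
    """Count flagged connections per source host, so a machine that keeps
    reconnecting to an IRC server stands out from a one-off connection."""
    return dict(Counter(e["src"] for e in events))


# Constructed sample log (not a real capture). 10.0.0.12 behaves like an infected
# workstation; 10.0.0.30 is a known, permitted IRC user; 10.0.0.31 was already blocked.
SAMPLE_LOG = """\
1999-06-21 09:14:02 ALLOW TCP 10.0.0.12:1043 -> 192.0.2.50:80
1999-06-21 09:14:10 ALLOW TCP 10.0.0.12:1044 -> 198.51.100.7:6667
1999-06-21 09:14:11 ALLOW TCP 10.0.0.12:1045 -> 198.51.100.7:6667
1999-06-21 09:15:30 ALLOW TCP 10.0.0.30:1100 -> 203.0.113.9:6667
1999-06-21 09:16:00 DENY TCP 10.0.0.31:1200 -> 203.0.113.9:6667
1999-06-21 09:16:05 ALLOW TCP 10.0.0.40:1300 -> 192.0.2.60:25
this line is garbage and is ignored
"""

# Constructed allow-list of hosts that are expected to use IRC.
KNOWN_IRC_USERS = frozenset({"10.0.0.30"})

if __name__ == "__main__":
    flagged = find_irc_egress(SAMPLE_LOG.splitlines(), KNOWN_IRC_USERS)
    for rec in flagged:
        print(f'{rec["ts"]} {rec["src"]} -> {rec["dst"]}:{rec["dport"]}')
    print(summarize_by_host(flagged))
```

The allow-list matters: without it a legitimate IRC user is reported alongside the infected machine, so the per-host summary is the part worth reviewing rather than the raw hit list.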

McAfee
Latest .DAT file: 4.0 4032
VirusScan -- McAfee's VirusScan is an excellent utility for catching
any viruses that may be hiding out in the darkest recesses
of your hard drive. Its graphical interface is both visually
appealing and intuitive. VirusScan's VShield component can
run in the background, allowing you to continue working on
other projects while it does its job. VirusScan's on-line
help documentation provides useful insight into the
program's many options. These options include the ability to
configure the level of scanning desired, the ability to keep
and/or print an activity log, and several additional
user-configurable preferences.
The latest release of VirusScan, Version
4.x, diverges radically from previous releases -- not so
much externally as internally. The biggest change is in the
virus scanning engine itself. The Dr. Solomon's virus
scanning engine is at the heart of VirusScan 4.x, replacing
the various engines used in earlier releases of VirusScan.
Because the previous scanning engines and the new Dr.
Solomon's scanning engine identify and classify viruses in
different ways, the virus definition updates (DAT files) for
earlier releases of VirusScan will not work on the 4.x
releases; conversely, the DAT files for v4.x and above will
not work on earlier releases of VirusScan.
The VShield component of VirusScan has
also been expanded in the latest release with the addition
of three new network- and Internet-specific modules. The new
E-Mail Scan module detects viruses in e-mail attachments
that are sent over your internal network mail system. The
Download Scan module monitors e-mail received over the
Internet as well as downloaded files. Finally, the Internet
Filter module detects and protects you against hostile Java
applets and ActiveX Controls. The filter module can also be
used to block access to specific Web sites.
The interface for VShield has been
redesigned to group the configuration options for all four
of the modules (the three new ones plus the existing System
Scan module) and a configuration wizard has been designed to
get you up and running quickly with the most common scanning
options. The new release also sports a revamped VShield
Security module that allows you to protect the individual
properties for any VShield module against unauthorized
changes.
The most recent releases of VirusScan
also support virus detection and removal of polymorphic and
macro viruses (including Office97 viruses) using enhanced
heuristic scanning technology. Additional features in these
releases include ZIP file scanning, an Emergency Disk
creation utility, activity log reports, compressed file
scanning support (ZIPs, CABs, etc.), and ScanPM (a
command-line scanner that operates in protected mode
environments like DOS). All in all, VirusScan is arguably
the best virus scanner in the industry.
Pros: Easy to use, scans in the
background, cool interface, advanced virus scanning engine
Cons: The older releases (v2.5.x) do not remove (or
scan) viruses as well as other scanners
New in v3.2.0:
Improved Command Line components, more effective cleaning
for MS Excel files infected with the Laroux virus, detection
of macro viruses in MS Access database files, compressed
file scanning support (ZIPs, CABs, etc.), improved detection
technology for polymorphic viruses, scanning support for
LS-120 floppy drives, Desktop Management Interface (DMI)
alerts, scanning support for files embedded within MS Office
files and for password-protected MS Word files; v3.2.0
includes the v3108 DAT (August '98); Release Notes
New in v4.0.x:
Dr Solomon's virus scanning engine; new VShield System Scan
modules -- E-Mail Scan, Internet Filter (detects hostile
Java applets and ActiveX Controls), and Download Scan
modules; enhanced heuristic scanning technology, revamped
VShield Security module, new versions of VirusScan Command
Line components, specialized scanners for protecting
MAPI-based and cc:Mail e-mail systems; Release Notes
New for June DAT 3206: Detection of 26 and removal of 19 new viruses,
including detection and removal for the new W32/EXPLOREZIP.WORM
-- the "ExploreZip" worm; complete list.
Note: This DAT file will only work with VScan v3.x - do not install it
with the new v4.x releases.
New for June DAT 4031: Detection of 52 new viruses (bringing total to
44,600+), including detection and removal for the new W32/EXPLOREZIP.WORM
-- the "ExploreZip" worm; detects 130 hostile Java classes and 6 hostile
ActiveX controls; complete list.
Note: This DAT file will only work with VScan v4.x - do not install it
with earlier releases.
Worm.ExploreZip
Virus Name: Worm.ExploreZip
Aliases: W32.ExploreZip Worm
Infection Length: 210,432 bytes
Area of Infection: Windows System directory, Email Attachments
Likelihood: Common
Detected as of: June 6, 1999
Characteristics: Worm, Trojan Horse
Overview:
Worm.ExploreZip contains a very malicious
payload. Worm.ExploreZip utilizes Microsoft Outlook, Outlook
Express, and Microsoft Exchange to mail itself out by
replying to unread messages in your Inbox. The payload of
the worm will destroy any file with the extension .h, .c, .cpp,
.asm, .doc, .ppt, or .xls on your hard drive(s), as well as
any mapped drives, each time it is executed. The worm will
also search the mapped drives for Windows installations and
copy itself to the Windows directory, and then modify the
WIN.INI file. This will infect systems without e-mail
clients. This continues to occur until the worm is removed.
You may receive this worm as a file
attachment named "zipped_files.exe".
When run, this executable will copy itself to your Windows
System directory with the filename "Explore.exe",
or your Windows directory with the filename "_setup.exe". The worm
modifies your WIN.INI or registry such that the "Explore.exe" file is executed
each time you start Windows. Worm.ExploreZip was first
discovered in Israel and submitted to the Symantec AntiVirus
Research Center on June 6, 1999.
Technical Description:
Worm.ExploreZip utilizes MAPI commands and
Microsoft Outlook/Outlook Express/Microsoft Exchange on
Windows 9x and NT systems to propagate itself. The worm
e-mails itself out as an attachment with the filename "zipped_files.exe" in reply to
unread messages it finds in your Inbox. Thus, the e-mail
message may appear to come from a known e-mail correspondent
in response to a previously sent e-mail. The e-mail contains
the following text:
Hi Recipient Name!
I received your email and I shall send you a reply
ASAP.
Till then, take a look at the attached zipped docs.
bye or sincerely
Recipient Name
The worm also copies itself to the Windows System
(System32 on Windows NT) directory with the filename "Explore.exe" or "_setup.exe", and modifies the
WIN.INI file (Windows 9x) or the registry (on Windows NT).
This results in the program being executed each time Windows
is started. You may find this file under your Windows
Temporary directory or your attachments directory, depending
on the e-mail client you are using. E-mail clients will
often temporarily store e-mail attachments in these
directories under different temporary names. The worm will
continue to search through your Inbox as long as it is still
running in memory. Thus, any new messages that are received
will be replied to in the above manner.
Payload:
In addition, when Worm.ExploreZip is executed, it
searches drives C through Z of your computer system and
selects a series of files to destroy based on file
extensions (including .h, .c, .cpp, .asm, .doc, .xls, .ppt)
by calling CreateFile, and making them 0 bytes long. You may
notice extended hard drive activity when this occurs. This
can result in non-recoverable data. This payload routine
continues to happen while the worm is active on the system.
Thus, any newly created files matching the extensions list
will be destroyed as well.
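Both worms on this page leave host indicators an administrator can check for: July Killer appends "deltree/y c:\" to autoexec.bat, ExploreZip drops a copy as Explore.exe or _setup.exe and edits WIN.INI so it starts with Windows, and the ExploreZip payload leaves source and Office files truncated to 0 bytes. The triage script below is an added example written for this page, not code from Symantec, Trend Micro or McAfee. It assumes that ExploreZip's WIN.INI change is a run= or load= line in the [windows] section (the page only says the file is modified), and the autoexec.bat text, WIN.INI text and directory tree it examines are constructed samples.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions the page lists as targets of the ExploreZip payload.
EXPLOREZIP_TARGET_EXTS = frozenset({".h", ".c", ".cpp", ".asm", ".doc", ".xls", ".ppt"})

# Filenames the page gives for the dropped worm copy.
EXPLOREZIP_DROPPED_NAMES = frozenset({"explore.exe", "_setup.exe"})


def find_autoexec_wipe_lines(autoexec_text):
    """Return (line number, line) for autoexec.bat lines that run DELTREE with the
    /y (no-prompt) switch, the July Killer trick from the article. Matching is
    case-insensitive and tolerates "deltree/y" with no space, as quoted on the page."""
    hits = []
    for lineno, line in enumerate(autoexec_text.splitlines(), 1):
        if re.search(r"\bdeltree\s*/y\b", line, re.IGNORECASE):
            hits.append((lineno, line.strip()))
    return hits


def find_winini_run_entries(winini_text):
    """Return (key, target) pairs from run= / load= lines in the [windows] section
    whose target filename is one of the worm's dropped names.
    Assumption (not stated on the page): the worm persists through such a line."""
    section = None
    hits = []
    for raw in winini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key in ("run", "load"):
                # run= may list several programs separated by spaces or commas.
                for target in re.split(r"[ ,]+", value.strip()):
                    name = os.path.basename(target.replace("\\", "/")).lower()
                    if name in EXPLOREZIP_DROPPED_NAMES:
                        hits.append((key, target))
    return hits


def find_zeroed_files(root, exts=EXPLOREZIP_TARGET_EXTS):
    """Walk root and return root-relative POSIX paths of 0-byte files whose extension
    is in exts. A cluster of such files is what the page's payload (files opened with
    CreateFile and truncated) leaves behind; the data itself is not recoverable here."""
    zeroed = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in exts and p.stat().st_size == 0:
                zeroed.append(p.relative_to(root).as_posix())
    return sorted(zeroed)


# Constructed samples (not taken from an infected machine).
SAMPLE_AUTOEXEC = "@ECHO OFF\r\nPATH C:\\WINDOWS;C:\\DOS\r\ndeltree/y c:\\\r\n"
SAMPLE_WININI = (
    "[windows]\r\nload=\r\nrun=C:\\WINDOWS\\SYSTEM\\Explore.exe\r\n"
    "[Desktop]\r\nWallpaper=(None)\r\n"
)


def build_sample_tree():
    """Create a throwaway directory that looks like a drive after the payload ran:
    two truncated source files, one intact document and one unrelated empty file."""
    root = tempfile.mkdtemp(prefix="explorezip_demo_")
    (Path(root) / "src").mkdir()
    (Path(root) / "src" / "main.c").write_bytes(b"")
    (Path(root) / "src" / "util.H").write_bytes(b"")
    (Path(root) / "report.doc").write_bytes(b"intact contents")
    (Path(root) / "empty.txt").write_bytes(b"")
    return root


if __name__ == "__main__":
    print("autoexec.bat wipe lines:", find_autoexec_wipe_lines(SAMPLE_AUTOEXEC))
    print("WIN.INI worm entries:  ", find_winini_run_entries(SAMPLE_WININI))
    print("zeroed payload targets:", find_zeroed_files(build_sample_tree()))
```

The zero-byte check is a post-incident signal only: by the time those files are found the contents are gone, which is why the startup-file checks and current virus definitions matter more than any cleanup step.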
New virus spills your beans
A new strain of
computer virus could distribute your highly confidential
documents all over the Internet. Anti-virus developers are
warning that they cannot develop an antidote until the virus
appears. Far from destroying vital files, the virus will
make sure everyone can see them.
The new virus is expected to be a variant of either
Melissa or the Explore.Zip worm, both of which have cost
businesses millions in recent weeks. Both Melissa and the
Explore.Zip worm rely on people opening email attachments.
Once into the computer the virus sends a message to everyone
in the victim's in-box and then destroys every file written
in Microsoft Word, Excel or Powerpoint, among others.
New virus on the block
One variant has already appeared. PrettyPark
replicates itself by sending copies to everyone in the
victim's address book. It waits silently until the victim is
on the Internet, then sends lists of the victim's user
names, password files and address lists to Internet Relay
Chat channels. Anti-virus developers are expecting the next
step to be a virus which roots around in your files and then
posts your documents across the Internet.
"The virus wouldn't be able to tell which of your
documents are secret. It might just post your shopping list,
or it could be a highly sensitive company document.
"What's more, it would appear as if you sent it,"
says Graham Cluley of Sophos Anti-Virus. Several anti-virus
makers already have an answer to PrettyPark. But they cannot
build a defense against future variants until they encounter
them.
Java and ActiveX - next
infection target
It is predicted that the next generation of viral
infections will hit small Web page programs called applets,
written in Java and ActiveX. A recent survey revealed that
more than half of medium-sized organizations using an
intranet had no security policy in place to respond to the
threat of attacks on Java applets.
Recent estimates indicate that Melissa, Explore.Zip and
other malicious attacks have cost US business $7.6bn this
year alone. The viruses cannot infect Macintosh or Unix
systems.
The Friendly Virus
Melissa wreaked havoc -- and big trouble for its author -- but some e-mail chains can
spread smiles and money.
A digital contagion has brought John
Sculley to his knees. The former head of Apple Computer is kneeling at
the side of Eyal Gever and watching the 28-year-old founder of an
Israeli start-up called Zapa.com demonstrate his latest software. The
product, dubbed Gizmoz, allows people to create electronic greeting
cards, photo albums and other digital doodads with sound, animation
and pictures. The special sauce: with the click of a button, the
creations can be e-mailed to a friend, who can, in turn, make gizmos
of his own. Sculley, whose investment company owns a stake in Zapa.com,
can barely sit still, fetching Gever beverages, scrawling notes and
whispering in people's ears. "Of the 23 companies we've invested
in," he says, "this is by far the most exciting."
What's made Sculley
so feverish is a form of computer virus. But this strain is friendly.
Called "viral marketing," it's the trick of getting
customers to propagate a product on behalf of the company that creates
it. One of the cheapest and most effective Internet marketing schemes
ever, viral marketing allows even the motliest start-ups to gain a
worldwide audience. This week, in what Zapa hopes will be a highly
infectious digital sneeze, the company plans to unleash its Gizmoz
publishing service with dreams of having it spread faster on the
Internet than the Melissa virus or Monica jokes.
Suddenly it seems
that all sorts of Net companies have gone viral, from software
developers and game makers to e-mail firms. When they play the
word-of-mouse game right, they can experience exponential growth.
Hotmail, a free e-mail service, affixed a little advertisement to
every missive its users sent, thereby making every user a salesperson.
Within a year, Hotmail had a whopping 5 million subscribers. The
company reportedly spent only $500,000 on marketing compared with the
$16 million a rival shelled out for only 6.8 million users. Now
Hotmail has 35 million users and has been sold to Microsoft for more
than $400 million. Hasbro Interactive lets users download games like
Scrabble and forward them, along with their move, to any user with an
e-mail address. Recipients can play for free -- but to start a new
game, they must purchase the software online. Catchy.
The most potent
marketing viruses are forming in Israel. Topping the list is a service
called ICQ ("I seek you"), a little piece of software by a
company called Mirabilis that lets users see when their friends are
logged on and initiate real-time chat sessions. If Grandma doesn't
have the program, click on a little button, fill out her e-mail
address, and a link to download the software will land right in her
mailbox. Today, 90,000 people sign up for the ICQ service each day,
and the chat software boasts a colossal audience of 32 million users.
Had the software
been conventionally marketed, it might not have made it off store
shelves. "We never spent a penny on conventional marketing,"
says Yossi Vardi, one of the driving forces behind Mirabilis and viral
marketing. "We never made one either." No matter. Seeing
money in the size of the ICQ audience, AOL bought the company for $400
million last year. Now AOL is shepherding ICQ gingerly so as not to
disrupt the service's grass-roots swell. "The less you do, the
more it grows," says AOL's Ted Leonsis. "This is a
phenomenon like we've never seen."
The growth has been
driven by users like Jeneen Rothstein, a 62-year-old secretary in
Moses Lake, Wash. Three years ago she and other Yorkshire terrier
owners she had met on the Web communicated via e-mail, but that was
awkward and slow. Then she heard about ICQ from a friend and
downloaded a copy. She liked it and suggested her friends try it.
Suddenly, a little network of chatty Yorkie masters was born.
Now Gever is trying
to replicate the success of ICQ, which was developed by a group of his
former employees. His idea for Gizmoz was born out of an intersection
of experiences with the Israeli Army and Pottery Barn. While in the
military, he wrote software simulations for battle training, getting a
good background in 3-D graphics. At 23, Gever started Zapa.com and
developed 3-D photorealistic technology that caught the attention of
several blue-chip tech companies. Last year, during a visit to New
York, he dropped into a Pottery Barn to pick up picture frames for
snapshots of his newborn. "It hit me," he says. Browsing the
store, he conceived of developing a huge collection of digital designs
that would help people furnish their home pages and text messages,
their chat communications and greeting cards.
Easy publishing
services already abound on the Internet. But Zapa.com will take Gizmoz
much further. Supplementing its trove of animation, sound and
templates, the company will soon allow users to paste Gizmoz anywhere:
online guest books, home pages, message boards. Soon, the company
plans to spruce up Gizmoz so that when the author makes a change, all
the copies of the Gizmo -- no matter where they are on the Net -- will
change with it. Eventually, people will be able to pump music and
video through their Gizmoz and "become a DJ of their own Gizmo
network," says Gever.
So how will they
make money? Like Mirabilis, by building an audience so advertisers
will come. Each Gizmo has space for an ad, and Zapa.com can give
advertisers detailed demographic information to allow them to better
target their pitches. If Gizmo viewers actually click and buy
something, Zapa.com can get a cut of the transaction. To build the
audience, Zapa.com has hired a band of evangelists -- people of every
stripe with specific interests -- who are expanding their spheres of
online friends in chat rooms, on message boards and other Web
neighborhoods. Think of them as carriers -- albeit friendly ones -- among
us.