'July Killer' virus may hit today

The original version of this story didn't note that the virus so far seems to be primarily affecting users running the Chinese-language version of Windows. An antivirus vendor that has posted a warning about the virus says "Unless users are running Chinese Windows or frequently exchange word documents with Chinese Windows users, this virus is not considered an immediate threat."

A computer virus dubbed July Killer is expected to strike July 1. It infects Microsoft Corp.'s Word 97 documents via a Visual Basic for Applications macro, and its payload is active only during July, according to antivirus specialists.

"The virus was discovered only recently and has a destructive payload," said Michael Lai, a system engineer at Trend Micro Inc. in Hong Kong. "It can wipe out the hard disk's contents. It is fierce because when an infected document is opened, it will first infect the global template, normal.dot, and thus opening other documents would lead to infection as well."

During July, users who open an infected Word document will see a dialog box titled "A wake up call for the generation." If the user clicks the OK button, a message will appear that says, "You are wise, please choose this again later. Congratulations." If the user chooses the "cancel" button three times, another message appears: "Stop it! You are so incurable to lose three chances! Now, god will punish you."

The virus then opens the autoexec.bat file and appends the line "deltree/y c:\" to it (deltree's /y switch suppresses the confirmation prompt). The next time the user boots the machine, all files on the hard disk are deleted, according to Lai. He noted that users who have updated their antivirus signatures recently will likely have the current fix for July Killer and should be safe. "Users who don't renew their antivirus software regularly are vulnerable," Lai warned.
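A check for the persistence trick just described, written as an added example for this page (it is not code from Trend Micro or from the virus itself): it reads autoexec.bat text and flags any boot-time deltree, format or del command whose target is a drive root, whether or not the switch is glued to the command name as in the string above. The sample autoexec.bat below is constructed, not taken from an infected machine.

```python
import re

# Constructed sample autoexec.bat with the July Killer line appended.
SAMPLE_AUTOEXEC = """@ECHO OFF
SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND
LH C:\\WINDOWS\\COMMAND\\MSCDEX.EXE /D:MSCD001
deltree/y c:\\
C:\\WINDOWS\\WIN.COM
"""

# Matches a batch line that runs deltree/format/del/erase, with optional
# "@", "call", drive letter, path and .exe/.com suffix. COMMAND.COM lets a
# switch follow the command name directly ("deltree/y"), so the lookahead
# accepts "/" as well as whitespace after the name.
DESTRUCTIVE = re.compile(
    r"""^\s*@?(?:call\s+)?
        (?:[a-z]:)?(?:[\\\w.]*\\)?        # optional drive and path prefix
        (deltree|format|del|erase)         # the command
        (?:\.(?:exe|com))?                 # optional extension
        (?=[\s/]|$)(?P<args>.*)$""",
    re.IGNORECASE | re.VERBOSE,
)

# A bare drive root as an argument: "c:", "c:\" or "c:\*.*", and nothing
# after it but whitespace. "c:\temp\*.*" does not match.
ROOT_TARGET = re.compile(r"(?<![\w\\])[a-z]:\\?(?:\*\.\*)?(?=\s|$)", re.IGNORECASE)


def find_destructive_lines(autoexec_text):
    """Return (line_number, line, command) for every boot-time command that
    would wipe a drive root, e.g. the 'deltree/y c:\\' line July Killer appends."""
    hits = []
    for n, line in enumerate(autoexec_text.splitlines(), 1):
        m = DESTRUCTIVE.match(line)
        if not m:
            continue
        if ROOT_TARGET.search(m.group("args")):
            hits.append((n, line.rstrip(), m.group(1).lower()))
    return hits


if __name__ == "__main__":
    for n, line, cmd in find_destructive_lines(SAMPLE_AUTOEXEC):
        print("line %d: %s (%s against a drive root)" % (n, line, cmd))
```

The check deliberately ignores legitimate cleanup such as "del c:\temp\*.*"; only a root target at boot is treated as hostile.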

New 'Trojan Horse' strain may go mainstream


A new variety of "Trojan Horse" that broadcasts victims' files on the Internet is making its way into the mainstream, antivirus vendors warn.  While the strain compares to the Melissa and Explore.Zip worms in that it uses e-mail systems for self-perpetuation, it differs in its ability to broadcast the information from a victim's hard drive to Internet Relay Chat (IRC) channels around the world.

An IRC channel might be described as the Internet equivalent of citizens band radio, according to experts. Hundreds of IRC channels on numerous subjects are hosted across the Internet. "This type of virus is best for targeted attacks," said Dan Schrader, vice president of new technologies at Cupertino, Calif.-based Trend Micro Inc. "If it happens to get on the machine of someone with lots of confidential information, there are huge privacy implications."

For example, confidential company information about acquisitions, initial public offerings or income sources could end up available to anyone on the Internet, he said. Viruses that employ IRC as a means to retrieve victims' information have been around for about two years, Schrader said. But the first to hit the mainstream -- what virus experts call moving from a laboratory to being released "into the wild" -- was the PrettyPark virus, which debuted in France earlier this month.

PrettyPark spreads itself via an e-mail attachment bearing the icon of a character from South Park, a popular cartoon series. Once opened, the virus takes sensitive system information, such as user passwords, and posts it on multiple IRC channels. Fortunately, PrettyPark seems contained inside France because its mechanism for e-mail-based self-perpetuation isn't very good, Schrader said.

"But this is sure a sign of things to come," he warned. "And it's starting to really hit home for security professionals." According to Schrader, information technology shops have long relied on encryption and firewalls to protect highly sensitive information. But if someone gets your passwords and appears to be coming from a trusted source, encryption and firewalls can be thwarted, he said.

Schrader said the best defense against Trojan Horse e-mail viruses is end-user education -- and, of course, updated virus-scanning software. Companies should also consider developing broad policies related to e-mail attachments. For instance, companies might consider banning attachments containing macros.

"Everyone needs to think before opening attachments," advised Richard Jacobs, president of Sophos Inc., a data security company in Woburn, Mass. "Viruses can't exist in the text of an e-mail, so they don't get the chance to operate unless they're launched." This attack can put corporations at risk because telecommuters often fail to regularly update their antivirus software, said Sal Viveros, group marketing manager for total virus defense at Network Associates Inc.(NAI) in Santa Clara, Calif.

"As more and more people telecommute, that is the hardest group to keep updated and control [via] security policies [given that] remote users don't necessarily log in every day," Viveros said. NAI's Enterprise SecureCast technology pushes updates of the company's antivirus software such as VirusScan and CyberCop to users' desktops when they log on to company networks.

"If you have a valuable asset on your laptop or home machine, you should be worried about this attack," said Fred Rica, a partner at Deloitte & Touche's attack and penetration service line. Information technology managers should be concerned. Viveros said there's a growing number of remote access Trojan programs sent via e-mail that can open the backdoor to a user's PC and gather log-ins and passwords to company intranets. "It is much easier to get a remote access Trojan into a company than break down a firewall," Viveros said.

PrettyPark enters a user's system as a Trojan horse when a Windows user opens an attached e-mail file named PrettyPark. Unknown to the user, the worm connects the PC to a custom IRC channel whenever the machine is online, for instance while the user is surfing the Web or reading e-mail. Once the PC is connected, the creator of the custom channel or his robot program can download the victim's files, passwords, log-in data, operating system preferences and other personal information -- including stored credit-card numbers.

PrettyPark also sends copies of itself to the e-mail addresses listed in the user's Internet address book. Antivirus software firms say they're trying to determine who's collecting this information. The worm has mostly attacked home users, who are less likely to update antivirus software or use firewalls that block IRC traffic, according to Carey Nachenberg, chief researcher at Symantec Corp.'s antivirus research center in Cupertino, Calif.

McAfee LATEST .DAT FILE: engine 4.0, DAT 4032

VirusScan -- McAfee's VirusScan is an excellent utility for catching any viruses that may be hiding out in the darkest recesses of your hard drive. Its graphical interface is both visually appealing and intuitive. VirusScan's VShield component can run in the background, allowing you to continue working on other projects while it does its job. VirusScan's on-line help documentation provides useful insight into the program's many options. These options include the ability to configure the level of scanning desired, the ability to keep and/or print an activity log, and several additional user-configurable preferences.

The latest release of VirusScan, Version 4.x, diverges radically from previous releases -- not so much externally as internally. The biggest change is in the virus scanning engine itself. The Dr. Solomon's virus scanning engine is at the heart of VirusScan 4.x, replacing the various engines used in earlier releases of VirusScan. Because the previous scanning engines and the new Dr. Solomon's scanning engine identify and classify viruses in different ways, the virus definition updates (DAT files) for earlier releases of VirusScan will not work on the 4.x releases; conversely, the DAT files for v4.x and above will not work on earlier releases of VirusScan.

The VShield component of VirusScan has also been expanded in the latest release with the addition of three new network- and Internet-specific modules. The new E-Mail Scan module detects viruses in e-mail attachments that are sent over your internal network mail system. The Download Scan module monitors e-mail received over the Internet as well as downloaded files. Finally, the Internet Filter module detects and protects you against hostile Java applets and ActiveX Controls. The filter module can also be used to block access to specific Web sites.

The interface for VShield has been redesigned to group the configuration options for all four of the modules (the three new ones plus the existing System Scan module) and a configuration wizard has been designed to get you up and running quickly with the most common scanning options. The new release also sports a revamped VShield Security module that allows you to protect the individual properties for any VShield module against unauthorized changes.

The most recent releases of VirusScan also support detection and removal of polymorphic and macro viruses (including Office 97 viruses) using enhanced heuristic scanning technology. Additional features in these releases include ZIP file scanning, an Emergency Disk creation utility, activity log reports, compressed file scanning support (ZIPs, CABs, etc.), and ScanPM (a command-line DOS scanner that runs in protected mode and so is not bound by conventional-memory limits). All in all, VirusScan is arguably the best virus scanner in the industry.

Pros: Easy to use, scans in the background, cool interface, advanced virus scanning engine
Cons: The older releases (v2.5.x) do not remove (or scan) viruses as well as other scanners

New in v3.2.0: Improved Command Line components, more effective cleaning for MS Excel files infected with the Laroux virus, detection of macro viruses in MS Access database files, compressed file scanning support (ZIPs, CABs, etc.), improved detection technology for polymorphic viruses, scanning support for LS-120 floppy drives, Desktop Management Interface (DMI) alerts, scanning support for files embedded within MS Office files and for password-protected MS Word files; v3.2.0 includes the v3108 DAT (August '98).

New in v4.0.x: Dr Solomon's virus scanning engine; new VShield System Scan modules -- E-Mail Scan, Internet Filter (detects hostile Java applets and ActiveX Controls), and Download Scan; enhanced heuristic scanning technology; revamped VShield Security module; new versions of the VirusScan Command Line components; specialized scanners for protecting MAPI-based and cc:Mail e-mail systems.

New for June DAT 3206: Detection of 26 and removal of 19 new viruses, including detection and removal for the new W32/EXPLOREZIP.WORM -- the "ExploreZip" worm.
Note: This DAT file will only work with VirusScan v3.x - do not install it with the new v4.x releases.

New for June DAT 4031: Detection of 52 new viruses (bringing the total to 44,600+), including detection and removal for the new W32/EXPLOREZIP.WORM -- the "ExploreZip" worm; detects 130 hostile Java classes and 6 hostile ActiveX controls.
Note: This DAT file will only work with VirusScan v4.x - do not install it with earlier releases.

W32/ExploreZip.worm

Worm.ExploreZip

Virus Name: Worm.ExploreZip
Aliases: W32.ExploreZip Worm
Infection Length: 210,432 bytes
Area of Infection: Windows System directory, Email Attachments
Likelihood: Common
Detected as of: June 6, 1999
Characteristics: Worm, Trojan Horse

Overview:

Worm.ExploreZip carries a very malicious payload. It uses Microsoft Outlook, Outlook Express or Microsoft Exchange to mail itself out by replying to unread messages in your Inbox. Each time it is executed, the payload destroys every file with the extension .h, .c, .cpp, .asm, .doc, .ppt or .xls on your hard drive(s) and on any mapped drives. The worm also searches the mapped drives for Windows installations, copies itself into each Windows directory it finds and modifies that machine's WIN.INI, so systems without an e-mail client can be infected over the network as well. This continues until the worm is removed.

You may receive this worm as a file attachment named "zipped_files.exe". When run, this executable will copy itself to your Windows System directory with the filename "Explore.exe", or your Windows directory with the filename "_setup.exe". The worm modifies your WIN.INI or registry such that the "Explore.exe" file is executed each time you start Windows.  Worm.ExploreZip was first discovered in Israel and submitted to the Symantec AntiVirus Research Center on June 6, 1999.

Technical Description:
Worm.ExploreZip utilizes MAPI commands and Microsoft Outlook/Outlook Express/Microsoft Exchange on Windows 9x and NT systems to propagate itself. The worm e-mails itself out as an attachment with the filename "zipped_files.exe" in reply to unread messages it finds in your Inbox. Thus, the e-mail message may appear to come from a known e-mail correspondent in response to a previously sent e-mail. The e-mail contains the following text:

Hi Recipient Name!

I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
bye

or, with the alternative sign-off in place of "bye":

sincerely Recipient Name
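A gateway filter for the message shape just described, written as an added example for this page (it is not Symantec's or any vendor's code): it parses a message with Python's standard email module, flags executable attachments by extension or by the MZ header regardless of the filename, flags macro-capable Office attachments as the attachment policy discussed earlier in this page would, and flags the lure text above. The sample message, its addresses and the attachment bytes are constructed; the lure phrase is the one quoted above.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment types a gateway policy rejects outright.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}
# Office formats that can carry VBA macros (Melissa, July Killer); the page
# suggests banning attachments containing macros, so these are flagged too.
MACRO_CAPABLE_EXTS = {".doc", ".dot", ".xls", ".ppt"}
# Body phrase from the worm's reply message as described above.
EXPLOREZIP_PHRASE = "take a look at the attached zipped docs"


def build_sample_message():
    """Constructed message in the worm's shape; addresses and bytes are made up."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "Re: budget"
    msg.set_content(
        "Hi Bob!\n\nI received your email and I shall send you a reply ASAP.\n"
        "Till then, take a look at the attached zipped docs.\nbye\n"
    )
    # A DOS "MZ" header is enough to mark the blob as a Windows executable,
    # even if the attachment had been renamed to something innocuous.
    msg.add_attachment(b"MZ" + b"\x00" * 62 + b"PE\x00\x00",
                       maintype="application", subtype="octet-stream",
                       filename="zipped_files.exe")
    return msg.as_bytes()


def classify_message(raw):
    """Return the policy reasons for quarantining `raw`, or [] if it is clean."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and EXPLOREZIP_PHRASE in body.get_content().lower():
        reasons.append("body matches ExploreZip lure text")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = os.path.splitext(name)[1]
        data = part.get_payload(decode=True) or b""
        if ext in EXECUTABLE_EXTS or data[:2] == b"MZ":
            reasons.append("executable attachment: %s" % (name or "<unnamed>"))
        elif ext in MACRO_CAPABLE_EXTS:
            reasons.append("macro-capable Office attachment: %s" % name)
    return reasons


if __name__ == "__main__":
    for reason in classify_message(build_sample_message()):
        print("quarantine:", reason)
```

Checking the MZ header as well as the extension matters because the filter otherwise depends on the attacker keeping the ".exe" name; the body check alone would miss variants that change the lure text, which is why both are combined.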

The worm also copies itself to the Windows System (System32 on Windows NT) directory with the filename "Explore.exe" or "_setup.exe", and modifies the WIN.INI file (Windows 9x) or the registry (on Windows NT). This results in the program being executed each time Windows is started. You may find this file under your Windows Temporary directory or your attachments directory, depending on the e-mail client you are using. E-mail clients will often temporarily store e-mail attachments in these directories under different temporary names. The worm will continue to search through your Inbox as long as it is still running in memory. Thus, any new messages that are received will be replied to in the above manner.

Payload:
In addition, when Worm.ExploreZip is executed it searches drives C through Z of your computer system and selects files to destroy by extension (including .h, .c, .cpp, .asm, .doc, .xls and .ppt), opening each with CreateFile in a mode that truncates it to 0 bytes. You may notice extended hard drive activity when this occurs. This can result in non-recoverable data. The payload routine keeps running while the worm is active on the system, so any newly created files matching the extension list are destroyed as well.
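A host triage script for the two artifacts described in the last two paragraphs, written as an added example for this page (it is not Symantec's or McAfee's code): it parses the [windows] section of a WIN.INI for run= or load= entries that launch the worm's filenames, and it walks a directory tree looking for zero-length files with the targeted extensions, which is the trace the payload leaves. The WIN.INI text and the directory tree are constructed; the registry Run key used on Windows NT is not covered here.

```python
import ntpath
import os
import tempfile

# Filenames the page says the worm installs itself under.
WORM_NAMES = {"explore.exe", "_setup.exe"}
# Extensions the payload truncates to zero length.
TARGET_EXTS = {".h", ".c", ".cpp", ".asm", ".doc", ".xls", ".ppt"}

# Constructed WIN.INI, not from a real infected host.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\Explore.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""


def suspicious_run_entries(win_ini_text):
    """Return (key, executable) for every [windows] run=/load= program whose
    filename matches one the worm uses."""
    hits = []
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key.lower() not in ("run", "load"):
            continue
        # run= and load= take a comma- or space-separated list of programs;
        # ntpath is used so Windows paths split correctly on any host OS.
        for exe in value.replace(",", " ").split():
            if ntpath.basename(exe).lower() in WORM_NAMES:
                hits.append((key.lower(), exe))
    return hits


def zero_length_targets(root):
    """Walk `root` and return, relative to it, every file with a targeted
    extension and size 0: the signature the payload leaves behind."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in TARGET_EXTS and os.path.getsize(path) == 0:
                found.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(found)


def build_sample_tree():
    """Constructed tree: two wiped documents, one intact source file, one empty
    file whose extension the payload ignores."""
    root = tempfile.mkdtemp(prefix="explorezip_demo_")
    os.makedirs(os.path.join(root, "src"))
    open(os.path.join(root, "report.doc"), "wb").close()        # wiped
    open(os.path.join(root, "src", "main.c"), "wb").close()     # wiped
    with open(os.path.join(root, "src", "util.cpp"), "wb") as f:
        f.write(b"int add(int a, int b) { return a + b; }\n")   # intact
    open(os.path.join(root, "notes.txt"), "wb").close()         # not targeted
    return root


if __name__ == "__main__":
    print("autostart entries:", suspicious_run_entries(SAMPLE_WIN_INI))
    print("wiped files:", zero_length_targets(build_sample_tree()))
```

Zero-length files with these extensions are not proof of infection on their own (an editor can leave an empty .h), but a burst of them with the same modification time, together with an autostart entry, is the pattern to look for.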

New virus spills your beans


A new strain of computer virus could distribute your highly confidential documents all over the Internet. Anti-virus developers are warning that they cannot develop an antidote until the virus appears. Far from destroying vital files, the virus will make sure everyone can see them.

The new virus is expected to be a variant of either Melissa or the Explore.Zip worm, both of which have cost businesses millions in recent weeks. Both Melissa and the Explore.Zip worm rely on people opening e-mail attachments. Once into the computer, the virus sends a message to everyone in the victim's in-box and then destroys every file written in Microsoft Word, Excel or PowerPoint, among others.

New virus on the block
One variant has already appeared. PrettyPark replicates itself by sending copies to everyone in the victim's address book. It waits silently until the victim is on the Internet, then sends lists of the victim's user names, password files and address lists to Internet Relay Chat channels. Anti-virus developers are expecting the next step to be a virus which roots around in your files and then posts your documents across the Internet.

"The virus wouldn't be able to tell which of your documents are secret. It might just post your shopping list, or it could be a highly sensitive company document. What's more, it would appear as if you sent it," says Graham Cluley of Sophos Anti-Virus. Several anti-virus makers already have an answer to PrettyPark. But they cannot build a defense against future variants until they encounter them.

Java and ActiveX - next infection target
It is predicted that the next generation of viral infections will target the small programs embedded in Web pages, written as Java applets or ActiveX controls. A recent survey revealed that more than half of medium-sized organizations using an intranet had no security policy in place to respond to the threat of attacks via Java applets.

Recent estimates indicate that Melissa, Explore.Zip and other malicious attacks have cost US business $7.6bn this year alone. The viruses cannot infect Macintosh or Unix systems.

The Friendly Virus

Melissa wreaked havoc—and big trouble for its author—but some e-mail chains can spread smiles and money.

A digital contagion has brought John Sculley to his knees. The former head of Apple Computer is kneeling at the side of Eyal Gever and watching the 28-year-old founder of an Israeli start-up called Zapa.com demonstrate his latest software. The product, dubbed Gizmoz, allows people to create electronic greeting cards, photo albums and other digital doodads with sound, animation and pictures. The special sauce: with the click of a button, the creations can be e-mailed to a friend, who can, in turn, make gizmos of his own. Sculley, whose investment company owns a stake in Zapa.com, can barely sit still, fetching Gever beverages, scrawling notes and whispering in people's ears. "Of the 23 companies we've invested in," he says, "this is by far the most exciting."

What's made Sculley so feverish is a form of computer virus. But this strain is friendly. Called "viral marketing," it's the trick of getting customers to propagate a product on behalf of the company that creates it. One of the cheapest and most effective Internet marketing schemes ever, viral marketing allows even the motliest start-ups to gain a worldwide audience. This week, in what Zapa hopes will be a highly infectious digital sneeze, the company plans to unleash its Gizmoz publishing service with dreams of having it spread faster on the Internet than the Melissa virus or Monica jokes.

Suddenly it seems that all sorts of Net companies have gone viral, from software developers and game makers to e-mail firms. When they play the word-of-mouse game right, they can experience exponential growth. Hotmail, a free e-mail service, affixed a little advertisement to every missive its users sent, thereby making every user a salesperson. Within a year, Hotmail had a whopping 5 million subscribers. The company reportedly spent only $500,000 on marketing compared with the $16 million a rival shelled out for only 6.8 million users. Now Hotmail has 35 million users and has been sold to Microsoft for more than $400 million. Hasbro Interactive lets users download games like Scrabble and forward them, along with their move, to any user with an e-mail address. Recipients can play for free—but to start a new game, they must purchase the software online. Catchy.

The most potent marketing viruses are forming in Israel. Topping the list is a service called ICQ ("I seek you"), a little piece of software by a company called Mirabilis that lets users see when their friends are logged on and initiate real-time chat sessions. If Grandma doesn't have the program, click on a little button, fill out her e-mail address, and a link to download the software will land right in her mailbox. Today, 90,000 people sign up for the ICQ service each day, and the chat software boasts a colossal audience of 32 million users.

Had the software been conventionally marketed, it might not have made it off store shelves. "We never spent a penny on conventional marketing," says Yossi Vardi, one of the driving forces behind Mirabilis and viral marketing. "We never made one either." No matter. Seeing money in the size of the ICQ audience, AOL bought the company for $400 million last year. Now AOL is shepherding ICQ gingerly so as not to disrupt the service's grass-roots swell. "The less you do, the more it grows," says AOL's Ted Leonsis. "This is a phenomenon like we've never seen."

The growth has been driven by users like Jeneen Rothstein, a 62-year-old secretary in Moses Lake, Wash. Three years ago she and other Yorkshire terrier owners she had met on the Web communicated via e-mail, but that was awkward and slow. Then she heard about ICQ from a friend and downloaded a copy. She liked it and suggested her friends try it. Suddenly, a little network of chatty Yorkie masters was born.

Now Gever is trying to replicate the success of ICQ, which was developed by a group of his former employees. His idea for Gizmoz was born out of an intersection of experiences with the Israeli Army and Pottery Barn. While in the military, he wrote software simulations for battle training, getting a good background in 3-D graphics. At 23, Gever started Zapa.com and developed 3-D photorealistic technology that caught the attention of several blue-chip tech companies. Last year, during a visit to New York, he dropped into a Pottery Barn to pick up picture frames for snapshots of his newborn. "It hit me," he says. Browsing the store, he conceived of developing a huge collection of digital designs that would help people furnish their home pages and text messages, their chat communications and greeting cards.

Easy publishing services already abound on the Internet. But Zapa.com will take Gizmoz much further. Supplementing its trove of animation, sound and templates, the company will soon allow users to paste Gizmoz anywhere: online guest books, home pages, message boards. Soon, the company plans to spruce up Gizmoz so that when the author makes a change, all the copies of the Gizmo—no matter where they are on the Net—will change with it. Eventually, people will be able to pump music and video through their Gizmoz and "become a DJ of their own Gizmo network," says Gever.

So how will they make money? Like Mirabilis, by building an audience so advertisers will come. Each Gizmo has space for an ad, and Zapa.com can give advertisers detailed demographic information to allow them to better target their pitches. If Gizmo viewers actually click and buy something, Zapa.com can get a cut of the transaction. To build the audience, Zapa.com has hired a band of evangelists, people of every stripe with specific interests, who are expanding their spheres of online friends in chat rooms, on message boards and in other Web neighborhoods. Think of them as carriers, albeit friendly ones, among us.