Friday, March 13, 2009

New big-payload worm identified, and steps to remove it permanently

Disguised as e-mail from an acquaintance, a malicious computer "worm" capable of destroying data on infected machines was spreading Thursday, forcing at least a handful of businesses to shut down their e-mail systems.

It was not immediately clear how far the "Worm.ExploreZip" program - which replicates itself by commandeering Microsoft Outlook on Windows systems - had spread since it was reported to Symantec Corp.'s AntiVirus Research Center on Sunday.

Carnegie Mellon University's Computer Emergency Response Team had not received any reports of the worm as of early Thursday, but it was causing havoc with e-mail at Microsoft, NBC and General Electric (MSNBC is a joint venture of Microsoft and NBC).

System administrators at GE shut down the company's e-mail system in an attempt to isolate the worm.

How the worm works
Symantec (Nasdaq:SYMC) said the worm, which was first discovered in Israel, e-mails itself as an attachment with the file name "zipped_files.exe."

The worm scans the Outlook "Inbox" to harvest the addresses of recent correspondents and sends itself to them as a reply, which is why the message appears to come from someone the recipient has actually written to. The body of the message reads:

"Hi (recipient's name)!

"I received your e-mail and I shall send you a reply ASAP.

"Till then, take a look at the attached zipped docs.

"Bye."

According to an advisory posted by Symantec, users who receive such a message should delete it without opening the attachment, then empty the Deleted Items folder so the executable is no longer on the machine.
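The lure described above has two stable indicators a mail gateway can key on: the attachment name "zipped_files.exe" and the fixed wording of the body. The following is an added example, not code from the original article, Symantec or Network Associates; it classifies RFC 822 messages on those indicators and builds its own constructed test messages inline (the sender, recipient and subject are made up). The attachment name is the durable signal; the phrase matching is deliberately brittle and is only used to escalate an executable attachment that arrives with the lure text. Note that sender reputation is useless here, because the worm replies to real correspondents from a real mailbox.

```python
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Indicators taken from the advisory text: the attachment name and the lure wording.
LURE_ATTACHMENT = "zipped_files.exe"
LURE_PHRASES = (
    "i received your e-mail and i shall send you a reply asap",
    "take a look at the attached zipped docs",
)


def attachment_names(msg: Message) -> list[str]:
    """File names of every MIME part that carries one (Content-Disposition or Content-Type name)."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def body_text(msg: Message) -> str:
    """Lower-cased concatenation of all text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks).lower()


def classify(raw_message: str) -> dict:
    """Return a verdict ('block', 'review' or 'allow') and the indicators that fired."""
    msg = message_from_string(raw_message)
    names = [n.lower() for n in attachment_names(msg)]   # case-insensitive, as on FAT/NTFS
    body = body_text(msg)
    indicators = []
    if LURE_ATTACHMENT in names:
        indicators.append("attachment:" + LURE_ATTACHMENT)
    if any(n.endswith(".exe") for n in names):
        indicators.append("attachment:executable")
    for phrase in LURE_PHRASES:
        if phrase in body:
            indicators.append("body:" + phrase[:24])
    lure_text = any(i.startswith("body:") for i in indicators)
    if LURE_ATTACHMENT in names or ("attachment:executable" in indicators and lure_text):
        verdict = "block"       # known name, or a renamed executable carrying the lure text
    elif "attachment:executable" in indicators:
        verdict = "review"      # any other executable attachment gets a human look
    else:
        verdict = "allow"
    return {"verdict": verdict, "indicators": indicators}


def build_sample(body: str, attachment_name: str) -> str:
    """Constructed test message (hypothetical addresses; not a captured worm sample)."""
    m = MIMEMultipart()
    m["From"] = "colleague@example.com"   # the worm replies from a real correspondent's mailbox
    m["To"] = "bob@example.com"
    m["Subject"] = "Re: meeting notes"
    m.attach(MIMEText(body))
    att = MIMEApplication(b"MZ\x90\x00 stub", Name=attachment_name)   # fake PE header, not the worm
    att["Content-Disposition"] = f'attachment; filename="{attachment_name}"'
    m.attach(att)
    return m.as_string()


# The lure body quoted in the advisory, with a constructed recipient name.
WORM_LURE = ("Hi Bob!\n\nI received your e-mail and I shall send you a reply ASAP.\n\n"
             "Till then, take a look at the attached zipped docs.\n\nBye.")

if __name__ == "__main__":
    print(classify(build_sample(WORM_LURE, "zipped_files.exe")))
    print(classify(build_sample(WORM_LURE, "ZIPPED_FILES.EXE")))   # upper-case name is still blocked
    print(classify(build_sample(WORM_LURE, "report.exe")))         # renamed, caught by lure text + .exe
    print(classify(build_sample("Minutes attached.", "minutes.doc")))
```

Run the file directly to see the three verdicts. In a real gateway the phrase list would be one signature among many; the point of the example is that the attachment-name check alone already blocks the sample exactly as distributed, while the body check catches the trivially renamed variant.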

System file modified
If the file is executed on a Windows 9x system, the worm copies itself to the c:\windows\system directory with the filename "Explore.exe" and then modifies the WIN.INI file so that the program is executed each time Windows is started, the advisory says.

The worm then utilizes the infected computer's e-mail client to harvest e-mail addresses in order to propagate itself.

In addition, when Worm.ExploreZip is executed it searches drives C through Z, selects files with particular extensions and destroys them by truncating each one to 0 bytes. Because the contents are overwritten rather than merely deleted, the files cannot be recovered by undeleting them.

This can result in unrecoverable data loss and, if system files are hit, an unbootable machine, the Symantec advisory warns.

How to get rid of it
If your computer is infected, security software company Network Associates recommends these steps to remove it:

If you're running Windows 95 or 98:
Restart your computer in MS-DOS mode, open c:\windows\win.ini in a text editor (EDIT.COM will do) and remove the line run=c:\windows\system\explore.exe from the [windows] section. Then delete the file "c:\windows\system\explore.exe" and restart Windows.

If you're running Windows NT:
Run REGEDIT (not REGEDT32) and navigate to the key [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]. Delete the value named "run", whose data is "C:\\WINNT\\System32\\Explore.exe".

Restart Windows NT, then remove the file "c:\winnt\system32\Explore.exe". Removing the worm does not bring back the files it truncated; those must be restored from backup.
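The Windows 9x persistence mechanism and its removal, above, come down to editing one line of an INI file. The following is an added example, not the vendors' removal tool: it parses a WIN.INI [windows] section, lists the run= and load= autostart entries, and strips only the entry whose file name matches, leaving any other program on the same line in place (a blanket "delete the run= line" would also kill legitimate autostart entries). The sample WIN.INI is constructed to look as the advisory describes an infected machine; it is not a captured file. It assumes the 9x convention that multiple programs on a run= line are separated by spaces or commas, which rules out paths containing spaces.

```python
import re

# Constructed WIN.INI as the advisory describes it after infection (not from a real machine).
SAMPLE_WIN_INI = """[windows]
load=
run=c:\\windows\\system\\explore.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Keys in [windows] that start programs at login.
PERSISTENCE_KEYS = ("run", "load")
_SPLIT = re.compile(r"[ ,]+")   # 9x convention: several programs separated by spaces or commas


def _section_name(line: str):
    s = line.strip()
    return s[1:-1].lower() if s.startswith("[") and s.endswith("]") else None


def autostart_entries(ini_text: str) -> list[tuple[str, str]]:
    """Return (key, program) pairs from run=/load= in the [windows] section."""
    entries, section = [], None
    for line in ini_text.splitlines():
        name = _section_name(line)
        if name is not None:
            section = name
            continue
        key, sep, value = line.strip().partition("=")
        if section == "windows" and sep and key.strip().lower() in PERSISTENCE_KEYS:
            entries.extend((key.strip().lower(), p) for p in _SPLIT.split(value.strip()) if p)
    return entries


def remove_autostart(ini_text: str, basename: str = "explore.exe") -> tuple[str, list[str]]:
    """Drop programs whose file name equals `basename` (case-insensitive) from run=/load=.

    Returns the rewritten INI text and the list of programs removed. Everything else,
    including other programs on the same run= line, is preserved byte for byte.
    """
    out, removed, section = [], [], None
    for line in ini_text.splitlines():
        name = _section_name(line)
        if name is not None:
            section = name
            out.append(line)
            continue
        key, sep, value = line.strip().partition("=")
        if section == "windows" and sep and key.strip().lower() in PERSISTENCE_KEYS:
            keep = []
            for prog in _SPLIT.split(value.strip()):
                if not prog:
                    continue
                leaf = prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()
                (removed if leaf == basename.lower() else keep).append(prog)
            out.append(f"{key.strip()}={' '.join(keep)}")
            continue
        out.append(line)
    return "\n".join(out) + "\n", removed


if __name__ == "__main__":
    print("before:", autostart_entries(SAMPLE_WIN_INI))
    cleaned, gone = remove_autostart(SAMPLE_WIN_INI)
    print("removed:", gone)
    print("after:", autostart_entries(cleaned))
    print(cleaned)
```

In practice you would read c:\windows\win.ini, run remove_autostart over it, write the result back, and only then delete explore.exe. The same check generalises to any 9x autostart entry: pass a different basename to clear a different program. The NT equivalent is the registry value the advisory names, which this script does not touch.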
