LL-L: "Virus" [E] LOWLANDS-L, 11.JUN.1999 (04)

Lowlands-L Administrator sassisch at geocities.com
Fri Jun 11 14:32:44 UTC 1999


 ==========================================================================
 L O W L A N D S - L * 11.JUN.1999 (04) * ISSN 1089-5582 * LCSN 96-4226
 Posting Address: <lowlands-l at listserv.linguistlist.org>
 Web Site: <http://www.geocities.com/~sassisch/rhahn/lowlands/>
 User's Manual: <http://www.lsoft.com/manuals/1.8c/userindex.html>
 ==========================================================================
 You have received this because your account has been subscribed upon
 request. To unsubscribe, please send the command "signoff lowlands-l"
 as message text from the same account to
 <listserv at listserv.linguistlist.org> or sign off at
 <http://linguistlist.org/subscribing/sub-lowlands-l.html>.
 ==========================================================================

From: Ted Harding <Ted.Harding at nessie.mcc.ac.uk>
Subject: Virus Alert

Folks,

The following, whose discovery was announced yesterday, is a genuine (and
nasty) email virus especially likely to affect people using Windows and
Outlook, Outlook Express, Exchange and Netscape Mail, though other email
clients could also be vulnerable. Quote from

  http://www.avertlabs.com/public/datafiles/valerts/vinfo/va10185.asp

=====================================================================
TOP STORIES
W32/ExploreZip.worm

Characteristics:
This is a 32-bit worm that travels by sending email messages to users. It
drops the file explore.exe and modifies either the WIN.INI (Win9x) or the
registry (WinNT).

This worm attempts to invoke the MAPI-aware email applications as in MS
Outlook, MS Outlook Express, MS Exchange and confirmed in Netscape-mail.
This worm replies to messages received with an email message with the
following body:

  I received your email and I shall send you a reply ASAP.
  Till then, take a look at the attached zipped docs.

The subject line is not constant as the message is a reply.  The worm
(named "zipped_files.exe") is attached, with a file size of 210,432 bytes.
The file has a Winzip icon which is designed to fool unsuspecting users to
run it as a self-extracting file. Users who run this attachment will be
presented with a fake error message that says

  "Cannot open file: it does not appear to be a valid
  archive. If this file is part of a ZIP format backup set,
  insert the last disk of the backup set and try again.
  Please press F1 for help."

The Worm has a payload; immediately after execution it will search all
mapped drives for the following file types, and when it finds them, it
will erase their contents and the file will be zero bytes:

  .c, .cpp, .h, .asm, .doc, .xls, or .ppt

Discovery/Added Date: June 9, 1999
DAT Included: 4030
Type: Worm
Risk Assessment: High

Removal of this worm
Win9x-
Restart to MS-DOS mode, edit the WIN.INI and remove the listing

  run=c:\windows\system\explore.exe

Then delete the file "c:\windows\system\explore.exe" and restart Windows.

WinNT-
This worm runs as a process in WinNT Task Manager as "explore". You may
experience high CPU utilization prior to ending this process. Run REGEDIT
(not REGEDT32) and locate the hive

  [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]

and remove the following key:

  "run"="C:\\WINNT\\System32\\Explore.exe"

Restart Windows NT, then remove the file "c:\winnt\system32\Explore.exe".

Special detection and remover for Microsoft Exchange Server: Click here for
McAfee VirusScan Command Line Anti-Virus Software v1.0.1 for Microsoft
Exchange. Click here for readme.

© 1998, Network Associates, Inc. and its affiliated
Companies. All Rights Reserved.
=====================================================================

Best wishes to all,
Ted.

--------------------------------------------------------------------
E-Mail: (Ted Harding) <Ted.Harding at nessie.mcc.ac.uk>
Date: 11-Jun-99                                       Time: 10:15:08
------------------------------ XFMail ------------------------------
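As an added, defender-side illustration (not part of Ted's post or the AVERT advisory), the following Python sketch checks for the two indicators the advisory describes: a WIN.INI run= line in the [windows] section that launches explore.exe (the Win9x persistence), and zero-byte files of the targeted types on a drive (the payload's damage). The sample WIN.INI text and the directory tree it scans are constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed sample WIN.INI, modelled on the Win9x persistence line in the advisory.
SAMPLE_WIN_INI = """[windows]
load=
run=c:\\windows\\system\\explore.exe
[Desktop]
Wallpaper=(None)
"""

# File types the advisory says the payload truncates to zero bytes.
PAYLOAD_EXTENSIONS = {".c", ".cpp", ".h", ".asm", ".doc", ".xls", ".ppt"}

RUN_LINE_RE = re.compile(r"^\s*run\s*=\s*(.+?)\s*$", re.IGNORECASE)


def find_suspicious_run_entries(win_ini_text, dropped_name="explore.exe"):
    """Return run= values in the [windows] section that reference the dropped file."""
    hits, section = [], None
    for line in win_ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()  # track which INI section we are in
            continue
        if section != "windows":
            continue
        m = RUN_LINE_RE.match(line)
        if m and dropped_name in m.group(1).lower():
            hits.append(m.group(1))
    return hits


def find_zeroed_files(root, extensions=PAYLOAD_EXTENSIONS):
    """Return sorted paths under root with a targeted extension and a size of 0 bytes."""
    zeroed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in extensions and p.stat().st_size == 0:
                zeroed.append(p)
    return sorted(zeroed)


def demo():
    """Run both checks on a constructed tree; returns (run_hits, zeroed_relative_paths)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "main.c").write_bytes(b"")          # looks truncated by the payload
        (root / "report.doc").write_bytes(b"")              # looks truncated by the payload
        (root / "notes.txt").write_bytes(b"")               # empty, but not a targeted type
        (root / "src" / "util.h").write_bytes(b"int x;\n")  # intact
        zeroed = [p.relative_to(root).as_posix() for p in find_zeroed_files(root)]
    return find_suspicious_run_entries(SAMPLE_WIN_INI), zeroed
```

An empty file of a targeted type is only an indicator, not proof; it should be cross-checked against the WIN.INI or registry persistence entry before concluding the worm ran.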

==================================END=======================================
 * Please submit contributions to <lowlands-l at listserv.linguistlist.org>.
 * Contributions will be displayed unedited in digest form.
 * Please display only the relevant parts of quotes in your replies.
 * Commands for automated functions (including "signoff lowlands-l") are to
   be sent to <listserv at listserv.linguistlist.org> or at
   <http://linguistlist.org/subscribing/sub-lowlands-l.html>.
 * Please use only Plain Text format, not Rich Text (HTML) or any other
   type of format, in your submissions
 ========================================================================


