News

New Strain of Virus Detected

A new variant of the Trojan ExploreZip virus was discovered today. Fixes have been posted on the sites of the three main anti-virus companies, Trend Micro (www.antivirus.com), Symantec (www.symantec.com), and Network Associates Inc. (www.nai.com). The variant, known as TROJ_EXPZIPWMPAK, is identical to the original ExploreZip worm in that it is auto-spamming malicious code that destroys data on the infected system. The only significant difference between this variant of the worm and the original is that the variant is compressed with a different type of compression format, thereby evading standard anti-virus software and protection for the original worm. TROJ_EXPZIPWMPAK attacks Windows 95, 98, and NT systems.

Finjan Software (www.finjan.com) claims that its First-Strike Security software blocks the worm before it has a chance to evade traditional anti-virus software.

TROJ_EXPZIPWMPAK e-mails itself out as an attachment under the filename "zipped_files.exe." The subject line of the e-mail varies. The body of the e-mail message occasionally contains the following text:

Hi <Recipient Name>!
I received your email and I shall send you a
reply ASAP.
Till then, take a look at the attached zipped
docs.
Bye (This salutation varies between Bye, Sincerely, and All)

After a user clicks on the attachment, the variant searches hard drives C: through Z:, selecting the Microsoft Word, Excel, and PowerPoint files as well as source code files used by programmers including C++, C, and Assembler sources files, and reduces their file size to zero, making the data unrecoverable. When executed, TROJ_EXPZIPWMPAK utilizes MAPI-enabled e-mail systems to automatically reply to any subsequently received e-mail messages. The e-mail reply will include the infected attachment with the message shown above. It will use the subject line of the received e-mail when it replies.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

comments powered by Disqus
Most   Popular