CONCH-L Archives

Conchologists List

CONCH-L@LISTSERV.UGA.EDU

Subject:
From: shelloak <[log in to unmask]>
Reply To: Conchologists of America List <[log in to unmask]>
Date: Mon, 21 Jun 1999 16:10:11 -0500
I received this from my server; it is a bad one.  John Bernard

----------
> From: [log in to unmask]
> To:
> Subject: Virus Alert
> Date: Friday, June 11, 1999 8:40 PM
>
> Dear N2 The Net Users:
>
> Virus Advisory --> ExploreZip Trojan Horse Program
>
>
> Systems Affected
>
>      * Machines running Windows 95, Windows 98, or Windows NT.
>      * Any mail handling system could experience performance problems or
>        a denial of service as a result of the propagation of this Trojan
>        horse program.
>
>
>    There have been numerous reports of a Trojan horse program that is
>    propagating in email attachments. This program is called ExploreZip.
>    This Trojan horse program requires the attached zipped_files.exe
>    program be run in order to install a copy of itself and enable
>    propagation.
>
>    The body of the email message usually appears to come from a known
>    email correspondent, and may contain the following text:
>
>    I received your email and I shall send you a reply ASAP.
>           Till then, take a look at the attached zipped docs.
>
>    The subject line of the message may not be predictable and may appear
>    to be sent in reply to previous email.
>
>    Opening the zipped_files.exe file causes the program to execute. At
>    this time, there is conflicting information about the exact actions
>    taken by zipped_files.exe when executed. One possible reason for
>    conflicting information may be that there are multiple variations of
>    the program being propagated, although we have not confirmed this one
>    way or the other. Currently, we have the following general information
>    on actions taken by the program.
>
>      * The program searches local and networked drives (drive letters C
>        through Z) for specific file types and attempts to erase the
>        contents of the files, leaving a zero byte file. The targets may
>        include Microsoft Office files, such as .doc, .xls, and .ppt, and
>        various source code files, such as .c, .cpp, .h, and .asm.
>      * The program propagates by replying to any new email that is
>        received by an infected computer. A copy of zipped_files.exe is
>        attached to the reply message.
>      * The program creates an entry in the Windows 95/98 WIN.INI file:
>        run=C:\WINDOWS\SYSTEM\Explore.exe
>        On Windows NT systems, an entry is made in the system registry:
>        [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
>        run = "c:\winnt\system32\explore.exe"
>      * The program creates a file called explore.exe in the following
>        locations:
>        Windows 95/98 - c:\windows\system\explore.exe
>        Windows NT - c:\winnt\system32\explore.exe
>        This file is a copy of the zipped_files.exe Trojan horse, and the
>        file size is 210432 bytes.
>        MD5 (Explore.exe) = 0e10993050e5ed199e90f7372259e44b
>
>
>    In order to detect and clean current viruses you must keep your
>    scanning tools up to date with the latest definition files.
>
>    Please see the following anti-virus vendor resources for more
>    information about the characteristics and removal techniques for the
>    malicious file known as ExploreZip.
>
>    Central Command
>           http://www.avp.com/upgrade/upgrade.html
>
>           Command Software Systems, Inc
>           http://www.commandcom.com/html/virus/explorezip.html
>
>           Computer Associates
>           http://support.cai.com/Download/virussig.html
>
>           Data Fellows
>           http://www.datafellows.com/news/pr/eng/19990610.htm
>
>           McAfee, Inc. (a Network Associates company)
>           http://www.mcafee.com/viruses/explorezip/protecting_yourself.asp
>
>           Network Associates Incorporated
>           http://www.avertlabs.com/public/datafiles/valerts/vinfo/va10185.asp
>
>           Sophos, Incorporated
>           http://www.sophos.com/downloads/ide/index.html#explorez
>
>           Symantec
>           http://www.sarc.com/avcenter/download.html
>
>           Trend Micro Incorporated
>           http://www.antivirus.com/download/pattern.htm
>
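
The indicators listed in the advisory above (the WIN.INI run= entry, the explore.exe file name, its size and its MD5) turned into a host check. This is an added example, not part of the original message or the advisory; the function names and the sample WIN.INI text are constructed for illustration.

```python
import hashlib
import ntpath
import os

# Indicators copied from the advisory text above.
IOC_NAME = "explore.exe"
IOC_SIZE = 210432
IOC_MD5 = "0e10993050e5ed199e90f7372259e44b"

def winini_run_entries(text):
    """Return the programs listed on run= lines of the [windows] section."""
    section, found = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            if key.strip().lower() == "run":
                found += value.replace(",", " ").split()
    return found

def suspicious_run_entries(text):
    """run= entries whose file name is exactly explore.exe (not explorer.exe)."""
    return [p for p in winini_run_entries(text)
            if ntpath.basename(p.strip('"')).lower() == IOC_NAME]

def classify_file(path):
    """Compare a file on disk with the advisory's size and MD5."""
    if not os.path.isfile(path):
        return "absent"
    if os.path.getsize(path) != IOC_SIZE:
        return "different-size"
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return "md5-match" if digest.hexdigest() == IOC_MD5 else "size-match-only"

# Constructed WIN.INI content for demonstration, not taken from a real host.
SAMPLE_WININI = """[windows]
run=C:\\WINDOWS\\SYSTEM\\Explore.exe
[fonts]
run=ignored.exe
"""

if __name__ == "__main__":
    print(suspicious_run_entries(SAMPLE_WININI))
    print(classify_file(r"C:\WINDOWS\SYSTEM\Explore.exe"))
```

Because the advisory says multiple variations may exist, a file reported as size-match-only or different-size at one of the listed paths still warrants a scan with current definition files.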
