Another worm virus!
Kis Sándor
dorado at freemail.c3.hu
Fri Jun 11 23:11:33 CEST 1999
Hi everyone!
This warning is not aimed at the "gurus", who would not run unknown
attached programs anyway, but of course nobody should trivialize
the matter either...
I am quoting from the fax sent out by Microsoft Hungary:
In the past few hours a very dangerous virus has appeared in
numerous parts of the world.
The virus is very similar to the Melissa virus, but its effect
is irreversible damage!
Please do everything you can to prevent it from spreading further
and to protect your own systems from the problem!
While the virus spreads, you will receive the following reply to
an e-mail you have sent:
Hi <recipient's name> !
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
Sincerly
<sender's name>
If you run the <zipped_files.exe> file attached to the message,
the virus activates.
It then attacks every network resource it has access to and that
has a drive letter mapped to it, including the local machine, and
overwrites the files to 0 length!
Further information about the virus can be read at the web address
http://www.sarc.com/avcenter/venc/data/worm.explore.zip.html
(included in text form at the end of this message).
This problem is independent of the mail system you use!
Please notify all e-mail users on your network.
That's it
(the address works, I tried it)
Regards,
Kis Sandor
____worm.explore.zip.html___________________________________
Worm.ExploreZip
Virus Name: Worm.ExploreZip
Aliases: W32.ExploreZip Worm
Infection Length: 210,432 bytes
Area of Infection: Windows System directory, Email Attachments
Likelihood: Common
Detected as of: June 6, 1999
Characteristics: Worm, Trojan Horse
Overview:
Worm.ExploreZip contains a very malicious payload.
Worm.ExploreZip utilizes Microsoft Outlook, Outlook Express,
and Microsoft Exchange to mail itself out by replying to
unread messages in your Inbox. The payload of the worm will
destroy any file with the extension
.h, .c, .cpp, .asm, .doc, .ppt, or .xls
on your hard drive(s), as well as any mapped drives,
each time it is executed. The worm will also search the
mapped drives for Windows installations and copy itself to
the Windows directory, and then modify the WIN.INI file.
This will infect systems without e-mail clients.
This continues to occur until the worm is removed.
You may receive this worm as a file attachment named
"zipped_files.exe". When run, this executable will copy
itself to your Windows System directory with the filename
"Explore.exe", or your Windows directory with the filename
"_setup.exe". The worm modifies your WIN.INI or registry
such that the "Explore.exe" file is executed each time you
start Windows.
Worm.ExploreZip was first discovered in Israel and
submitted to the Symantec AntiVirus Research Center on
June 6, 1999.
Technical Description:
Worm.ExploreZip utilizes MAPI commands and Microsoft
Outlook/Outlook Express/Microsoft Exchange on Windows 9x
and NT systems to propagate itself.
The worm e-mails itself out as an attachment with the
filename "zipped_files.exe" in reply to unread messages
it finds in your Inbox. Thus, the e-mail message may
appear to come from a known e-mail correspondent in
response to a previously sent e-mail. The e-mail contains
the following text:
Hi <Recipient Name>!
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
bye or sincerely <Recipient Name>
Once the attachment is executed, it may display the following
window:
[Dialog box displayed by the worm, titled "Error"; its contents are not preserved here.]
The worm also copies itself to the Windows System (System32 on
Windows NT) directory with the filename "Explore.exe" or
"_setup.exe", and modifies the WIN.INI file (Windows 9x) or
the registry (on Windows NT). This results in the program being
executed each time Windows is started. You may find this file
under your Windows Temporary directory or your attachments
directory, depending on the e-mail client you are using.
E-mail clients will often temporarily store e-mail attachments
in these directories under different temporary names.
The worm will continue to search through your Inbox as long as
it is still running in memory. Thus, any new messages that are
received will be replied to in the above manner.
Payload:
In addition, when Worm.ExploreZip is executed, it searches
drives C through Z of your computer system and selects a series
of files to destroy based on file extensions
(including .h, .c, .cpp, .asm, .doc, .xls, .ppt)
by calling CreateFile(), and making them 0 bytes long.
You may notice extended hard drive activity when this occurs.
This can result in non-recoverable data. This payload routine
continues to happen while the worm is active on the system.
Thus, any newly created files matching the extensions list
will be destroyed as well.
Symantec provides data recovery services which can be found at
http://www.symantec.com/techsupp/recovery.
However, due to the nature of the payload data recovery may
take several days and may not be possible in all cases.
Repair Notes:
To remove this worm, you should perform the following steps:
Remove the line
run=C:\WINDOWS\SYSTEM\Explore.exe
or
run=C:\WINDOWS\SYSTEM\_setup.exe
from the WIN.INI file for Windows 9x systems.
For Windows NT, remove the registry entry
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
which will refer to "Explore.exe" or "_setup.exe"
Delete the file "Explore.exe" or "_setup.exe".
You may need to reboot first or kill the process using Task
Manager or Process View (if the file is currently in use).
Norton AntiVirus users can protect themselves from this worm
by downloading the current virus definitions either through
LiveUpdate or from the following webpage:
http://www.symantec.com/avcenter/download.html
Write-up by: Eric Chien
Written: June 6, 1999
Update: June 10, 1999
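As an added example, not part of the original message or of Symantec's write-up, the following Python script turns the indicators in the text above into defender-side checks: a mail filter rule built from the lure body text and the "zipped_files.exe" attachment name, and a WIN.INI / Run-value check that finds and removes the run= persistence entry described in the Repair Notes. The message dict shape, the sample WIN.INI and the sample mails are constructed for this example; only the indicator strings come from the write-up.

```python
import ntpath
import re

# Indicators quoted from the advisory; the detection logic around them is constructed here.
WORM_ATTACHMENT = "zipped_files.exe"
WORM_BINARIES = {"explore.exe", "_setup.exe"}
LURE_PHRASES = (
    "i received your email and i shall send you a reply asap",
    "take a look at the attached zipped docs",
)


def is_explorezip_lure(message):
    """Flag a mail that carries the worm's attachment name or its fixed body text.

    `message` is a dict with 'body' (str) and 'attachments' (list of file names);
    that shape is an assumption of this example, not a real mail client API.
    """
    names = {ntpath.basename(a).lower() for a in message.get("attachments", [])}
    if WORM_ATTACHMENT in names:
        return True
    # Collapse whitespace so line wrapping in the body does not defeat the match.
    body = " ".join(message.get("body", "").lower().split())
    return all(phrase in body for phrase in LURE_PHRASES)


def _strip_worm_tokens(value):
    """Drop worm file names from a run= value, which may list several programs.

    Returns (remaining_tokens, changed). Programs are split on whitespace and
    commas, as WIN.INI run= lines were; paths containing spaces are not handled.
    """
    tokens = [t for t in re.split(r"[\s,]+", value.strip()) if t]
    clean = [t for t in tokens
             if ntpath.basename(t.strip('"')).lower() not in WORM_BINARIES]
    return clean, len(clean) != len(tokens)


def registry_run_value_is_worm(value_data):
    """True if an NT ...\\CurrentVersion\\Windows\\Run value launches the worm binary."""
    return _strip_worm_tokens(value_data)[1]


def clean_win_ini(text):
    """Return (cleaned_text, removed_lines) with the worm removed from [windows] run=.

    Only the worm's own file names are dropped; other programs on the same
    run= line are kept, and the line is deleted only when nothing remains.
    """
    kept, removed = [], []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        elif section == "windows" and "=" in stripped:
            key, _, value = stripped.partition("=")
            if key.strip().lower() == "run":
                clean, changed = _strip_worm_tokens(value)
                if changed:
                    removed.append(stripped)
                    if clean:
                        kept.append("run=" + " ".join(clean))
                    continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed


# Constructed sample data for a stand-alone run.
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\Explore.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

SAMPLE_MESSAGES = [
    {"body": "Hi Sandor!\nI received your email and I shall send you a reply ASAP.\n"
             "Till then, take a look at the attached zipped docs.\nSincerely Eric",
     "attachments": ["zipped_files.exe"]},
    {"body": "Hi, the minutes from Monday are attached.",
     "attachments": ["minutes.doc"]},
]

if __name__ == "__main__":
    for i, msg in enumerate(SAMPLE_MESSAGES):
        print(f"message {i}: {'LURE' if is_explorezip_lure(msg) else 'clean'}")
    cleaned, removed = clean_win_ini(SAMPLE_WIN_INI)
    print("removed from WIN.INI:", removed)
    print(cleaned)
```

The WIN.INI cleaner deliberately edits only the `run=` key of the `[windows]` section, because that is the single persistence point the advisory names; it leaves `load=` and every other section untouched so the check cannot damage an unrelated configuration.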