Subject: VIRUS NOTIFICATION - MINIZIP
WE RECEIVED AN IMMEDIATE MESSAGE FROM THE AF INFORMATION WARFARE CENTER
(AFIWC) WITH INFORMATION ABOUT THE EMERGENCE OF THE MINIZIP OR
W32/EXPLOREZIP.WORM.PAC VIRUS, A VARIANT OF THE EXPLORER VIRUS. CURRENTLY
NO SIGNS OF THE VIRUS HAVE BEEN SEEN ON AIR FORCE SITES.
THIS VARIATION IS UNIQUE IN THAT THE VIRUS EXECUTABLE IS IN A COMPRESSED
FORM. ANTI-VIRUS SOFTWARE IS UNABLE TO DETECT THIS VARIATION.
AS OF 1300Z THE AFCERT HAS RECEIVED NO REPORTS OF THIS NEW VARIANT ON AF
SYSTEMS. THE AFIWC HAS BEEN ABLE TO DETECT BOTH VERSIONS SENT OVER THE
INTERNET VIA EMAIL.
THE FOLLOWING HAS BEEN COMPILED BASED ON THE INFORMATION CURRENTLY AVAILABLE
ON THE VIRUS.
VIRUS CHARACTERISTICS: THIS IS A 32BIT WORM VIRUS THAT TRAVELS BY SENDING
EMAIL MESSAGES TO USERS. IT DROPS THE FILE EXPLORE.EXE AND MODIFIES EITHER
THE WIN.INI (WIN9X) OR MODIFIES THE REGISTRY (WINNT).
INFORMATION:
MINIZIP IS A MINOR VARIANT OF THE ORIGINAL W32/EXPLOREZIP.WORM IN THAT THIS
EDITION IS A COMPRESSED COPY OF THE EXECUTABLE. A COMPRESSION TOOL NAMED
NEOLITE WAS USED TO COMPRESS THE BINARY EXECUTABLE THAT IS THE WORM,
PREVENTING DETECTION BY EXISTING DETECTORS OF THE ORIGINAL VERSION. THIS
VARIANT RUNS COMPRESSED AND IS NOT EXPANDED BEYOND ITS COMPRESSED FORM
EXCEPT IN MEMORY. THE FOLLOWING EMAIL DESCRIPTION AND REMOVAL METHOD ARE
ALMOST IDENTICAL TO THE DESCRIPTION FOR THE FIRST VARIANT, EXCEPT WITH
REGARD TO FILE SIZE.
THIS VIRUS INPUTS THE MESSAGE TEXT:
"I RECEIVED YOUR EMAIL AND I SHALL SEND YOU A REPLY ASAP. TILL THEN, TAKE A
LOOK AT THE ATTACHED ZIPPED DOCS."
THE WORM IS ATTACHED WITH THE FILENAME "ZIPPED_FILES.EXE". THE FILE HAS A
WINZIP ICON. ONCE EXECUTED IT WILL REPORT THE FOLLOWING "ERROR" MESSAGE:
"CANNOT OPEN FILE: IT DOES NOT APPEAR TO BE A VALID ARCHIVE. IF THIS FILE IS
PART OF A ZIP FORMAT BACKUP SET, INSERT THE LAST DISK OF THE BACKUP SET AND
TRY AGAIN. PLEASE PRESS F1 FOR HELP."
IT WILL THEN CREATE 2 FILES, EXPLORE.EXE AND _SETUP.EXE, AND MODIFY THE
WIN.INI AND REGISTRY TO OPEN ONE OF THESE AT EACH BOOTUP, WHICH WILL INFECT
THE SYSTEM.
PAYLOAD NOTICE:
THIS WORM HAS A DANGEROUS PAYLOAD. IMMEDIATELY AFTER EXECUTION IT WILL
SEARCH ALL AVAILABLE LOCAL DRIVES FROM C: TO Z: FOR THE FOLLOWING FILES OF
EXTENSION: .C, .CPP, .H, .ASM, .DOC, .XLS, OR .PPT. WHEN FOUND, THEY ARE
OPENED FOR WRITE AND IMMEDIATELY CLOSED LEAVING THEM WITH A ZERO BYTE
COUNT. THIS PAYLOAD IS RUN AGAIN AT APPROXIMATELY 30 MINUTE INTERVALS.
SOLUTION:
IF YOU RECEIVE AN E-MAIL WITH THE BODY TEXT AND FILENAME ABOVE, DO NOT OPEN
IT.
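As an added example (not part of the original notification), the Python helpers below flag a message that carries the lure text and attachment name quoted above, and list the zero-byte files with the targeted extensions that the payload leaves behind on a scanned tree. The sample message and directory are constructed here for the test, not captured from the worm; the indicator strings are the ones the notification gives.

```python
"""Triage helpers for the ExploreZip/MiniZip indicators in the notification."""
import email
import os
import tempfile
from email.message import EmailMessage

# Indicators quoted in the notification (lure sentence and attachment name).
LURE_PHRASE = "take a look at the attached zipped docs"
LURE_ATTACHMENT = "zipped_files.exe"
# Extensions the payload truncates to zero bytes.
TARGET_EXTENSIONS = {".c", ".cpp", ".h", ".asm", ".doc", ".xls", ".ppt"}


def flags_for_message(raw: bytes) -> set:
    """Return the set of indicator names matched by a raw RFC 822 message."""
    msg = email.message_from_bytes(raw)
    hits = set()
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() == LURE_ATTACHMENT:
            hits.add("attachment_name")
        if part.get_content_type() == "text/plain" and not name:
            body = part.get_payload(decode=True) or b""
            text = " ".join(body.decode("latin-1").lower().split())
            if LURE_PHRASE in text:
                hits.add("lure_text")
    return hits


def zeroed_files(root: str) -> list:
    """Paths (relative to root) of targeted-extension files now 0 bytes long."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if os.path.splitext(fn)[1].lower() in TARGET_EXTENSIONS \
                    and os.path.getsize(path) == 0:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def build_sample_message() -> bytes:
    """Constructed lure message shaped like the notification's description."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"  # placeholder addresses
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Re: your mail"
    msg.set_content("I received your email and I shall send you a reply ASAP. "
                    "Till then, take a look at the attached zipped docs.")
    msg.add_attachment(b"placeholder, not a real binary", maintype="application",
                       subtype="octet-stream", filename="zipped_files.exe")
    return bytes(msg)


def make_demo_tree() -> str:
    """Constructed directory imitating the trace the payload leaves."""
    root = tempfile.mkdtemp()
    for name, size in (("notes.doc", 0), ("main.c", 0), ("big.cpp", 12), ("readme.txt", 0)):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"x" * size)
    return root
```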