First published: 11th June 1999
'ZippedFiles' or 'ExploreZip' spreads like Melissa
Espoo, Finland, June 10, 1999 - A new e-mail worm has been found and is spreading rapidly through the Internet. This virus works like a chain letter and carries a destructive payload. So far, it has been reported from a dozen countries, including USA, Germany, Norway, Israel and the Czech Republic. The virus is expected to spread globally within hours.
This virus is known as either 'ZippedFiles' or 'ExploreZip'. It arrives to a user via an e-mail attachment. When the attachment is opened, the virus will browse through the inbox of the Microsoft Outlook e-mail program and will send a reply to every message.
As a result, if a user called John Doe has recently received an e-mail from Jane Smith with the subject 'Please check these numbers', John's machine will automatically send a message which will look like this:
From: John Doe To: Jane Smith Subject: RE: Please check these numbers Hi Jane I have received your email and I shall send you a reply ASAP. Till then take a look at the attached zipped docs. Sincerely John. Attachment: zipped_files.exe
The attachment looks like a WinZip archive file. When the received tries to unpack it by double-clicking it, he will get a WinZip error message complaining about a broken archive:
Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help.
In addition to spreading like a chain letter, the virus will try to overwrite the user's files on any accessible drives, including all network drives. The files that are overwritten must have one of these extensions:
- DOC - Microsoft Word documents
- XLS - Microsoft Excel spreadsheets
- PPT - Microsoft PowerPoint presentations
- ASM - Assembler source files
- CPP - C++ source files
If the recipient is using an e-mail system other than Microsoft Outlook, ZippedFiles will not spread further. However, it will damage the recipient's files. ZippedFiles operates under the Windows 95, 98 and NT operating systems.
"This seems to be spreading fast," Mikko Hypponen, Manager of Anti-Virus Research at Data Fellows Corporation, comments, "but not as fast Melissa. The key issue here is that messages sent by ZippedFiles are very credible - they are normal-looking replies to messages you have sent earlier. You're quite likely to trust these messages and open the attachment."
Data Fellows has analysed ZippedFiles and has provided an update to detect and disinfect it.