New Discovery in the ZippedFiles Internet Worm

First published: 17^th June 1999

Destructive worm can hit your machine even if you don't use e-mail

Espoo, Finland - Researchers at the Data Fellows computer virus laboratory have discovered new functionality in the widespread ZippedFiles (also known as ExploreZip) Internet worm. Once the virus infects one machine in a corporate network, the worm will start to look for other Windows workstations in the network.

If another user has shared directories from his machine for others, the virus will try to infect this machine over the network.

This means that your machine can get infected with the ZippedFiles worm even if you're very careful with your e-mail, do not open attachments, or you even stop using e-mail completely. You will not notice the infection, but your machine will start to automatically reply to all e-mails received thereafter. The replies contain an infected attachment and will spread the worm further. In addition, the worm will start to overwrite files on local and network drives.

In order to receive the virus over the company network, your machine must be running Windows 95 or 98 and must have either the system drive or the Windows directory shared for other users with full access rights. The shared drive does not have to be mounted to the infected system in order for the worm to spread, as the worm will browse all available drive shares in the network. By default, Windows does not share drives for use by other users, but many users do this to give fellow workers easy access to their files.

"This seems to be one of the reasons we've seen widespread infections within single companies", comments Mikko Hypponen, Manager of Anti-Virus Research at Data Fellows. "We have to remember that this worm does not spread over e-mail nearly as fast as the Melissa virus did. It only spreads at the rate of normal e-mail traffic - if you receive ten e-mails a day, you will send the worm out ten times". "However, once ZippedFiles enters your corporate network, it will travel around fast if you don't have every workstation running up-to-date protection."

Questions & Answers on the ZippedFiles worm:

• Q: What's the name of the worm?
  A: This worm is known as either ZippedFiles or ExploreZip
• Q: What's the difference between a virus and a worm?
  A: Viruses work by infecting the user's own files and they spread when these are exchanged. Worms don't infect your own files, they just use your computer to send themselves further to other machines.
• Q: Where was ZippedFiles written?
  A: The first infection reports were from Israel, so it might be from that region.
• Q: When was ZippedFiles written?
  A: We don't know for sure. We received the first sample from the field on June 10th, from the Czech Republic. The virus has been reported to be out there as early as 6th of June. Moreover, the virus contains this internal date: "1999/04/14 12:50". It is possible that the virus has been out there for a longer time, possible even weeks.
• Q: Why was this new network-spreading capability not detected until now?
  A: The virus is big, over 200kB. It's simple to add detection and removal of a worm like this, but it takes days to fully disassemble and understand a program of this size.
• Q: Who wrote it?
  A: We do not know.
• Q: Will he/she be caught?
  A: If he/she was careful when releasing the virus, probably not. It is easy to be completely anonymous in the net.
• Q: How widespread is it?
  A: Very widespread, although at this time not as widespread as Melissa or CIH were during spring, 1999. It seems to be especially widespread in North America and the UK.
• Q: Why North America and UK?
  A: The virus replies to every e-mail received by the infected computer. However, the reply is written in English. If a German-speaking user sends an e-mail to another German, he would get suspicious if the reply appears in English.
• Q: Does the virus work only with Outlook?
  A: The virus tries to work with other e-mail programs as well (those which support MAPI). However, due to some programming error it seems to fail unless the user has Microsoft Outlook, Outlook Express or Exchange e-mail client.
• Q: Do other worms spread over a company network like ZippedFiles?
  No, this is quite a unique feature.
• Q: What damage does ZippedFiles do?
  It tries to overwrite several types of files on a local hard drive and on the network drives.
• Q: What files does ZippedFiles overwrite?
  
  • DOC - Microsoft Word documents
  • XLS - Microsoft Excel spreadsheets
  • PPT - Microsoft PowerPoint presentations
  • ASM - Assembler source files
  • CPP - C++ source files
  • C - C source files
  • H - C header files
• Q: Why does the virus overwrite Assembler, C++ and C programming language files?
  A: Perhaps the writer of the virus does not like these languages. The virus itself is written in Delphi, a Pascal-like language.
• Q: Why does the virus overwrite files instead of deleting them?
  A: The virus truncates the files to zero bytes. This makes it difficult to restore the files without backups. If the virus would just delete the files, they would be easy to undelete.
• Q: Are the truncated files recoverable if there are no backups?
  A: Professional data recovery services will help. There are some freeware tools in the net that claim to be of some help, but usually the results are not very good - and they might make professional data recovery impossible.