WATCH OUT... IF YOU RECEIVE AN E-MAIL WITH WORDING LIKE THIS:

> <<File: zipped_files.exe>>
> Hi (YOUR NAME), !
> I received your email and I shall send you a reply ASAP.
> Till then, take a look at the attached zipped docs.
> bye.
> <<zipped_files.exe>>

THEN THAT E-MAIL CONTAINS A VIRUS. For more detail, see the account below.
________________________________________________________________
Subject: WATCH OUT FOR THE WORM
Date: 6/11/99 9:34 AM

My boss got one of these emails (see news article below) on her personal email account this week!! Fortunately, before she downloaded it, she scanned it with McAfee and it told her that it detected the worm, and there was no cure, and to definitely not download the file. Just be sure to scan any attachments. The one she got was called Happy99.exe, but described by McAfee Virus scan as the worm they're talking about below. This one's a killer and destroyed her friend's computer.
_________________________________

Malicious `worm' hits companies
Data-destroying `Worm.ExploreZip' forces e-mail shutdowns at major corporations

By Mike Brunker and Mark Stevenson
MSNBC

June 10 - Disguised as e-mail from an acquaintance, a malicious computer "worm" capable of destroying data on infected machines was spreading Thursday, forcing at least a handful of businesses to shut down their e-mail systems. Computer security companies said the worm represented a new level of danger, combining the rapid-spread capability of the recent Melissa virus with a far more dangerous payload.

IT WAS NOT immediately clear how far the "Worm.ExploreZip" program had spread since it was reported to the Symantec AntiVirus Research Center on Sunday.

The worm on Thursday caused havoc with e-mail at Microsoft, NBC and General Electric (MSNBC is a joint venture of Microsoft and NBC). System administrators at GE shut down the company's e-mail system in an attempt to isolate the worm.
"The first report (to ) came in late Sunday night from Israel, where it hit five major corporations," said Eric Chien, a researcher at SARC. "By late Monday and early Tuesday we began to hear reports from the U.S., where eight major corporations have reported the worm (not including GE, Microsoft or NBC)."

"Those are just the ones that reported to us," said Chien. "Obviously, there could be many more."

Reports indicate that the worm hit hard at companies including Intel Corp., Lucent Technologies and Symantec itself. Trend Micro, a maker of anti-virus software, said five large customers reported Thursday that their systems were infected, but Trend Micro declined to name the companies.

Joe Wells, president of the WildList Organization International, which tracks virus activity, said the worm has turned up in the United States, parts of Europe, parts of South America, Israel and South Africa.

"We consider it a major incident given that the corporations that were hit generally have very good security procedures in place," Chien said. "It is likely that small businesses and home users also are being affected."

Security firm Network Associates Inc. reported Thursday that it had received reports of multiple infections from major companies in three countries, Germany, France and the United States. Network Associates also believes the worm originated in Israel, said Vincent Gullotto, manager of the company's antivirus emergency response team. Gullotto said Network Associates gave the worm its highest danger rating.

The worm spreads by automatically sending a reply to e-mail sent to an infected user. The original sender of the mail gets an immediate reply that has an attachment with the file name "zipped_files.exe." The body of the message reads:

"Hi (recipient's name)!
"I received your e-mail and I shall send you a reply ASAP.
"Till then, take a look at the attached zipped docs.
"bye."
According to an advisory posted by Symantec, users who receive such a message should delete it without opening it, then empty their deleted items file.

The Melissa virus automatically scanned the infected user's e-mail address book and began sending e-mails to recipients on that list, so it generated more mail and was thus able to spread faster than Worm.ExploreZip, said Gullotto in a conference call with journalists. But the immediate reply and the fact that the subject line on the infecting mail is the same as the receiver has just sent means recipients are far more likely to open the attachment, he said.

Melissa's mischief, however, consisted of infecting e-mail recipients and clogging e-mail servers with high volumes of traffic. Worm.ExploreZip does elevate e-mail traffic levels, too, but it also seeks out and destroys files on the user's hard drives and on network drives, making it more like the CIH, or Chernobyl, virus in its power to destroy.

SYSTEM FILE MODIFIED

The program sends itself as an executable attachment using MAPI (Messaging Application Programming Interface) commands in MAPI-based e-mail clients such as Windows Outlook, Outlook Express, and Exchange in the Windows 95, 98, and NT environments.

If the file is executed on a Windows 9x system, the worm copies itself to the c:directory with the filename "Explore.exe" and then modifies the WIN.INI file so that the program is executed each time Windows is started. On Windows NT systems, the worm modifies the Registry.

In addition, when Worm.ExploreZip is executed, it also searches through the C through Z drives of your computer system - both local drives and drives "mapped" on a network, which often includes servers used by computer users throughout an organization - and selects a series of files to destroy by making them 0 bytes long. This can result in non-recoverable data, the Symantec advisory warns.
The worm looks for and destroys files with the following extensions, according to Network Associates: .c, .cpp, .h, .asm, .doc, .xls and .ppt. Those extensions cover Word word-processing documents, PowerPoint presentations and Excel spreadsheets, plus programmers' source code files.

HOW TO GET RID OF IT

If your computer is infected, security software company Network Associates recommends these steps to remove it:

If you're running Windows 95 or 98:
- Restart your computer in MS-DOS mode, edit the WIN.INI file and remove the line run=c:
- Then delete the file "c:and restart Windows.

If you're running Windows NT:
- Run REGEDIT (not REGEDT32) and locate the hive [HKEY_CURRENT_USERNTand remove the following key: "run"="C:
- Restart Windows NT, then remove the file "c:

If you're unsure whether you've been infected, Network Associates recommends that you look in your My Documents folder to see whether you're missing any familiar files, or look in the Sent Messages folder in your e-mail client to see if you are sending replies with attachments that you do not remember sending.

Network Associates' Gullotto warned that if this worm follows the pattern of recent malicious attachments, network administrators and users should be alert to e-mails that are suspicious but do not match exactly the characteristics of Worm.ExploreZip. Variants and copycats of malicious software often appear soon after the original.

And the original is already doing plenty of damage.

"We have the virus," said Rachel Albert, a spokeswoman at InterActive Public Relations of San Francisco. "It's terrible. A lot of people lost everything they were working on."

The Associated Press contributed to this report.

Zullia Saida
United States Agency for International Development (USAID)
American Embassy
Jl. Merdeka Selatan 3-5
Jakarta 10110
Phone : (62-21) 344 2211 ext.
2356
Fax : (62-21) 3483 0916
e-mail: [EMAIL PROTECTED]

------------- Original Text
From: "Padmorini, Niken AIS" <[EMAIL PROTECTED]>, on 6/21/99 9:00 AM:

> HOW COULD YOU BE SO CRUEL,....
>
> ----------
> From: Hendra Suryakusumah[SMTP:[EMAIL PROTECTED]]
> Sent: Monday, June 21, 1999 6:59 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [balita-anda] FW: [balita-anda] Just a suggestion
>
> <<File: zipped_files.exe>>
> Hi Padmorini, !
> I received your email and I shall send you a reply ASAP.
> Till then, take a look at the attached zipped docs.
> bye.
> <<zipped_files.exe>>
>
> Visit: http://www.balita-anda.indoglobal.com
--------------------------------------------------------------------------
"For those who long for their toddlers to grow up healthy & smart"
To subscribe, e-mail: [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
http://pencarian-informasi.or.id/ - Internet Information Search Solution
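
The host-side signs the article describes (files with the targeted extensions truncated to 0 bytes, and a WIN.INI run= line that starts Explore.exe) can be checked with a short script. This is an added example, not part of the original e-mails or the MSNBC article; the function names, the sample WIN.INI and its EXAMPLE_DIR path are constructed, and checking load= as well as run= is an assumption beyond what the article states.

```python
import os
import tempfile

# Extensions the article attributes to Network Associates' analysis.
TARGET_EXTS = {".c", ".cpp", ".h", ".asm", ".doc", ".xls", ".ppt"}
DROPPED_NAME = "explore.exe"  # file name the article says the worm copies itself to


def find_zeroed_files(root):
    """Return sorted paths of 0-byte files under root with a targeted extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            try:
                if ext in TARGET_EXTS and os.path.getsize(path) == 0:
                    hits.append(path)
            except OSError:
                continue  # unreadable or vanished file: skip, keep scanning
    return sorted(hits)


def winini_autostart_hits(text):
    """Return run=/load= lines in the [windows] section that name Explore.exe.

    The article mentions only run=; load= is included here as an assumption.
    """
    hits, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            if key.strip().lower() in ("run", "load") and DROPPED_NAME in value.lower():
                hits.append(line)
    return hits


# Constructed sample; EXAMPLE_DIR is a placeholder, not a path from the article.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\EXAMPLE_DIR\\Explore.exe\n[Desktop]\nWallpaper=(None)\n"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed file tree
        for name, data in [("report.DOC", b""), ("notes.txt", b""), ("main.c", b"int x;")]:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        print(find_zeroed_files(root))
    print(winini_autostart_hits(SAMPLE_WIN_INI))
```

A 0-byte document is only a lead, since empty files also occur normally; it is the combination with the autostart entry and unexplained replies in the Sent folder that matches the article's description.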
