Below is some information I obtained from another mailing list.... The ExploreZip virus deletes
Microsoft Office files, such as .doc, .xls, and .ppt, and source code files, such as .c, .cpp,
.h, and .asm. And as long as it has not been removed from the infected PC, the virus keeps
spreading itself via email automatically, without the PC owner's knowledge. So what Pak Denny
Firmansyah said is quite right... don't assume that the person *DELIBERATELY* sent the virus
to us... because they themselves don't know that their name is being 'misused' by the virus....

From my monitoring (this sounds like an election count....) there are already 5 members of the
balita-anda mailing list who have been hit by this virus:
1. Herman ?
2. Endang Wartiningsih <[EMAIL PROTECTED]>
3. Rina Budiastuti 
4. [EMAIL PROTECTED]
5. Alvi Maghfiratul Laila <[EMAIL PROTECTED]>

That's all the information for now... if there is more information about this virus,
especially on how to deal with it... I'll send it on.

-yuana-

-----------------------------------------------------------------
CERT® Advisory CA-99-06 ExploreZip
Trojan Horse Program
Original issue date: Thursday June 10, 1999
Source: CERT/CC

Systems Affected
Machines running Windows 95, Windows 98, or Windows NT. 
Any mail handling system could experience performance problems 
or a denial of service as a result
of the propagation of this Trojan horse program. 

Overview

The CERT Coordination Center continues to receive reports 
and inquiries regarding various forms of malicious executable 
files that are propagated as file attachments in electronic mail. 

Most recently, the CERT/CC has received reports of 
sites affected by ExploreZip, a Windows Trojan horse program. 

I. Description

The CERT/CC has received reports of a Trojan horse program
that is propagating in email attachments. This program is
called ExploreZip. The number and variety of reports we 
have received indicate that this has the potential to be a
widespread attack affecting a variety of sites. 

Our analysis indicates that this Trojan horse program
requires the victim to run the attached zipped_files.exe
program in order to install a copy of itself and enable 
propagation. 

Based on reports we have received, systems
running Windows 95, Windows 98, and Windows NT
are the target platforms
for this Trojan horse program. It is possible
that under some mailer configurations, a user
might automatically open a
malicious file received in the form of an email attachment.
This program is not known to exploit any new vulnerabilities.
While the primary transport mechanism of this program is 
via email, any way of transferring files can also propagate
the program. 

The ExploreZip Trojan horse has been propagated in
the form of email messages containing the file 
zipped_files.exe as an attachment. The body of the 
email message usually appears to come from a known 
email correspondent, and may contain
the following text: 

I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs. 

The subject line of the message may not be predictable
and may appear to be sent in reply to previous email. 
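The message pattern just described (a reply-looking message carrying a zipped_files.exe attachment and the quoted lure sentence) is something a mail gateway or an incident responder can match on. The following Python check is an added example, not part of the CERT advisory; the sample message it builds is constructed here, its attachment is a placeholder byte string rather than the Trojan horse, and the field names in the report dictionary are this example's own choice.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory text: the attachment name and the lure sentence.
ATTACHMENT_NAME = "zipped_files.exe"
LURE_TEXT = "take a look at the attached zipped docs"


def scan_message(raw):
    """Return a small report for one RFC 822 message: which ExploreZip indicators it carries."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower() == ATTACHMENT_NAME:
            reasons.append("attachment named " + filename)
        if part.get_content_type() == "text/plain":
            if LURE_TEXT in part.get_content().lower():
                reasons.append("lure text in body")
    subject = str(msg["subject"] or "")
    # The advisory notes the message often looks like a reply; record that as context, not proof.
    looks_like_reply = subject.lower().startswith("re:")
    return {"suspicious": bool(reasons), "reasons": reasons,
            "subject": subject, "looks_like_reply": looks_like_reply}


def build_sample():
    """Constructed message shaped like the one the advisory describes; the attachment
    is a placeholder byte string, not the Trojan horse."""
    m = EmailMessage()
    m["From"] = "colleague@example.invalid"
    m["To"] = "you@example.invalid"
    m["Subject"] = "Re: meeting notes"
    m.set_content("I received your email and I shall send you a reply ASAP.\n"
                  "Till then, take a look at the attached zipped docs.\n")
    m.add_attachment(b"MZ placeholder", maintype="application",
                     subtype="octet-stream", filename="zipped_files.exe")
    return m.as_string()


# Constructed benign message, used to show that ordinary mail is not flagged.
BENIGN_SAMPLE = "From: a@example.invalid\nTo: b@example.invalid\nSubject: lunch\n\nSee you at noon.\n"

if __name__ == "__main__":
    for raw in (build_sample(), BENIGN_SAMPLE):
        print(scan_message(raw))
```

Matching on the attachment name alone is enough to quarantine; the lure text and the "Re:" subject are recorded separately because the advisory says the subject line is not predictable, so they serve as supporting context rather than as the trigger.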

Opening the zipped_files.exe file causes the program 
to execute. At this time, there is conflicting information
about the exact
actions taken by zipped_files.exe when executed. 
One possible reason for conflicting information may
be that there are
multiple variations of the program being propagated,
although we have not confirmed this one way or the other.
Currently,
we have the following general information on actions 
taken by the program. 

The program searches local and networked drives
(drive letters C through Z) for specific file
types and attempts to erase the contents of the files,
leaving a zero byte file. The targets may include 
Microsoft Office files, such as .doc,
.xls, and .ppt, and various source code files,
such as .c, .cpp, .h, and .asm.

The program propagates by replying to any new email
that is received by an infected computer. A copy of
zipped_files.exe is attached to the reply message.

The program creates an entry in the Windows 95/98 WIN.INI file:

run=C:\WINDOWS\SYSTEM\Explore.exe

On Windows NT systems, an entry is made in the system registry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
run = "c:\winnt\system32\explore.exe"

The program creates a file called explore.exe 
in the following locations:

Windows 95/98 - c:\windows\system\explore.exe
Windows NT - c:\winnt\system32\explore.exe

This file is a copy of the zipped_files.exe 
Trojan horse, and the file size is 210432 bytes.

MD5 (Explore.exe) = 0e10993050e5ed199e90f7372259e44b
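The three host-side indicators above (the run= persistence entry, the dropped explore.exe with its size and MD5, and the zero-byte files left behind) can be checked together. The Python below is an added example, not part of the advisory: it reads a WIN.INI fragment, inspects a candidate binary, sweeps a directory tree for zeroed files of the targeted extensions, and gives a plain verdict. The WIN.INI text, the scratch directory and the fake explore.exe are all constructed here; the real Trojan horse is not involved, so the hash comparison is expected to report a mismatch.

```python
import configparser
import hashlib
import os
import tempfile

# Values quoted in CERT CA-99-06 for the dropped copy of the Trojan horse.
ADVISORY_MD5 = "0e10993050e5ed199e90f7372259e44b"
ADVISORY_SIZE = 210432
DROPPED_NAME = "explore.exe"
# Extensions the advisory lists as targets for zeroing.
TARGET_EXTS = {".doc", ".xls", ".ppt", ".c", ".cpp", ".h", ".asm"}


def run_entries_from_win_ini(text):
    """Programs listed under run= in the [windows] section of WIN.INI.
    WIN.INI separates several programs with spaces or commas; paths containing
    spaces are not handled, which fits the 8.3 names of the Windows 95/98 era."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("windows"):
        return []
    raw = cp.get("windows", "run", fallback="")
    return raw.replace(",", " ").split()


def is_explore_run_value(value):
    """True when a run value (WIN.INI or the NT registry) names the dropped explore.exe."""
    return os.path.basename(value.replace("\\", "/")).lower() == DROPPED_NAME


def inspect_binary(path):
    """Size and MD5 of a file, compared with the advisory's sample."""
    if not os.path.isfile(path):
        return {"present": False}
    with open(path, "rb") as fh:
        data = fh.read()
    digest = hashlib.md5(data, usedforsecurity=False).hexdigest()
    return {"present": True, "size": len(data), "md5": digest,
            "size_match": len(data) == ADVISORY_SIZE,
            "md5_match": digest == ADVISORY_MD5}


def zeroed_target_files(root):
    """Zero-byte files with a targeted extension: the damage pattern the advisory describes."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in TARGET_EXTS and os.path.getsize(full) == 0:
                hits.append(full)
    return sorted(hits)


def assess_host(win_ini_text, binary_path, data_root):
    """Combine the indicators into one report with a plain verdict."""
    run_values = run_entries_from_win_ini(win_ini_text)
    persistence = [v for v in run_values if is_explore_run_value(v)]
    binary = inspect_binary(binary_path)
    zeroed = zeroed_target_files(data_root)
    if persistence and binary.get("md5_match"):
        verdict = "ExploreZip: persistence entry and binary match CA-99-06"
    elif persistence and binary.get("present"):
        verdict = "suspicious: persistence entry present but binary differs from the advisory sample (possible variant)"
    elif persistence:
        verdict = "stale: persistence entry present, binary missing"
    else:
        verdict = "no ExploreZip persistence entry"
    return {"run_values": run_values, "persistence": persistence,
            "binary": binary, "zeroed_files": zeroed, "verdict": verdict}


# Constructed WIN.INI fragment carrying the entry quoted in the advisory.
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\Explore.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""


def demo():
    """Build a scratch tree standing in for the system directory and a user's documents."""
    scratch = tempfile.mkdtemp(prefix="explorezip_demo_")
    system_dir = os.path.join(scratch, "system")
    docs_dir = os.path.join(scratch, "docs")
    os.makedirs(system_dir)
    os.makedirs(docs_dir)
    fake_binary = os.path.join(system_dir, "explore.exe")
    with open(fake_binary, "wb") as fh:
        fh.write(b"MZ placeholder, not the real program")
    # Two zeroed targets, one zeroed non-target (.txt) and one intact target (.xls).
    for name, content in (("report.doc", b""), ("main.c", b""), ("notes.txt", b""), ("ok.xls", b"x")):
        with open(os.path.join(docs_dir, name), "wb") as fh:
            fh.write(content)
    return assess_host(SAMPLE_WIN_INI, fake_binary, docs_dir)


if __name__ == "__main__":
    report = demo()
    print(report["verdict"])
    for path in report["zeroed_files"]:
        print("zeroed:", path)
```

On an actual Windows 95/98 host the WIN.INI text would be read from the system directory and the binary path taken from the run value itself; on NT the same `is_explore_run_value` test applies to the registry value the advisory quotes. A hash mismatch with a persistence hit is the interesting case, since the advisory itself says several variants may be circulating.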

We will update this advisory with more specific
information as we are able to confirm details. 
Please check the CERT/CC
web site for the current version containing
a complete revision history. 

II. Impact

Users who execute the zipped_files.exe 
Trojan horse will infect the host system,
potentially causing targeted files to
be destroyed.

Indirectly, this Trojan horse could cause a
denial of service on mail servers. 
Several large sites have reported
performance problems with their mail servers
as a result of the propagation of this Trojan horse.

III. Solution

Use virus scanners

In order to detect and clean current viruses
you must keep your scanning tools up to date
with the latest definition files. 

Please see the following anti-virus vendor 
resources for more information about the 
characteristics and removal techniques
for the malicious file known as ExploreZip. 

Central Command
http://www.avp.com/upgrade/upgrade.html

Command Software Systems, Inc
http://www.commandcom.com/html/virus/explorezip.html

Computer Associates
http://support.cai.com/Download/virussig.html

Data Fellows
http://www.datafellows.com/news/pr/eng/19990610.htm

McAfee, Inc. (a Network Associates company)
http://www.mcafee.com/viruses/explorezip/protecting_yourself.asp

Network Associates Incorporated
http://www.avertlabs.com/public/datafiles/valerts/vinfo/va10185.asp

Sophos, Incorporated
http://www.sophos.com/downloads/ide/index.html#explorez

Symantec
http://www.sarc.com/avcenter/download.html

Trend Micro Incorporated
http://www.antivirus.com/download/pattern.htm

General protection from email Trojan horses and viruses

Some previous examples of malicious files known to have propagated
through electronic mail include 

False upgrade to Internet Explorer - discussed in CA-99-02 
http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html

Melissa macro virus - discussed in CA-99-04
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html

Happy99.exe Trojan Horse - discussed in IN-99-02
http://www.cert.org/incident_notes/IN-99-02.html

CIH/Chernobyl virus - discussed in IN-99-03
http://www.cert.org/incident_notes/IN-99-03.html

In each of the above cases, the effects of the malicious
file are activated only when the file in question is executed.
Social engineering is typically employed to trick
a recipient into executing the malicious file. 
Some of the social engineering
techniques we have seen used include 

Making false claims that a file attachment 
contains a software patch or update

Implying or using entertaining content to 
entice a user into executing a malicious file

Using email delivery techniques which cause
the message to appear to have come from a 
familiar or trusted source

Packaging malicious files in deceptively
familiar ways (e.g., use of familiar but 
deceptive program icons or file names)

The best advice with regard to malicious 
files is to avoid executing them in the first place. 
CERT advisory CA-99-02 discusses Trojan horses 
and offers suggestions to avoid them (please see Section V).

http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html

Additional information

Additional sources of virus information are listed at

http://www.cert.org/other_sources/viruses.html 


This document is available from:
http://www.cert.org/advisories/CA-99-06-explorezip.html. 


CERT/CC Contact Information

Email: [EMAIL PROTECTED]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT personnel answer the hotline 08:00-20:00
EST(GMT-5) / EDT(GMT-4) Monday through Friday;
they are on call for
emergencies during other hours, on U.S. holidays,
and on weekends. 

Using encryption

We strongly urge you to encrypt sensitive information
sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key. If you prefer
to use DES, please call the CERT hotline for more 
information. 

Getting security information

CERT publications and other security information 
are available from our web site http://www.cert.org/. 

To be added to our mailing list for advisories
and bulletins, send email to
[EMAIL PROTECTED] and include
SUBSCRIBE your-email-address 
in the subject of your message. 

Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be
found in http://www.cert.org/legal_stuff.html. 

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office 

NO WARRANTY

Any material furnished by Carnegie Mellon University
and the Software Engineering Institute is furnished on an
"as is" basis. Carnegie Mellon University makes no
warranties of any kind, either expressed or implied as to any
matter including, but not limited to, warranty of fitness
for a particular purpose or merchantability, exclusivity or
results obtained from use of the material.
Carnegie Mellon University does not make any warranty 
of any kind with
respect to freedom from patent, trademark, 
or copyright infringement. 

Revision History


*********** REPLY SEPARATOR  ***********

On 6/21/99 at 2:56 PM Denny Firmansyah wrote:

>Don't jump to conclusions about the person, Bu; I think whoever 'sent' it to you
>doesn't know either... 
>As far as I know, this worm virus does have the ability to spread automatically
>via e-mail to the addresses of other colleagues listed on the infected computer.
>The workaround for now:
>If you receive an e-mail (from anyone) that has the attachment file
>zip_file.exe, DO NOT OPEN/EXECUTE THAT FILE, JUST DELETE THE MAIL
>RIGHT AWAY.
>This virus can be detected and deleted with McAfee version 4.02 with data update
>4030 (unfortunately I don't have the installer); perhaps another colleague
>knows/has it?
>Thank you,
>
>Denny F.
>_____________
>Padmorini, Niken wrote:
>



Visit:
http://www.balita-anda.indoglobal.com

--------------------------------------------------------------------------
"For those who long for their toddler to grow up healthy & smart"
To subscribe, e-mail: [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
http://pencarian-informasi.or.id/ - Internet Information Search Solutions
