Taken from http://members.tripod.com/skool/zip.html
Hope it is useful. Regards, Eriyawan
==================

Achtung [forewarned is forearmed]

The following information is about the new "ExploreZip Trojan Horse Program", which is much more dangerous than the "Melissa" virus and whose implications are not yet well known. This is a very * d a n g e r o u s * "virus/malicious/trojan" program. It is mostly spread through mail and ICQ. Read the following information carefully and prevent your machine from getting affected.

Important: If you do care about your friends, then forward this page to everyone you know.

I. Systems Affected

Machines running Windows 95, Windows 98, or Windows NT. Any mail handling system could experience performance problems or a denial of service as a result of the propagation of this Trojan horse program.

II. Description

This Trojan horse program is mostly propagated through email attachments. The program is called ExploreZip. The number and variety of reports indicate that this has the potential to be a widespread attack affecting a variety of sites and machines.

This Trojan horse program requires the victim to run the attached zipped_files.exe program in order to install a copy of itself and enable propagation. Based on reports received, systems running Windows 95, Windows 98, and Windows NT are the target platforms for this Trojan horse program. It is possible that under some mailer configurations, a user might automatically open a malicious file received in the form of an email attachment. This program is not known to exploit any new vulnerabilities. While the primary transport mechanism of this program is via email, any way of transferring files can also propagate the program.

The ExploreZip Trojan horse has been propagated in the form of email messages containing the file zipped_files.exe as an attachment.
The body of the email message usually appears to come from a known email correspondent, and may contain the following text:

  I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs.

The subject line of the message may not be predictable and may appear to be sent in reply to previous email.

Opening the zipped_files.exe file causes the program to execute. At this time, there is conflicting information about the exact actions taken by zipped_files.exe when executed. One possible reason for the conflicting information is that multiple variations of the program are being propagated. The following is general information on the actions taken by the program.

The program searches local and networked drives (drive letters C through Z) for specific file types and attempts to _erase_ the contents of the files, leaving a zero-byte file. The targets may include Microsoft Office files, such as .doc, .xls, and .ppt, and various source code files, such as .c, .cpp, .h, and .asm.

The program propagates by replying to any new email that is received by an infected computer. A copy of zipped_files.exe is attached to the reply message.

The program creates an entry in the Windows 95/98 WIN.INI file:

  run=C:\WINDOWS\SYSTEM\Explore.exe

On Windows NT systems, an entry is made in the system registry:

  [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
  run = "c:\winnt\system32\explore.exe"

The program creates a file called explore.exe in the following locations:

  Windows 95/98 - c:\windows\system\explore.exe
  Windows NT    - c:\winnt\system32\explore.exe

This file is a copy of the zipped_files.exe Trojan horse, and the file size is 210432 bytes.

  MD5 (Explore.exe) = 0e10993050e5ed199e90f7372259e44b

III. Impact

Users who execute the zipped_files.exe Trojan horse will infect the host system, potentially causing targeted files to be destroyed.
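As an added example (not part of the advisory and not any vendor's tool), the following Python checks for the indicators the description above gives: the zipped_files.exe attachment name and lure text in a mail message, the run= entry under [windows] in WIN.INI, and the size and MD5 of the dropped explore.exe. The sample message and WIN.INI contents are constructed; the NT registry entry is not covered.

```python
import hashlib
from email import message_from_string

# Indicators quoted from the advisory; not a complete signature, a variant may match none.
LURE_ATTACHMENT = "zipped_files.exe"
LURE_TEXT = "i received your email and i shall send you a reply asap"
EXPLORE_EXE_SIZE = 210432
EXPLORE_EXE_MD5 = "0e10993050e5ed199e90f7372259e44b"

def mail_indicators(raw_message: str) -> list:
    """Return the ExploreZip indicators present in one RFC 822 message."""
    hits = []
    for part in message_from_string(raw_message).walk():
        if (part.get_filename() or "").lower() == LURE_ATTACHMENT:
            hits.append("attachment:" + LURE_ATTACHMENT)
        if part.get_content_type() == "text/plain":
            body = (part.get_payload(decode=True) or b"").decode("latin-1")
            if LURE_TEXT in " ".join(body.split()).lower():  # whitespace collapsed
                hits.append("lure-text")
    return hits

def winini_run_entry(win_ini_text: str) -> str:
    """Return the run= value from the [windows] section if it names explore.exe, else ''."""
    section = ""
    for line in win_ini_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() == "run" and "explore.exe" in value.lower():
                return value
    return ""

def dropped_file_matches(data: bytes) -> bool:
    """True when data has the size and MD5 the advisory gives for explore.exe."""
    return len(data) == EXPLORE_EXE_SIZE and hashlib.md5(data).hexdigest() == EXPLORE_EXE_MD5

# Constructed sample input shaped like the lure the advisory describes.
SAMPLE_MAIL = (
    "From: colleague@example.test\r\nSubject: Re: your mail\r\n"
    'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n--b1\r\nContent-Type: text/plain\r\n\r\n"
    "I received your email and I shall send you a reply ASAP.\r\n"
    "Till then, take a look at the attached zipped docs.\r\n"
    "\r\n--b1\r\nContent-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="zipped_files.exe"\r\n'
    "\r\nAAAA\r\n--b1--\r\n"  # placeholder attachment body, not the Trojan
)
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\Explore.exe\n"
```

Running dropped_file_matches over a real file on disk means reading its bytes first; a size mismatch alone rules the file out without hashing.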
Indirectly, this Trojan horse could cause a denial of service on mail servers. Several large sites have reported performance problems with their mail servers as a result of the propagation of this Trojan horse.

IV. Solution

Use virus scanners. In order to detect and clean current viruses you must keep your scanning tools up to date with the latest definition files. Please see the following anti-virus vendor resources for more information about the characteristics and removal techniques for the malicious file known as ExploreZip.

  Central Command
  http://www.avp.com/upgrade/upgrade.html

  Command Software Systems, Inc
  http://www.commandcom.com/html/virus/explorezip.html

  Computer Associates
  http://support.cai.com/Download/virussig.html

  Data Fellows
  http://www.datafellows.com/news/pr/eng/19990610.htm

  McAfee, Inc. (a Network Associates company)
  http://www.mcafee.com/viruses/explorezip/protecting_yourself.asp

  Network Associates Incorporated
  http://www.avertlabs.com/public/datafiles/valerts/vinfo/va10185.asp

  Sophos, Incorporated
  http://www.sophos.com/downloads/ide/index.html#explorez

  Symantec
  http://www.sarc.com/avcenter/download.html

  Trend Micro Incorporated
  http://www.antivirus.com/download/pattern.htm

V. General protection from email Trojan horses and viruses

Some previous examples of malicious files known to have propagated through electronic mail include:

  False upgrade to Internet Explorer
  Melissa macro virus
  Happy99.exe Trojan horse
  CIH/Chernobyl virus

In each of the above cases, the effects of the malicious file are activated only when the file in question is executed. Social engineering is typically employed to trick a recipient into executing the malicious file.
Some of the social engineering techniques used include:

  Making false claims that a file attachment contains a software patch or update
  Implying or using entertaining content to entice a user into executing a malicious file
  Using email delivery techniques which cause the message to appear to have come from a familiar or trusted source
  Packaging malicious files in deceptively familiar ways (e.g., use of familiar but deceptive program icons or file names)

The best advice with regard to malicious files is to avoid executing them in the first place.

June 08, 1999: Initial release.
___________________________________________________________________
To subscribe: "subscribe envorum" to [EMAIL PROTECTED]
To unsubscribe: "unsubscribe envorum" to [EMAIL PROTECTED]
Archive at http://www.mail-archive.com/[email protected] or at http://www.egroups.com/list/envorum
