COMPUTERGRAM INTERNATIONAL: JUNE 11 1999
SECTION: INTERNET

Virus Shuts Down Microsoft, Intel, Lucent, EMC, NBC, GE Mail

By Rachel Chalmers

A virus that works like Melissa but seems far more virulent has destroyed files and shut down mail servers at half a dozen or more companies, including Microsoft, Intel, Lucent, EMC, NBC, GE and anti-virus software vendor Symantec, embarrassingly enough.

Variously known as "ZippedFiles", "ExploreZip" and "Worm.ExploreZip", the virus is actually a software worm. It arrives as an email containing the message: "Hi [Recipient Name]! I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. Bye (or Sincerely), Sender Name." As a prevention measure, anyone who gets a message like this should delete it immediately, then empty the deleted items file.

If run on a Windows 9x system, the attached file, called zipped_files.exe, will copy itself to the Windows System directory with the filename Explore.exe. The worm then modifies the WIN.INI registry such that Explore.exe executes every time the user starts Windows. It destroys any file with the extension .h, .c, .cpp, .asm, .doc, .ppt or .xls on the system hard drive or any mapped drives. These file extensions indicate C++ and assembler source files, Word documents, PowerPoint presentations and Excel spreadsheets. The worm also searches through the C through Z drives of a computer system and selects a series of files of any extension to make 0 bytes long, effectively destroying those as well.

ZippedFiles will infect systems without email clients, though if a copy of Microsoft Outlook is not available, it won't spread any further. Like Melissa, however, the original email can propagate itself by sending itself to the addresses in a Microsoft Outlook address book.

San Jose, California-based Data Fellows Corp says the virus has been reported from a dozen countries, including Germany, Norway, Israel and the Czech Republic.

"The key issue here is that messages sent by ZippedFiles are very credible," said Mikko Hypponen, manager of anti-virus research at Data Fellows. "They are normal-looking replies to messages you have sent earlier. You're quite likely to trust these messages and open the attachment."

Data Fellows says it has analyzed the virus and prepared an update to detect and disinfect it. Alternatively, Network Associates Inc suggests restarting an infected computer in MS-DOS mode, editing the WIN.INI file to remove the line run=C:\windows\system\explore.exe and deleting the file c:\windows\system\explore.exe. It should then be safe to restart the computer in Windows.
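
The manual WIN.INI cleanup described above, as an added example in Python (not part of the original article and not a vendor's tool): it strips only the Explore.exe entry from the run= line of the [windows] section and leaves everything else intact. The sample file contents and the function name clean_win_ini are constructed for illustration, and the code assumes run= entries are separated by spaces or commas.

```python
import re

# Constructed sample of an infected WIN.INI (not taken from a real system).
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\windows\\system\\explore.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

WORM_BASENAME = "explore.exe"  # file name the article gives for the dropped copy


def clean_win_ini(text):
    """Return (cleaned_text, removed_entries) for WIN.INI content."""
    out, removed, section = [], [], None
    for line in text.splitlines():
        stripped = line.strip()
        header = re.fullmatch(r"\[(.+)\]", stripped)
        if header:
            section = header.group(1).lower()
        key, sep, value = stripped.partition("=")
        # Only the run= key inside [windows] is the start-up entry in question.
        if section == "windows" and sep and key.strip().lower() == "run":
            keep = []
            # Assumption: several programs may be listed, space or comma separated.
            for prog in re.split(r"[,\s]+", value.strip()):
                if not prog:
                    continue
                base = prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()
                # Exact file-name match, so the legitimate Windows shell
                # explorer.exe is never removed by mistake.
                if base == WORM_BASENAME:
                    removed.append(prog)
                else:
                    keep.append(prog)
            line = "run=" + " ".join(keep)  # an empty run= starts nothing
        out.append(line)
    return "\n".join(out) + "\n", removed


if __name__ == "__main__":
    cleaned, removed = clean_win_ini(SAMPLE_WIN_INI)
    print("removed:", removed)
    print(cleaned)
```

The dropped file itself still has to be deleted separately, as the article's procedure states.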
