A new e-mail worm spreading globally

'ZippedFiles' or 'ExploreZip' spreads like Melissa

Espoo, Finland, June 10, 1999 - A new e-mail worm has been found and is spreading rapidly through the Internet. This virus works like a chain letter and carries a destructive payload. So far, it has been reported from a dozen countries, including the USA, Germany, Norway, Israel and the Czech Republic. The virus is expected to spread globally within hours.

This virus is known as either 'ZippedFiles' or 'ExploreZip'. It reaches a user as an e-mail attachment. When the attachment is opened, the virus will browse through the inbox of the Microsoft Outlook e-mail program and will send a reply to every message.

As a result, if a user called John Doe has recently received an e-mail from Jane Smith with the subject 'Please check these numbers', John's machine will automatically send a message which will look like this:

  From: John Doe
  To: Jane Smith
  Subject: RE: Please check these numbers

  Hi Jane

  I have received your email and I shall send you a reply ASAP.
  Till then take a look at the attached zipped docs.
  Sincerely 
       John.
  
  Attachment: zipped_files.exe

The attachment looks like a WinZip archive file. When the recipient tries to unpack it by double-clicking it, he will get a WinZip error message complaining about a broken archive:

  Cannot open file: it does not appear to be a valid archive. 
  If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. 
  Please press F1 for help.

[Image: ZippedFiles/ExploreZip WinZip error message]
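
The message pattern described above (a reply carrying zipped_files.exe, an executable presented as an archive) can be checked at a mail gateway. The following Python sketch is an added example, not part of the original release and not Data Fellows' detection update; the extension list, the reason labels, the example.com addresses and the stub payloads are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the sample message on this page.
WORM_ATTACHMENT = "zipped_files.exe"
WORM_PHRASE = "take a look at the attached zipped docs"
# Assumption: executable extensions a gateway would treat as risky.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif")

def inspect_message(raw: bytes) -> list:
    """Return the reasons a raw RFC 822 message matches the pattern."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if WORM_PHRASE in " ".join(text.lower().split()):  # ignore line wrapping
        reasons.append("body-phrase")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name == WORM_ATTACHMENT:
            reasons.append("known-attachment-name")
        if name.endswith(EXECUTABLE_EXTS):
            reasons.append("executable-extension")
        # DOS/PE executables start with "MZ"; real ZIP archives with "PK".
        if "zip" in name and data[:2] == b"MZ":
            reasons.append("archive-name-but-executable-header")
    return reasons

def build_sample(body: str, filename: str, payload: bytes) -> bytes:
    # Builds a constructed test message; addresses are placeholders.
    m = EmailMessage()
    m["From"] = "John Doe <john@example.com>"
    m["To"] = "Jane Smith <jane@example.com>"
    m["Subject"] = "RE: Please check these numbers"
    m.set_content(body)
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

# Constructed inputs: header stubs only, not real executables or archives.
WORM_LIKE = build_sample(
    "Hi Jane\n\nI have received your email and I shall send you a reply ASAP.\n"
    "Till then take a look at the attached zipped docs.\nSincerely\n     John.\n",
    "zipped_files.exe", b"MZ" + bytes(62))
BENIGN = build_sample("See the figures attached.", "numbers.zip",
                      b"PK\x03\x04" + bytes(26))

if __name__ == "__main__":
    print(inspect_message(WORM_LIKE), inspect_message(BENIGN))
```
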

In addition to spreading like a chain letter, the virus will try to overwrite the user's files on any accessible drives, including all network drives. The files that are overwritten must have one of these extensions:

  DOC - Microsoft Word documents
  XLS - Microsoft Excel spreadsheets
  PPT - Microsoft PowerPoint presentations
  ASM - Assembler source files
  CPP - C++ source files

If the recipient is using an e-mail system other than Microsoft Outlook, ZippedFiles will not spread further. However, it will damage the recipient's files. ZippedFiles operates under the Windows 95, 98 and NT operating systems.

"This seems to be spreading fast," Mikko Hypponen, Manager of Anti-Virus Research at Data Fellows Corporation, comments, "but not as fast as Melissa. The key issue here is that messages sent by ZippedFiles are very credible - they are normal-looking replies to messages you have sent earlier. You're quite likely to trust these messages and open the attachment."

Data Fellows has analysed ZippedFiles and has provided an update to detect and disinfect it. More technical information on the virus and the update are both available from http://www.F-Secure.com or http://www.F-Secure.com/v-descs/zipped.shtml