ESB-1999.075 -- CERT Advisory CA-99-06 -- ExploreZip Trojan Horse Program

Date: 11 June 1999


==========================================================================
              AUSCERT External Security Bulletin Redistribution
                             
                   ESB-1999.075 -- CERT Advisory CA-99-06
                      ExploreZip Trojan Horse Program
                               11 June 1999

===========================================================================

The CERT Coordination Centre has released the following advisory concerning
a Windows 9x/NT Trojan horse program that is propagated in email
attachments with the file name "zipped_files.exe". Opening the attachment
may cause the program to search for and destroy certain file types such
as Microsoft Office documents and propagate by replying to email with a
copy of itself attached.

In addition, any mail handling system could experience performance problems
or a denial of service as a result of the propagation of this Trojan horse
program.

- --------------------------BEGIN INCLUDED TEXT--------------------

CERT Advisory CA-99-06 ExploreZip Trojan Horse Program

   Original issue date: Thursday June 10, 1999
   Source: CERT/CC
   
Systems Affected

     * Machines running Windows 95, Windows 98, or Windows NT.
     * Any mail handling system could experience performance problems or
       a denial of service as a result of the propagation of this Trojan
       horse program.
       
Overview

   The CERT Coordination Center continues to receive reports and
   inquiries regarding various forms of malicious executable files that
   are propagated as file attachments in electronic mail.
   
   Most recently, the CERT/CC has received reports of sites affected by
   ExploreZip, a Windows Trojan horse program.
   
I. Description

   The CERT/CC has received reports of a Trojan horse program that is
   propagating in email attachments. This program is called ExploreZip.
   The number and variety of reports we have received indicate that this
   has the potential to be a widespread attack affecting a variety of
   sites.
   
   Our analysis indicates that this Trojan horse program requires the
   victim to run the attached zipped_files.exe program in order to install
   a copy of itself and enable propagation.
   
   Based on reports we have received, systems running Windows 95, Windows
   98, and Windows NT are the target platforms for this Trojan horse
   program. It is possible that under some mailer configurations, a user
   might automatically open a malicious file received in the form of an
   email attachment. This program is not known to exploit any new
   vulnerabilities. While the primary transport mechanism of this program
   is via email, any way of transferring files can also propagate the
   program.
   
   The ExploreZip Trojan horse has been propagated in the form of email
   messages containing the file zipped_files.exe as an attachment. The
   body of the email message usually appears to come from a known email
   correspondent, and may contain the following text:
   
          I received your email and I shall send you a reply ASAP.
          Till then, take a look at the attached zipped docs.
          
   The subject line of the message may not be predictable and may appear
   to be sent in reply to previous email.
   
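As an added example (not part of the CERT advisory), the mail-gateway check below parses a constructed message shaped like the lure described above and flags the zipped_files.exe attachment and the body text on their own, so either indicator can be acted on; the sender address, subject and MIME boundary are placeholders.

```python
import email
from email import policy

# Constructed sample message: attachment name and body text are the ones the
# advisory describes; sender, subject and boundary are placeholders.
SAMPLE_MSG = b"""\
From: colleague@example.com
Subject: Re: status report
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Hi! I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.

--XYZ
Content-Type: application/octet-stream; name="zipped_files.exe"
Content-Disposition: attachment; filename="zipped_files.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--XYZ--
"""

LURE_PHRASES = ("i received your email", "attached zipped docs")
SUSPECT_NAME = "zipped_files.exe"

def explorezip_indicators(raw: bytes) -> dict:
    """Return which of the CA-99-06 mail indicators a raw message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachment_names = []
    body_text = ""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container only; its children are visited next
        fname = part.get_filename()
        if fname:
            attachment_names.append(fname)
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content()
    lowered = body_text.lower()
    return {
        "exe_attachment": any(n.lower() == SUSPECT_NAME for n in attachment_names),
        "any_exe": any(n.lower().endswith(".exe") for n in attachment_names),
        "lure_text": all(p in lowered for p in LURE_PHRASES),
    }

def should_quarantine(raw: bytes) -> bool:
    """Hold the message on the exact attachment name, or any .exe plus the lure text."""
    ind = explorezip_indicators(raw)
    return ind["exe_attachment"] or (ind["any_exe"] and ind["lure_text"])
```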
   Opening the zipped_files.exe file causes the program to execute. At
   this time, there is conflicting information about the exact actions
   taken by zipped_files.exe when executed. One possible reason for
   conflicting information may be that there are multiple variations of
   the program being propagated, although we have not confirmed this one
   way or the other. Currently, we have the following general information
   on actions taken by the program.
   
     * The program searches local and networked drives (drive letters C
       through Z) for specific file types and attempts to erase the
       contents of the files, leaving a zero byte file. The targets may
       include Microsoft Office files, such as .doc, .xls, and .ppt, and
       various source code files, such as .c, .cpp, .h, and .asm.
     * The program propagates by replying to any new email that is
       received by an infected computer. A copy of zipped_files.exe is
       attached to the reply message.
     * The program creates an entry in the Windows 95/98 WIN.INI file:
       run=C:\WINDOWS\SYSTEM\Explore.exe
       On Windows NT systems, an entry is made in the system registry:
       [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
       run = "c:\winnt\system32\explore.exe"
     * The program creates a file called explore.exe in the following
       locations:
       Windows 95/98 - c:\windows\system\explore.exe
       Windows NT - c:\winnt\system32\explore.exe
       This file is a copy of the zipped_files.exe Trojan horse, and the
       file size is 210432 bytes.
       MD5 (Explore.exe) = 0e10993050e5ed199e90f7372259e44b
       
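Added example, not code from the advisory: a host-side check for the persistence entry and the dropped-file indicators listed above, run here against a constructed WIN.INI fragment and a constructed dummy file (which therefore does not match the published size or hash). The Windows NT registry value would be compared the same way; reading the registry is not shown.

```python
import hashlib
import re

# Indicators published in CA-99-06 for the dropped copy of the Trojan horse.
EXPLORE_MD5 = "0e10993050e5ed199e90f7372259e44b"
EXPLORE_SIZE = 210432
DROP_PATHS = (r"c:\windows\system\explore.exe", r"c:\winnt\system32\explore.exe")

def check_win_ini(win_ini_text: str) -> list:
    """Return run= or load= values in any section that launch explore.exe."""
    hits = []
    for line in win_ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("[", ";")) or "=" not in line:
            continue  # section header, comment or non key=value line
        key, _, value = line.partition("=")
        if key.strip().lower() in ("run", "load") and "explore.exe" in value.lower():
            hits.append(value.strip())
    return hits

def check_file(path: str, data: bytes) -> dict:
    """Compare a candidate file's location, size and MD5 with the advisory's values."""
    digest = hashlib.md5(data).hexdigest()
    return {
        "known_drop_path": path.lower() in DROP_PATHS,
        "size_match": len(data) == EXPLORE_SIZE,
        "md5_match": digest == EXPLORE_MD5,
    }

def host_is_suspicious(win_ini_text: str, path: str, data: bytes) -> bool:
    """Persistence entry alone is enough; a file is flagged only on a hash match."""
    return bool(check_win_ini(win_ini_text)) or check_file(path, data)["md5_match"]

# Constructed sample WIN.INI; the run= line mirrors the entry the advisory describes.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\Explore.exe
; comment line
[Desktop]
Wallpaper=(None)
"""
```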
   We will update this advisory with more specific information as we are
   able to confirm details. Please check the CERT/CC web site for the
   current version containing a complete revision history.
   
II. Impact

     * Users who execute the zipped_files.exe Trojan horse will infect
       the host system, potentially causing targeted files to be
       destroyed.
     * Indirectly, this Trojan horse could cause a denial of service on
       mail servers. Several large sites have reported performance
       problems with their mail servers as a result of the propagation of
       this Trojan horse.
       
III. Solution

Use virus scanners

   In order to detect and clean current viruses you must keep your
   scanning tools up to date with the latest definition files.
   
   Please see the following anti-virus vendor resources for more
   information about the characteristics and removal techniques for the
   malicious file known as ExploreZip.
   
   Central Command
          http://www.avp.com/upgrade/upgrade.html

   Command Software Systems, Inc
          http://www.commandcom.com/html/virus/explorezip.html

   Computer Associates
          http://support.cai.com/Download/virussig.html

   Data Fellows
          http://www.datafellows.com/news/pr/eng/19990610.htm

   McAfee, Inc. (a Network Associates company)
          http://www.mcafee.com/viruses/explorezip/protecting_yourself.asp

   Network Associates Incorporated
          http://www.avertlabs.com/public/datafiles/valerts/vinfo/va10185.asp

   Sophos, Incorporated
          http://www.sophos.com/downloads/ide/index.html#explorez

   Symantec
          http://www.sarc.com/avcenter/download.html

   Trend Micro Incorporated
          http://www.antivirus.com/download/pattern.htm
          
General protection from email Trojan horses and viruses

   Some previous examples of malicious files known to have propagated
   through electronic mail include
     * False upgrade to Internet Explorer - discussed in CA-99-02
       http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html
     * Melissa macro virus - discussed in CA-99-04
       http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
     * Happy99.exe Trojan Horse - discussed in IN-99-02
       http://www.cert.org/incident_notes/IN-99-02.html
     * CIH/Chernobyl virus - discussed in IN-99-03
       http://www.cert.org/incident_notes/IN-99-03.html
       
   In each of the above cases, the effects of the malicious file are
   activated only when the file in question is executed. Social
   engineering is typically employed to trick a recipient into executing
   the malicious file. Some of the social engineering techniques we have
   seen used include
     * Making false claims that a file attachment contains a software
       patch or update
     * Implying or using entertaining content to entice a user into
       executing a malicious file
     * Using email delivery techniques which cause the message to appear
       to have come from a familiar or trusted source
     * Packaging malicious files in deceptively familiar ways (e.g., use
       of familiar but deceptive program icons or file names)
       
   The best advice with regard to malicious files is to avoid executing
   them in the first place. CERT advisory CA-99-02 discusses Trojan
   horses and offers suggestions to avoid them (please see Section V).
   
   http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html
          
Additional information

   Additional sources of virus information are listed at
   
   http://www.cert.org/other_sources/viruses.html
   ______________________________________________________________________
   
   This document is available from:
   http://www.cert.org/advisories/CA-99-06-explorezip.html.
   ______________________________________________________________________
   
CERT/CC Contact Information

   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.
          
   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.
   
Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
   If you prefer to use DES, please call the CERT hotline for more
   information.
   
Getting security information

   CERT publications and other security information are available from
   our web site http://www.cert.org/.
   
   To be added to our mailing list for advisories and bulletins, send
   email to cert-advisory-request@cert.org and include SUBSCRIBE
   your-email-address in the subject of your message.
   
   Copyright 1999 Carnegie Mellon University.
   Conditions for use, disclaimers, and sponsorship information can be
   found in http://www.cert.org/legal_stuff.html.
   
   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office
   ______________________________________________________________________
   
   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
   
   Revision History
   
   June 10, 1999: Initial release


- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be made in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It will
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.
