Date: Fri, 11 Jun 1999 10:08:30 -0700
Reply-To: Debi Webi <mtngal@SIERRATEL.COM>
Sender: Vanagon Mailing List <vanagon@gerry.vanagon.com>
From: Debi Webi <mtngal@SIERRATEL.COM>
Subject: CERT Advisory CA-99.06 - ExploreZip Trojan Horse Program
Content-Type: text/plain; charset="iso-8859-1"
CERT Advisory CA-99.06 - ExploreZip Trojan Horse Program
> >-----BEGIN PGP SIGNED MESSAGE-----
> >
> >CERT Advisory CA-99-06 ExploreZip Trojan Horse Program
> >
> > Original issue date: Thursday June 10, 1999
> > Source: CERT/CC
> >
> >Systems Affected
> >
> > * Machines running Windows 95, Windows 98, or Windows NT.
> > * Any mail handling system could experience performance problems or
> > a denial of service as a result of the propagation of this Trojan
> > horse program.
> >
> >Overview
> >
> > The CERT Coordination Center continues to receive reports and
> > inquiries regarding various forms of malicious executable files that
> > are propagated as file attachments in electronic mail.
> >
> > Most recently, the CERT/CC has received reports of sites affected by
> > ExploreZip, a Windows Trojan horse program.
> >
> >I. Description
> >
> > The CERT/CC has received reports of a Trojan horse program that is
> > propagating in email attachments. This program is called ExploreZip.
> > The number and variety of reports we have received indicate that this
> > has the potential to be a widespread attack affecting a variety of
> > sites.
> >
> > Our analysis indicates that this Trojan horse program requires the
> > victim to run the attached zipped_files.exe program in order to install
> > a copy of itself and enable propagation.
> >
> > Based on reports we have received, systems running Windows 95, Windows
> > 98, and Windows NT are the target platforms for this Trojan horse
> > program. It is possible that under some mailer configurations, a user
> > might automatically open a malicious file received in the form of an
> > email attachment. This program is not known to exploit any new
> > vulnerabilities. While the primary transport mechanism of this program
> > is via email, any way of transferring files can also propagate the
> > program.
> >
> > The ExploreZip Trojan horse has been propagated in the form of email
> > messages containing the file zipped_files.exe as an attachment. The
> > body of the email message usually appears to come from a known email
> > correspondent, and may contain the following text:
> >
> > I received your email and I shall send you a reply ASAP.
> > Till then, take a look at the attached zipped docs.
> >
> > The subject line of the message may not be predictable and may appear
> > to be sent in reply to previous email.
> >
> > Opening the zipped_files.exe file causes the program to execute. At
> > this time, there is conflicting information about the exact actions
> > taken by zipped_files.exe when executed. One possible reason for
> > conflicting information may be that there are multiple variations of
> > the program being propagated, although we have not confirmed this one
> > way or the other. Currently, we have the following general information
> > on actions taken by the program.
> >
> > * The program searches local and networked drives (drive letters C
> > through Z) for specific file types and attempts to erase the
> > contents of the files, leaving a zero byte file. The targets may
> > include Microsoft Office files, such as .doc, .xls, and .ppt, and
> > various source code files, such as .c, .cpp, .h, and .asm.
> > * The program propagates by replying to any new email that is
> > received by an infected computer. A copy of zipped_files.exe is
> > attached to the reply message.
> > * The program creates an entry in the Windows 95/98 WIN.INI file:
> > run=C:\WINDOWS\SYSTEM\Explore.exe
> > On Windows NT systems, an entry is made in the system registry:
> > [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
> > run = "c:\winnt\system32\explore.exe"
> > * The program creates a file called explore.exe in the following
> > locations:
> > Windows 95/98 - c:\windows\system\explore.exe
> > Windows NT - c:\winnt\system32\explore.exe
> > This file is a copy of the zipped_files.exe Trojan horse, and the
> > file size is 210432 bytes.
> > MD5 (Explore.exe) = 0e10993050e5ed199e90f7372259e44b
> >
> > We will update this advisory with more specific information as we are
> > able to confirm details. Please check the CERT/CC web site for the
> > current version containing a complete revision history.
> >
> >II. Impact
> >
> > * Users who execute the zipped_files.exe Trojan horse will infect
> > the host system, potentially causing targeted files to be
> > destroyed.
> > * Indirectly, this Trojan horse could cause a denial of service on
> > mail servers. Several large sites have reported performance
> > problems with their mail servers as a result of the propagation of
> > this Trojan horse.
> >
> >III. Solution
> >
> >Use virus scanners
> >
> > In order to detect and clean current viruses you must keep your
> > scanning tools up to date with the latest definition files.
> >
> > Please see the following anti-virus vendor resources for more
> > information about the characteristics and removal techniques for the
> > malicious file known as ExploreZip.
> >
> > Central Command
> > http://www.avp.com/upgrade/upgrade.html
> >
> > Command Software Systems, Inc
> > http://www.commandcom.com/html/virus/explorezip.html
> >
> > Computer Associates
> > http://support.cai.com/Download/virussig.html
> >
> > Data Fellows
> > http://www.datafellows.com/news/pr/eng/19990610.htm
> >
> > McAfee, Inc. (a Network Associates company)
> > http://www.mcafee.com/viruses/explorezip/protecting_yourself.asp
> >
> > Network Associates Incorporated
> > http://www.avertlabs.com/public/datafiles/valerts/vinfo/va10185.asp
> >
> > Sophos, Incorporated
> > http://www.sophos.com/downloads/ide/index.html#explorez
> >
> > Symantec
> > http://www.sarc.com/avcenter/download.html
> >
> > Trend Micro Incorporated
> > http://www.antivirus.com/download/pattern.htm
> >
> >General protection from email Trojan horses and viruses
> >
> > Some previous examples of malicious files known to have propagated
> > through electronic mail include
> > * False upgrade to Internet Explorer - discussed in CA-99-02
> > http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html
> > * Melissa macro virus - discussed in CA-99-04
> > http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
> > * Happy99.exe Trojan Horse - discussed in IN-99-02
> > http://www.cert.org/incident_notes/IN-99-02.html
> > * CIH/Chernobyl virus - discussed in IN-99-03
> > http://www.cert.org/incident_notes/IN-99-03.html
> >
> > In each of the above cases, the effects of the malicious file are
> > activated only when the file in question is executed. Social
> > engineering is typically employed to trick a recipient into executing
> > the malicious file. Some of the social engineering techniques we have
> > seen used include
> > * Making false claims that a file attachment contains a software
> > patch or update
> > * Implying or using entertaining content to entice a user into
> > executing a malicious file
> > * Using email delivery techniques which cause the message to appear
> > to have come from a familiar or trusted source
> > * Packaging malicious files in deceptively familiar ways (e.g., use
> > of familiar but deceptive program icons or file names)
> >
> > The best advice with regard to malicious files is to avoid executing
> > them in the first place. CERT advisory CA-99-02 discusses Trojan
> > horses and offers suggestions to avoid them (please see Section V).
> >
> > http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html
> >
> >Additional information
> >
> > Additional sources of virus information are listed at
> >
> > http://www.cert.org/other_sources/viruses.html
> >
> > ______________________________________________________________________
> >
> > This document is available from:
> > http://www.cert.org/advisories/CA-99-06-explorezip.html.
> >
> > ______________________________________________________________________
> >
> >CERT/CC Contact Information
> >
> > Email: cert@cert.org
> > Phone: +1 412-268-7090 (24-hour hotline)
> > Fax: +1 412-268-6989
> > Postal address:
> > CERT Coordination Center
> > Software Engineering Institute
> > Carnegie Mellon University
> > Pittsburgh PA 15213-3890
> > U.S.A.
> >
> > CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
> > Monday through Friday; they are on call for emergencies during other
> > hours, on U.S. holidays, and on weekends.
> >
> >Using encryption
> >
> > We strongly urge you to encrypt sensitive information sent by email.
> > Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
> > If you prefer to use DES, please call the CERT hotline for more
> > information.
> >
> >Getting security information
> >
> > CERT publications and other security information are available from
> > our web site http://www.cert.org/.
> >
> > To be added to our mailing list for advisories and bulletins, send
> > email to cert-advisory-request@cert.org and include SUBSCRIBE
> > your-email-address in the subject of your message.
> >
> > Copyright 1999 Carnegie Mellon University.
> > Conditions for use, disclaimers, and sponsorship information can be
> > found in http://www.cert.org/legal_stuff.html.
> >
> > * "CERT" and "CERT Coordination Center" are registered in the U.S.
> > Patent and Trademark Office
> >
> > ______________________________________________________________________
> >
> > NO WARRANTY
> > Any material furnished by Carnegie Mellon University and the Software
> > Engineering Institute is furnished on an "as is" basis. Carnegie
> > Mellon University makes no warranties of any kind, either expressed or
> > implied as to any matter including, but not limited to, warranty of
> > fitness for a particular purpose or merchantability, exclusivity or
> > results obtained from use of the material. Carnegie Mellon University
> > does not make any warranty of any kind with respect to freedom from
> > patent, trademark, or copyright infringement.
> >
> > Revision History
> >
> > June 10, 1999: Initial release
> >
> >-----BEGIN PGP SIGNATURE-----
> >Version: 2.6.2
> >-----END PGP SIGNATURE-----
>
> David Beierl - dbeierl@ibm.net
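Added here as an illustration, not part of the advisory or of this mailing-list post: a Python checker that looks for the run= persistence entry the advisory describes in WIN.INI-style or registry-export text and compares a file's size and MD5 against the advisory's indicators. The sample inputs, the function names, and the doubled-backslash registry-export form are assumptions of this example; the size and hash values are the ones quoted in the advisory.

```python
import hashlib
import re

# Indicators quoted from CERT CA-99-06 above: dropped-file size and MD5.
EXPLOREZIP_MD5 = "0e10993050e5ed199e90f7372259e44b"
EXPLOREZIP_SIZE = 210432

# "run=<cmd>" as written in WIN.INI (Windows 95/98), or "run"="<cmd>" as a
# registry export renders the NT value named in the advisory (assumed form).
RUN_LINE = re.compile(r'^"?run"?\s*=\s*"?(?P<cmd>[^"\r\n]+?)"?\s*$', re.IGNORECASE)


def find_run_persistence(text):
    """Return (section, command) for every run= entry whose target file is
    explore.exe. Only the last path component is compared, so the
    legitimate explorer.exe is not flagged and REGEDIT-escaped '\\\\'
    paths still resolve to their final component."""
    hits, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]  # [windows] in WIN.INI, or the registry key
            continue
        m = RUN_LINE.match(line)
        if m:
            cmd = m.group("cmd").strip()
            if cmd.replace("/", "\\").split("\\")[-1].lower() == "explore.exe":
                hits.append((section, cmd))
    return hits


def classify_file(data):
    """'match' if the MD5 agrees with the advisory; 'size-only' if just the
    210432-byte size agrees (worth a look, as variants are suspected)."""
    if hashlib.md5(data).hexdigest() == EXPLOREZIP_MD5:
        return "match"
    return "size-only" if len(data) == EXPLOREZIP_SIZE else "clean"


# Constructed sample inputs, not captured from a real infected host.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\Explore.exe\n"
SAMPLE_REG_EXPORT = (
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows]\n"
    '"run"="c:\\\\winnt\\\\system32\\\\explore.exe"\n'
)

if __name__ == "__main__":
    print(find_run_persistence(SAMPLE_WIN_INI))
    print(find_run_persistence(SAMPLE_REG_EXPORT))
    print(classify_file(b"\0" * EXPLOREZIP_SIZE))  # size-only
```

On a real host the text would come from WIN.INI or from a REGEDIT export of the named key; the constructed samples only let the check run offline.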