S-99-15.asc

Posted Jan 10, 2000

Subject | CA-99-06 ExploreZip Trojan Horse Program
Date | 14-Jun-99

tags | trojan
SHA-256 | 9b4aa3b1e429d10da25630acab44397c28c67b8ba21c2b2d467c824a36c95c4c

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>> CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl. Links <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>> <<
>> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the <<
>> complete CERT-CC advisory texts: http://www.cert.org <<
===============================================================================
===============================================================================
Security Advisory CERT-NL
===============================================================================
Author/Source : Xander Jansen                      Index  : S-99-15
Distribution  : World                              Page   : 1
Classification: External                           Version: 2
Subject       : CA-99-06 ExploreZip Trojan Horse Program    Date : 14-Jun-99
===============================================================================

Attention!! This bulletin has been updated!

By courtesy of CERT Coordination Center we received information about a new
trojan horse/worm that is currently being distributed, and is propagating
itself, through email attachments. This malicious trojan horse/worm can
potentially destroy files on Windows 95, Windows 98 and Windows NT systems
and, by spreading itself through email, can potentially cause performance
problems on mail handling systems.

A full description of the way the trojan horse/worm is distributed and what
can be done to prevent the spreading and execution of the program is
attached below in the full text of the CERT/CC advisory.

CERT-NL recommends updating your virus scanners. Most vendors of virus
scanners have updates available on their websites that can detect this new
trojan horse/worm. See below for a list of URLs. Furthermore, DO NOT
open/run email attachments called zipped_files.exe, even if they appear to
come from someone you know.

The full text of the CERT/CC advisory is included below. CERT Coordination
Center advisories are also mirrored by CERT-NL. The specific URL for this
case is:

> ftp://ftp.surfnet.nl/surfnet/net-security/cert-cc-mirror/cert_advisories/CA-99-06-explorezip.txt

More information about the CERT-NL mirror and notifier services is
contained in News items N-95-01 (notifier) and N-95-02 (CERT mirror),
both present on ftp://ftp.surfnet.nl/surfnet/net-security/cert-nl/docs/news/

===============================================================================

CERT Advisory CA-99-06-explorezip

Original issue date: Thursday June 10, 1999
Last Revised Date: June 14, 1999
Added information about the program's self-propagation via networked
shares; also updated anti-virus vendor URLs.

Source: CERT/CC

Note: The CERT Coordination Center has discovered new information
regarding the ExploreZip worm. This re-issue of CERT Advisory CA-99-06
contains new information regarding an additional means by which the
worm can spread, and a caution about disinfecting your systems. We
will continue to update this advisory as new information is
discovered. We encourage you to check our web site frequently for any
new information.

Systems Affected

* Machines running Windows 95, Windows 98, or Windows NT.
* Machines with filesystems and/or shares that are writable by a
user of an infected system.
* Any mail handling system could experience performance problems or
a denial of service as a result of the propagation of this Trojan
horse program.

Overview

The CERT Coordination Center continues to receive reports and
inquiries regarding various forms of malicious executable files that
are propagated as file attachments in electronic mail.

During the second week of June 1999, the CERT/CC began receiving
reports of sites affected by ExploreZip, a Trojan horse/worm program
that affects Windows systems and has propagated in email attachments.
The number and variety of reports we have received indicate that this
has the potential to be a widespread attack affecting a variety of
sites.

I. Description

Our original analysis indicated that the ExploreZip program is a
Trojan horse, since it initially requires a victim to open or run an
email attachment in order for the program to install a copy of itself
and enable further propagation. Further analysis has shown that, once
installed, the program may also behave as a worm, and it may be able
to propagate itself, without any human interaction, to other networked
machines that have certain writable shares.

The ExploreZip Trojan horse has been propagated between users in the
form of email messages containing an attached file named
zipped_files.exe. Some email programs may display this attachment
with a "WinZip" icon. The body of the email message usually appears to
come from a known email correspondent, and typically contains the
following text:

I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.

The subject line of the message may not be predictable and may appear
to be sent in reply to previous email.

Opening the zipped_files.exe file causes the program to execute. It is
possible under some mailer configurations that a user might
automatically open a malicious file received in the form of an email
attachment. When the program is run, an error message is displayed:

Cannot open file: it does not appear to be a valid archive. If this
file is part of a ZIP format backup set, insert the last disk
of the backup set and try again. Please press F1 for help.

Destruction of files

* The program searches local and networked drives (drive letters C
through Z) for specific file types and attempts to erase the
contents of the files, leaving a zero byte file. The targets may
include Microsoft Office files, such as .doc, .xls, and .ppt, and
various source code files, such as .c, .cpp, .h, and .asm.
* The program may also be able to delete files that are writable to
it via SMB/CIFS file sharing. The program appears to look through
the network neighborhood and delete any files that are shared and
writable, even if those shares are not mapped to networked drives
on the infected computer.
* The program appears to continually delete the contents of targeted
files on any mapped networked drives.

The program does not appear to delete files with the "hidden" or
"system" attribute, regardless of their extension.

System modifications

* The zipped_files.exe program creates a copy of itself in a file
called explore.exe in the following location(s):

On Windows 98 - C:\WINDOWS\SYSTEM\Explore.exe
On Windows NT - C:\WINNT\System32\Explore.exe

This explore.exe file is an identical copy of the zipped_files.exe
Trojan horse, and the file size is 210432 bytes.
MD5 (Explore.exe) = 0e10993050e5ed199e90f7372259e44b
* On Windows 98 systems, the zipped_files.exe program creates an
entry in the WIN.INI file:

run=C:\WINDOWS\SYSTEM\Explore.exe

On Windows NT systems, an entry is made in the system registry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
run = "C:\WINNT\System32\Explore.exe"

Propagation via file sharing

Once explore.exe is running, it takes the following steps to propagate
to other systems via file sharing:

* Each time the program is executed, the program will search the
network for all shares that contain a WIN.INI file with a valid
"[windows]" section in the file.
* For each such share that it finds, the program will attempt to
+ copy itself to a file named _setup.exe on that share
+ modify the WIN.INI file on that share by adding the entry
"run=_setup.exe"
The account running the program on the original infected machine
needs to have permission to write to the second victim's shared
directory. (That is, no vulnerabilities are being exploited in
order for the program to spread in this manner.)
The _setup.exe file is identical to the zipped_files.exe and
explore.exe files on the original infected machine.
* The original infected system will continue to scan shares that
have been mapped to a local drive letter containing a valid
WIN.INI file. For each such share that is found, the program will
"re-infect" the victim system as described above.

On Windows 98 systems that have a "run=_setup.exe" entry in the
WIN.INI file (as described previously), the C:\WINDOWS\_setup.exe
program is executed automatically whenever a user logs in. On Windows
NT systems, a "run=_setup.exe" entry in the WIN.INI file does not
appear to cause the program to be executed automatically.

When run as _setup.exe, the program will attempt to

* make another copy of itself in C:\WINDOWS\SYSTEM\Explore.exe
* modify the WIN.INI file again by replacing the "run=_setup.exe"
entry with "run=C:\WINDOWS\SYSTEM\Explore.exe"

Note that when the program is run as _setup.exe, it configures the
system to later run as explore.exe. But when run as explore.exe, it
attempts to infect shares with valid WIN.INI files by configuring
those files to run _setup.exe. Since this infection process includes
local shares, affected systems may exhibit a "ping pong" behavior in
which the infected host alternates between the two states.
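The WIN.INI and file indicators in the "System modifications" and "Propagation via file sharing" sections above can be checked mechanically on a host or on a share's contents. This is an added example, not code from the CERT/CC or CERT-NL advisory, written in Python; the WIN.INI samples are constructed, while the file names, size and MD5 are the values the advisory quotes. The Windows NT registry `run` value is not covered by this check.

```python
import hashlib
import re

# Indicators quoted in CA-99-06: the dropped file's size and MD5, and the
# two file names the worm writes into a [windows] run= entry.
KNOWN_MD5 = "0e10993050e5ed199e90f7372259e44b"
KNOWN_SIZE = 210432
SUSPECT_RUN_TARGETS = ("_setup.exe", "explore.exe")


def parse_win_ini(text):
    """Minimal INI parser: {section: {key: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip().strip('"')
    return sections


def suspicious_run_entries(ini_text):
    """Return the run= items under [windows] whose base name is one the
    advisory associates with the worm (_setup.exe on a share, Explore.exe
    on the infected host). An empty list means no match, not a clean host."""
    run = parse_win_ini(ini_text).get("windows", {}).get("run", "")
    hits = []
    for item in re.split(r"[,\s]+", run):
        base = item.lower().rsplit("\\", 1)[-1]
        if base in SUSPECT_RUN_TARGETS:
            hits.append(item)
    return hits


def matches_known_sample(data):
    """True if a file's bytes have the size and MD5 given for Explore.exe."""
    return len(data) == KNOWN_SIZE and hashlib.md5(data).hexdigest() == KNOWN_MD5


def check_file(path):
    """Convenience wrapper for a file on disk (e.g. a share's _setup.exe)."""
    with open(path, "rb") as fh:
        return matches_known_sample(fh.read())


# Constructed samples: an infected Windows 98 host, a share the worm has
# written to, and a clean WIN.INI. None of these are real worm files.
INFECTED_HOST_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\Explore.exe\n[Desktop]\nWallpaper=(None)\n"
INFECTED_SHARE_WIN_INI = "[windows]\nrun=_setup.exe\n"
CLEAN_WIN_INI = "[windows]\nrun=\nload=\n"

if __name__ == "__main__":
    for label, ini in (("host", INFECTED_HOST_WIN_INI),
                       ("share", INFECTED_SHARE_WIN_INI),
                       ("clean", CLEAN_WIN_INI)):
        print(label, suspicious_run_entries(ini))
```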

Propagation via email

The program propagates by replying to any new email that is received
by the infected computer. The reply messages are similar to the
original email described above, each containing another copy of the
zipped_files.exe attachment.
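Because the lure described in Section I is fixed (the attachment name and the body text), a mail gateway can quarantine matching messages before a user sees them. This is an added example, not part of the advisory, written in Python with the standard library's email package; the message is constructed here and the attachment bytes are harmless filler, not the worm.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure characteristics quoted in CA-99-06 section I.
BLOCKED_ATTACHMENT = "zipped_files.exe"
LURE_PHRASES = (
    "i received your email and i shall send you a reply asap",
    "take a look at the attached zipped docs",
)


def build_sample_message():
    """Constructed look-alike of the worm's mail; the attachment is filler."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Re: your message"
    msg.set_content(
        "I received your email and I shall send you a reply ASAP.\n"
        "Till then, take a look at the attached zipped docs.\n"
    )
    msg.add_attachment(b"not an executable", maintype="application",
                       subtype="octet-stream", filename="Zipped_Files.EXE")
    return msg.as_bytes()


def classify(raw_message):
    """Return the list of reasons to quarantine; empty means no ExploreZip
    indicator was found. An attachment-name match alone is enough to block;
    the lure text is a secondary, weaker signal."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    for part in msg.walk():
        name = part.get_filename()
        # Case-insensitive: mailers and the worm may vary the letter case.
        if name and name.lower() == BLOCKED_ATTACHMENT:
            reasons.append("attachment named " + name)
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text = body.get_content().lower()
        for phrase in LURE_PHRASES:
            if phrase in text:
                reasons.append("lure text: " + phrase)
    return reasons


if __name__ == "__main__":
    print(classify(build_sample_message()))
```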

We will continue to update this advisory with more specific
information as we are able to confirm details. Please check the
CERT/CC web site for the current version containing a complete
revision history.

II. Impact

* Users who execute the zipped_files.exe Trojan horse will infect
the host system, potentially causing targeted files to be
destroyed.
* Users who execute the Trojan horse may also infect other networked
systems that have writable shares.
* Because of the large amount of network traffic generated by
infected machines, network performance may suffer.
* Indirectly, this Trojan horse could cause a denial of service on
mail servers. Several large sites have reported performance
problems with their mail servers as a result of the propagation of
this Trojan horse.

III. Solution

Use virus scanners

While many anti-virus products are able to detect and remove the
executables locally, because of the continuous re-infection process,
simply removing all copies of the program from an infected system may
leave your system open to re-infection at a later time, perhaps
immediately. To prevent re-infection, you must not serve any shares
containing a WIN.INI file to any potentially infected machines. If you
share files with everyone in your domain, then you must disable shares
with WIN.INI files until every machine on your network has been
disinfected.

In order to detect and clean current viruses, you must keep your
scanning tools up to date with the latest definition files. Please see
the following anti-virus vendor resources for more information about
the characteristics and removal techniques for the malicious file
known as ExploreZip.

Aladdin Knowledge Systems, Inc.
http://www.esafe.com/vcenter/explore.html

Central Command
http://www.avp.com/zippedfiles/zippedfiles.html

Command Software Systems, Inc
http://www.commandcom.com/html/virus/explorezip.html

Computer Associates
http://www.cai.com/virusinfo/virusalert.htm

Data Fellows
http://www.datafellows.com/news/pr/eng/19990610.htm

McAfee, Inc. (a Network Associates company)
http://www.mcafee.com/viruses/explorezip/default.asp

Network Associates Incorporated
http://www.avertlabs.com/public/datafiles/valerts/vinfo/va10185.asp

Sophos, Incorporated
http://www.sophos.com/downloads/ide/index.html#explorez

Symantec
http://www.symantec.com/avcenter/venc/data/worm.explore.zip.html

Trend Micro Incorporated
http://www.antivirus.com/vinfo/alerts.htm

Additional sources of virus information are listed at

http://www.cert.org/other_sources/viruses.html

Additional suggestions

* Blocking Netbios traffic at your network border may help prevent
propagation via shares from outside your network perimeter.
* Disable file serving on workstations. You will not be able to
share your files with other computers, but you will be able to
browse and get files from servers. This will prevent your
workstation from being infected via file sharing propagation.
* Maintain a regular, off-line, backup cycle.

General protection from email Trojan horses and viruses

Some previous examples of malicious files known to have propagated
through electronic mail include
* False upgrade to Internet Explorer - discussed in CA-99-02
http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html
* Melissa macro virus - discussed in CA-99-04
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
* Happy99.exe Trojan Horse - discussed in IN-99-02
http://www.cert.org/incident_notes/IN-99-02.html
* CIH/Chernobyl virus - discussed in IN-99-03
http://www.cert.org/incident_notes/IN-99-03.html

In each of the above cases, the effects of the malicious file are
activated only when the file in question is executed. Social
engineering is typically employed to trick a recipient into executing
the malicious file. Some of the social engineering techniques we have
seen used include
* Making false claims that a file attachment contains a software
patch or update
* Implying or using entertaining content to entice a user into
executing a malicious file
* Using email delivery techniques which cause the message to appear
to have come from a familiar or trusted source
* Packaging malicious files in deceptively familiar ways (e.g., use
of familiar but deceptive program icons or file names)

The best advice with regard to malicious files is to avoid executing
them in the first place. CERT advisory CA-99-02 discusses Trojan
horses and offers suggestions to avoid them (please see Section V).

http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-99-06-explorezip.html.
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site http://www.cert.org/.

To be added to our mailing list for advisories and bulletins, send
email to cert-advisory-request@cert.org and include SUBSCRIBE
your-email-address in the subject of your message.

Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be
found in http://www.cert.org/legal_stuff.html.

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office
______________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.

Revision History

June 10, 1999: Initial release
June 11, 1999: Added information about the appearance of the attached file
Added information from Aladdin Knowledge Systems, Inc.
June 14, 1999: Added information about the program's self-propagation via
networked shares; also updated anti-virus vendor URLs
==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS
Phone: +31 302 305 305 BUSINESS HOURS ONLY
Fax: +31 302 305 329 BUSINESS HOURS ONLY
Snailmail: SURFnet bv
Attn. CERT-NL
P.O. Box 19035
NL - 3501 DA UTRECHT
The Netherlands

EMERGENCIES (national) : 06 22 92 35 64 ATTENDED AT ALL TIMES
EMERGENCIES (international): +31 6 22 92 35 64 ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6IqDSYjBqwfc9jEQJU6QCg+d1FCvFbnqc3ZkXTWW8pM7GXGuMAoKPw
mpzOPEY7gO0BGQSuGgDdOzSR
=BFSC
-----END PGP SIGNATURE-----