Countering New Wrapper Viruses
London, UK, 01:00 GMT 14th June 1999 - Worm Virus ExploreZip, a data
destruction virus with a Zip 'benign' wrapper around it has spread swiftly
on a global scale. "It is the first of many
wrapper based viruses, which can be dealt with early using a preventive security
architecture, middleware and proper man-machine procedures",
according to mi2g's Security Intelligence Products & Systems (SIPS)
The Worm virus ExploreZip, Melissa and Chernobyl are only the tip of the
iceburg. New and far more dangerous viruses are already being developed. As
an example, there is an entire breed of viruses that can move system clocks
forward or backward, thereby bringing the effects of the millennium bug early
or crashing invoicing systems. Also the disguise of wrapper delivery is going
to be a real threat in the coming months, whereby a benign wrapper, such as
a Graphic (jpeg or gif) or working document (txt, xls or doc), could be actually
delivering a lethal virus. Wrapper programs can be written in a sophisticated
way so that they are undetected for days or weeks while they spread through
a corporation's network before being activated by a remote signal. Therefore,
the first indication an IT Manager will have of a viral attack of this sort,
will be widespread damage within the organisation.
"Having developed and perfected counter terrorism
techniques for internet communities over the last three years, we know that
the bespoke security architecture and customised middleware needed to deal
with sophisticated viruses has not been understood, let alone installed, in
most corporations. Regrettably, the primary cause of this delay is lack of
appreciation at board level about the threat the internet is posing to business.
When a self-inoculation architecture is in place, the paralysis, which now
seems to come about in large corporations every time a sophisticated virus
hits them, will begin to recede." said DK Matai, Managing
Data recovery may take several days or may not be possible in all cases of
the new viral attacks. If data recovery is not an issue, because backup is
available, the safest method of cleaning the machine(s) is to reformat the
hard disk and reinstall the operating system and software applications.
"Until a corporation has deployed a foolproof
preventive security architecture, anti-virus computer security relies heavily
upon procedures, both human and machine based. Personnel need to be made fully
aware that they are risking business continuity by not adhering to established
e-mail guidelines for deleting messages with suspicious attachments from known
sources and all messages from unknown sources. Customised middleware must
also be installed to halt executables other than a trusted set of applications
like a word processor and spread sheet." added DK Matai.
1. 1999 is the year that is expected to end up with potentially the
biggest computer bug "Y2k" of all time and it has already seen three
major computer outbreaks in the first six months - Melissa, Chernobyl and
2. MELISSA - This computer virus struck at the end of March. It was
the fastest-spreading virus ever seen. It attacked over 100,000 computers
in less than a week. Sent via e-mail, it took control of Microsoft Outlook
address books and secretively sent up to 50 e-mail messages to various locations.
Melissa was just inconvenient. It blocked network capacity but caused no data
damage or destruction.
3. CHERNOBYL - Also known as CIH virus, it was timed to go off on
April 26th, the 13th anniversary of the Chernobyl nuclear disaster. The virus
overwrote the data on a target computer's hard drive, rendering it inoperable.
Deadly to computers, it was not as widespread as Melissa in Western countries
but caused severe disruption in Asia.
4. EXPLOREZIP - ExploreZip has the speed of Melissa and the destruction
capability of Chernobyl. If an e-mail message is received with a zipped file
attachment zipped_files.exe the message should be deleted. Organisations attacked
will have files damaged or destroyed. If the attachment is opened, the virus
will destroy any file including Word, Excel and Powerpoint as well as files
with the extension .h, .c, .cpp and .asm on the hard drive. The infected machine
should be taken off the network immediately because the Worm also searches
the mapped drives within the network for Windows Installations to modify the
initialisation and registry files. ExploreZip appears to begin by attacking
Microsoft based software only.
5. Y2K - The infections so far in 1999 could be an early dress rehearsal
for the widespread problems expected when some computers, embedded processors
and networks will be unable to distinguish the "00" in the year
2000 change. This is expected to cause widespread, costly damage to computer
systems and disruption to business activities.