
Hi all, please take care:
----


CERT Advisory CA-99-06 ExploreZip Trojan Horse Program

   Original issue date: Thursday June 10, 1999
   Source: CERT/CC

Systems Affected

     * Machines running Windows 95, Windows 98, or Windows NT.
     * Any mail handling system could experience performance problems
       or a denial of service as a result of the propagation of this
       Trojan horse program.

Overview

   The CERT Coordination Center continues to receive reports and
   inquiries regarding various forms of malicious executable files
   that are propagated as file attachments in electronic mail.

   Most recently, the CERT/CC has received reports of sites affected
   by ExploreZip, a Windows Trojan horse program.

I. Description

   The CERT/CC has received reports of a Trojan horse program that is
   propagating in email attachments. This program is called ExploreZip.
   The number and variety of reports we have received indicate that
   this has the potential to be a widespread attack affecting a variety
   of sites.

   Our analysis indicates that this Trojan horse program requires the
   victim to run the attached zipped_files.exe program in order to
   install a copy of itself and enable propagation.

   Based on reports we have received, systems running Windows 95,
   Windows 98, and Windows NT are the target platforms for this Trojan
   horse program. It is possible that under some mailer configurations
   a user might automatically open a malicious file received in the
   form of an email attachment. This program is not known to exploit
   any new vulnerabilities. While the primary transport mechanism of
   this program is email, any way of transferring files can also
   propagate the program.

   The ExploreZip Trojan horse has been propagated in the form of email
   messages containing the file zipped_files.exe as an attachment. The
   body of the email message usually appears to come from a known email
   correspondent, and may contain the following text:

          I received your email and I shall send you a reply ASAP.
          Till then, take a look at the attached zipped docs.

   The subject line of the message may not be predictable and may
   appear to be sent in reply to previous email.
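
   The message pattern above is enough for a mail gateway to quarantine
   on. The following is an added example, not part of the CERT advisory
   and not any real gateway product: it parses an RFC 822 message and
   reports which of the advisory's indicators it shows (the
   zipped_files.exe attachment name, the canned body text, the 210432
   byte size and MD5 of the explore.exe copy). The addresses, function
   names and the sample message are constructed assumptions; the
   attachment in the sample is placeholder bytes, not the Trojan.

```python
"""Mail-gateway check for the ExploreZip propagation pattern.

Added example, not from the CERT advisory or any real gateway product. The
indicator values (attachment name zipped_files.exe, the canned body text,
the 210432-byte size and MD5 of the explore.exe copy) come from the advisory;
the addresses, function names and sample bytes are assumptions.
"""
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

ATTACHMENT_NAME = "zipped_files.exe"
BODY_PHRASE = "take a look at the attached zipped docs"
KNOWN_MD5 = "0e10993050e5ed199e90f7372259e44b"
KNOWN_SIZE = 210432


def message_indicators(msg):
    """Return the list of ExploreZip indicators present in a parsed message.
    The list is empty for a message that shows none of them."""
    reasons = []
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_PHRASE in body.get_content().lower():
        reasons.append("canned body text")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name == ATTACHMENT_NAME:
            reasons.append("zipped_files.exe attachment")
        elif name.endswith(".exe"):
            reasons.append("other .exe attachment")
        # Name-independent checks: a renamed copy still has an MZ header,
        # and an unmodified copy still matches the advisory's size and hash.
        if data[:2] == b"MZ":
            reasons.append("MZ header in attachment")
        if len(data) == KNOWN_SIZE and hashlib.md5(data).hexdigest() == KNOWN_MD5:
            reasons.append("advisory MD5 match")
    return reasons


def scan_raw_message(raw):
    """Gateway entry point: parse an RFC 822 message from bytes and score it."""
    return message_indicators(message_from_bytes(raw, policy=policy.default))


def build_sample_message():
    """Constructed sample resembling the advisory's description; not a real
    capture, and the attachment is placeholder bytes, not the Trojan."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"  # assumed sender
    msg["To"] = "victim@example.com"       # assumed recipient
    msg["Subject"] = "Re: project status"  # advisory: subject is unpredictable
    msg.set_content(
        "I received your email and I shall send you a reply ASAP.\n"
        "Till then, take a look at the attached zipped docs.\n"
    )
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename=ATTACHMENT_NAME)
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_raw_message(build_sample_message()))
```

   The hash and MZ-header checks are there because the advisory notes
   that variants may exist and that any file transfer can carry the
   program: a gateway that keys only on the filename misses a renamed
   copy, while one that blocks every MZ attachment catches it at the
   cost of legitimate executables.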

   Opening the zipped_files.exe file causes the program to execute. At
   this time, there is conflicting information about the exact actions
   taken by zipped_files.exe when executed. One possible reason for the
   conflicting information may be that there are multiple variations of
   the program being propagated, although we have not confirmed this
   one way or the other. Currently, we have the following general
   information on actions taken by the program.

     * The program searches local and networked drives (drive letters C
       through Z) for specific file types and attempts to erase the
       contents of the files, leaving a zero byte file. The targets may
       include Microsoft Office files, such as .doc, .xls, and .ppt, and
       various source code files, such as .c, .cpp, .h, and .asm.

     * The program propagates by replying to any new email that is
       received by an infected computer. A copy of zipped_files.exe is
       attached to the reply message.

     * The program creates an entry in the Windows 95/98 WIN.INI file:

       run=C:\WINDOWS\SYSTEM\Explore.exe

       On Windows NT systems, an entry is made in the system registry:

       [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
       run = "c:\winnt\system32\explore.exe"

     * The program creates a file called explore.exe in the following
       locations:

       Windows 95/98 - c:\windows\system\explore.exe
       Windows NT - c:\winnt\system32\explore.exe

       This file is a copy of the zipped_files.exe Trojan horse, and the
       file size is 210432 bytes.

       MD5 (Explore.exe) = 0e10993050e5ed199e90f7372259e44b
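
   The host-side indicators in the list above can be checked without a
   scanner signature. The following is an added example, not part of
   the CERT advisory: it parses the run= entry from WIN.INI text,
   compares a candidate explore.exe against the advisory's size and
   MD5, and walks a directory tree for zero-byte files with the
   targeted extensions (the damage signature, and the list to restore
   from backup). The indicator values come from the advisory; the
   function names, the temporary directory layout and the sample files
   are constructed assumptions, and the sample explore.exe is
   placeholder bytes, so its hash check is expected to fail.

```python
"""Host-side triage for the ExploreZip indicators.

Added example, not from the CERT advisory. The indicator values (WIN.INI
run= entry, 210432-byte size, MD5, targeted extensions) come from the
advisory; the helper names and the sample directory are assumptions.
"""
import hashlib
import os
import tempfile

KNOWN_MD5 = "0e10993050e5ed199e90f7372259e44b"
KNOWN_SIZE = 210432
TARGET_EXTENSIONS = {".doc", ".xls", ".ppt", ".c", ".cpp", ".h", ".asm"}


def win_ini_run_entry(text):
    """Return the value of run= in the [windows] section of WIN.INI text, or
    None if absent. Parsed by hand: keys are case-insensitive and the file
    can contain lines a strict INI parser rejects."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "run":
                return value.strip()
    return None


def explore_exe_matches(path):
    """True when the file at path has the size and MD5 the advisory reports."""
    try:
        if os.path.getsize(path) != KNOWN_SIZE:
            return False
        with open(path, "rb") as f:
            return hashlib.md5(f.read()).hexdigest() == KNOWN_MD5
    except OSError:
        return False


def zeroed_targets(root):
    """Zero-byte files under root whose extension is one the Trojan targets."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in TARGET_EXTENSIONS and os.path.getsize(full) == 0:
                hits.append(full)
    return sorted(hits)


def triage(win_ini_text, explore_path, data_root):
    """Combine the three checks into one report."""
    run = win_ini_run_entry(win_ini_text)
    return {
        "run_entry": run,
        "run_points_at_explore": bool(run) and run.lower().endswith("explore.exe"),
        "explore_exe_present": os.path.isfile(explore_path),
        "explore_exe_hash_match": explore_exe_matches(explore_path),
        "zeroed_files": zeroed_targets(data_root),
    }


def build_sample_tree():
    """Constructed mock of an infected Windows 95/98 machine in a temp dir."""
    root = tempfile.mkdtemp(prefix="explorezip_")
    docs = os.path.join(root, "My Documents")
    os.makedirs(docs)
    for name in ("budget.xls", "report.doc", "main.c", "notes.txt"):
        open(os.path.join(docs, name), "wb").close()   # zeroed by the Trojan
    with open(os.path.join(docs, "readme.doc"), "wb") as f:
        f.write(b"intact content")                     # untouched file
    explore = os.path.join(root, "explore.exe")
    with open(explore, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)                   # placeholder, not the Trojan
    win_ini = ("[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\Explore.exe\n"
               "[Desktop]\nWallpaper=(None)\n")
    return root, explore, win_ini


if __name__ == "__main__":
    sample_root, sample_explore, sample_ini = build_sample_tree()
    print(triage(sample_ini, sample_explore, sample_root))
```

   On Windows NT the equivalent persistence check reads the run value
   under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
   named in the advisory (the winreg module can do this on a live
   system); it is left out here so the example runs offline. A hash
   mismatch on a present explore.exe is worth reporting rather than
   ignoring, since the advisory says variants may be circulating.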

   We will update this advisory with more specific information as we
   are able to confirm details. Please check the CERT/CC web site for
   the current version containing a complete revision history.

II. Impact

     * Users who execute the zipped_files.exe Trojan horse will infect
       the host system, potentially causing targeted files to be
       destroyed.
     * Indirectly, this Trojan horse could cause a denial of service on
       mail servers. Several large sites have reported performance
       problems with their mail servers as a result of the propagation
       of this Trojan horse.

III. Solution

Use virus scanners

   In order to detect and clean current viruses you must keep your
   scanning tools up to date with the latest definition files.

--
Cheers,
   +----| Joao Paulo de Carvalho   |------ +
   |         [log in to unmask]     |
   +--------| Salvador-Bahia-Brazil |------+