Date: Thu, 10 Jun 1999 22:30:25 -0500
From: Simple Nomad
To: BUGTRAQ@netspace.org
Subject: Info on Worm.ExploreZip

Info on Worm.ExploreZip:

I'm in the process of cleanup - my day job employer got hit, and we're NT with no 95/98 to speak of. Here are some interesting tidbits that I haven't seen on some of the commercial Anti-Virus web sites regarding NT.

Payload:

- The trojan can come into any email client, obviously. If executed, it will proceed to go active in memory. In other words, you do not need Outlook for the Payload to activate, just a Win32 machine. A Notes mail client user probably did the most damage in our environment to network NT file servers.
- It will have a process running called _setup.exe, zipped_f.exe, and possibly explore.exe.
- One of our users reported seeing explore.exe running as an application, although I wasn't able to confirm this.
- It deletes files with *.h, *.c, *.cpp, *.asm, *.doc, *.xls, and *.ppt extensions on all drives (C through Z) that are currently mapped.
- Every few minutes it will repeat the deletion process. This is particularly nasty if you are trying to do restores to network drives while the virus is still active in your environment.

Propagation:

- On the Melissa-style method of propagation, it checks the user's Inbox in Outlook. The Outlook client does not have to be running, as the trojan uses MAPI calls.
- Propagation is triggered by the arrival of a new message into Outlook's Inbox.
- Once triggered, the virus takes the first two names in the header and uses them to plug into the text of the message. If more than one user name is in the message header (possible if you are using distribution lists or role-based mail boxes that forward mail to multiple people) it is possible the names will not be in the correct order. Also, if you use Lastname, Firstname as a naming convention you will get "Lastname," plugged into the messages.
- It creates the message with the names and attaches the trojan, naming it zipped_files.exe with the happy message as reported on most Anti-Virus vendor sites.
- In other words, if you send an email to billg@microsoft.com with a subject of "Microsoft Sucks", he's infected and his machine is up and running, you will get a reply with a subject of "Re: Microsoft Sucks" with the attachment. I mean he says he'll get back with you and to read the attached zipped docs, and you, being Joe/Josey corporate user, check it out. False message saying it's a corrupt zip, blah, blah, blah, and now you're sending out trojans.

We got hit when email was sent to some engineers at Microsoft, and the reply came back with the trojan. The nature of the email sent to Microsoft was "where is the info we requested" so it seemed natural that the attachment was supposed to be a self-extracting zip. That's right, Microsoft got hit, so I would guess a few source code files and Office docs were wiped. Hopefully as Microsoft starts the slow process of restoring Office docs and source code (!) they will discover what the rest of us have known all along -- the security model is less than ideal (which is, um, an understatement).

Another interesting note: the APIs that the Exchange Anti-Virus vendors use to scan Exchange mailstores only scan messages inbound to the mailstore. This means that outbound messages are not scanned. We had an affected machine that replied to messages from the Internet with the trojan attachment, as our Exchange outbound goes straight to a Unix machine on its way to the Internet. Fortunately we had a process running on the Unix box to catch inbound and outbound email with attachments named zipped_files.exe and it was stopped, but this was why we saw our Exchange AntiVirus *not* catch the message. Why do the Anti-Virus vendors only use APIs that catch inbound messages? Because that is all Microsoft has given them. Most of the vendors have really been pressuring Microsoft to release info about coding to check for outbound messages.

Final tidbits (sorry if this message isn't very coherent, it's late and I've been up a long time): the trojan was written using Borland Delphi, and was possibly compiled on April 14, 1999. Obviously the virus writer got the idea for the propagation method from Melissa, and one can only wonder what the next worm/trojan/virus will do.

Simple Nomad // thegnome@nmrc.org // ....no rest for the Wicca'd.... www.nmrc.org //

----------------------------------------------------------------------------

Date: Thu, 10 Jun 1999 23:58:21 -0400
From: CERT Advisory
Reply-To: cert-advisory-request@cert.org
To: cert-advisory@coal.cert.org
Subject: CERT Advisory CA-99.06 - ExploreZip Trojan Horse Program

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-99-06 ExploreZip Trojan Horse Program

Original issue date: Thursday June 10, 1999
Source: CERT/CC

Systems Affected

* Machines running Windows 95, Windows 98, or Windows NT.
* Any mail handling system could experience performance problems or a denial of service as a result of the propagation of this Trojan horse program.

Overview

The CERT Coordination Center continues to receive reports and inquiries regarding various forms of malicious executable files that are propagated as file attachments in electronic mail. Most recently, the CERT/CC has received reports of sites affected by ExploreZip, a Windows Trojan horse program.

I. Description

The CERT/CC has received reports of a Trojan horse program that is propagating in email attachments. This program is called ExploreZip. The number and variety of reports we have received indicate that this has the potential to be a widespread attack affecting a variety of sites. Our analysis indicates that this Trojan horse program requires the victim to run the attached zipped_files.exe program in order to install a copy of itself and enable propagation.

Based on reports we have received, systems running Windows 95, Windows 98, and Windows NT are the target platforms for this Trojan horse program. It is possible that under some mailer configurations, a user might automatically open a malicious file received in the form of an email attachment. This program is not known to exploit any new vulnerabilities. While the primary transport mechanism of this program is via email, any way of transferring files can also propagate the program.

The ExploreZip Trojan horse has been propagated in the form of email messages containing the file zipped_files.exe as an attachment. The body of the email message usually appears to come from a known email correspondent, and may contain the following text:

    I received your email and I shall send you a reply ASAP.
    Till then, take a look at the attached zipped docs.

The subject line of the message may not be predictable and may appear to be sent in reply to previous email.

Opening the zipped_files.exe file causes the program to execute. At this time, there is conflicting information about the exact actions taken by zipped_files.exe when executed. One possible reason for conflicting information may be that there are multiple variations of the program being propagated, although we have not confirmed this one way or the other. Currently, we have the following general information on actions taken by the program.

* The program searches local and networked drives (drive letters C through Z) for specific file types and attempts to erase the contents of the files, leaving a zero-byte file. The targets may include Microsoft Office files, such as .doc, .xls, and .ppt, and various source code files, such as .c, .cpp, .h, and .asm.
* The program propagates by replying to any new email that is received by an infected computer. A copy of zipped_files.exe is attached to the reply message.
* The program creates an entry in the Windows 95/98 WIN.INI file:

      run=C:\WINDOWS\SYSTEM\Explore.exe

  On Windows NT systems, an entry is made in the system registry:

      [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
      run = "c:\winnt\system32\explore.exe"

* The program creates a file called explore.exe in the following locations:

      Windows 95/98 - c:\windows\system\explore.exe
      Windows NT    - c:\winnt\system32\explore.exe

  This file is a copy of the zipped_files.exe Trojan horse, and the file size is 210432 bytes.

      MD5 (Explore.exe) = 0e10993050e5ed199e90f7372259e44b

We will update this advisory with more specific information as we are able to confirm details. Please check the CERT/CC web site for the current version containing a complete revision history.

II. Impact

* Users who execute the zipped_files.exe Trojan horse will infect the host system, potentially causing targeted files to be destroyed.
* Indirectly, this Trojan horse could cause a denial of service on mail servers. Several large sites have reported performance problems with their mail servers as a result of the propagation of this Trojan horse.

III. Solution

Use virus scanners

In order to detect and clean current viruses you must keep your scanning tools up to date with the latest definition files. Please see the following anti-virus vendor resources for more information about the characteristics and removal techniques for the malicious file known as ExploreZip.

Central Command
    http://www.avp.com/upgrade/upgrade.html

Command Software Systems, Inc
    http://www.commandcom.com/html/virus/explorezip.html

Computer Associates
    http://support.cai.com/Download/virussig.html

Data Fellows
    http://www.datafellows.com/news/pr/eng/19990610.htm

McAfee, Inc. (a Network Associates company)
    http://www.mcafee.com/viruses/explorezip/protecting_yourself.asp

Network Associates Incorporated
    http://www.avertlabs.com/public/datafiles/valerts/vinfo/va10185.asp

Sophos, Incorporated
    http://www.sophos.com/downloads/ide/index.html#explorez

Symantec
    http://www.sarc.com/avcenter/download.html

Trend Micro Incorporated
    http://www.antivirus.com/download/pattern.htm

General protection from email Trojan horses and viruses

Some previous examples of malicious files known to have propagated through electronic mail include

* False upgrade to Internet Explorer - discussed in CA-99-02
  http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html
* Melissa macro virus - discussed in CA-99-04
  http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
* Happy99.exe Trojan Horse - discussed in IN-99-02
  http://www.cert.org/incident_notes/IN-99-02.html
* CIH/Chernobyl virus - discussed in IN-99-03
  http://www.cert.org/incident_notes/IN-99-03.html

In each of the above cases, the effects of the malicious file are activated only when the file in question is executed. Social engineering is typically employed to trick a recipient into executing the malicious file. Some of the social engineering techniques we have seen used include

* Making false claims that a file attachment contains a software patch or update
* Implying or using entertaining content to entice a user into executing a malicious file
* Using email delivery techniques which cause the message to appear to have come from a familiar or trusted source
* Packaging malicious files in deceptively familiar ways (e.g., use of familiar but deceptive program icons or file names)

The best advice with regard to malicious files is to avoid executing them in the first place. CERT advisory CA-99-02 discusses Trojan horses and offers suggestions to avoid them (please see Section V).
http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html

Additional information

Additional sources of virus information are listed at
http://www.cert.org/other_sources/viruses.html

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-99-06-explorezip.html.

______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
    CERT Coordination Center
    Software Engineering Institute
    Carnegie Mellon University
    Pittsburgh PA 15213-3890
    U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key. If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site http://www.cert.org/. To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message.

Copyright 1999 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html.

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Revision History

June 10, 1999: Initial release

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBN2B33nVP+x0t4w7BAQEsGQQAjO8XmCFoS5bE4l3+fDdrd7vUGHn3l1WZ
HyUPO25ddtd50rsyHCTaSuxr9HUuzswm4DI+T80y6nt5i+NTiSIKWjL0Qo8C+9Xn
BsHQqjmRdDrWD/r6+ZHnoekrgNWWM+1Uy8XITOyzfntGA2mGz/DGkyHq4afElZw6
3SLhZ6GPtjA=
=Ja0e
-----END PGP SIGNATURE-----
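Both messages above describe the same carrier: a reply-style message whose body starts "I received your email and I shall send you a reply ASAP" and whose attachment is named zipped_files.exe, and Simple Nomad's post notes that an attachment-name filter on the Unix relay, checking both directions, is what stopped it when the inbound-only Exchange scanner did not. The script below is an added example, not code from either message: it parses one message with Python's standard-library email module and reports the known attachment name, the known body text, and, as a generalisation beyond the advisory, any attachment with an executable extension. The sample messages are constructed, the attachment carries dummy bytes, and the extension list is this example's own choice.

```python
"""Mail-relay check for the ExploreZip carrier message.

Added example, not code from either message above: it reproduces the kind of
filter described as running on the Unix relay, which stopped mail in both
directions that carried an attachment named zipped_files.exe. Only the
standard library is used; the sample messages are constructed and the
attachment bytes are dummy data, not the Trojan.
"""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory text.
CARRIER_FILENAME = "zipped_files.exe"
CARRIER_BODY = "i received your email and i shall send you a reply asap"
# Generalisation (assumption of this example): any executable attachment is
# reported, since the advisory lists other carriers that used the same trick.
EXEC_SUFFIXES = (".exe", ".com", ".bat", ".pif", ".scr", ".vbs")


def scan_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and return the indicators found in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"carrier_attachment": False, "carrier_body": False,
                "exec_attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no payload
        filename = part.get_filename()    # Content-Disposition or name param
        if filename:
            lower = filename.lower()      # the worm's name may arrive in any case
            if lower == CARRIER_FILENAME:
                findings["carrier_attachment"] = True
            if lower.endswith(EXEC_SUFFIXES):
                findings["exec_attachments"].append(filename)
        elif part.get_content_type() == "text/plain":
            if CARRIER_BODY in part.get_content().lower():
                findings["carrier_body"] = True
    return findings


def should_quarantine(findings: dict) -> bool:
    """Block on the known carrier name or on any executable attachment."""
    return findings["carrier_attachment"] or bool(findings["exec_attachments"])


def build_carrier_sample() -> bytes:
    """Constructed look-alike of the carrier message (dummy attachment)."""
    msg = EmailMessage()
    msg["From"] = "engineer@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Re: where is the info we requested"
    msg.set_content("Hi!\nI received your email and I shall send you a reply "
                    "ASAP.\nTill then, take a look at the attached zipped docs.\n")
    msg.add_attachment(b"MZ-dummy-bytes-not-malware",
                       maintype="application", subtype="octet-stream",
                       filename="ZIPPED_FILES.EXE")
    return msg.as_bytes()


def build_clean_sample() -> bytes:
    """Constructed ordinary reply with no attachment."""
    msg = EmailMessage()
    msg["From"] = "engineer@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Re: where is the info we requested"
    msg.set_content("The docs are on the file share under docs/requested.\n")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("carrier", build_carrier_sample()),
                       ("clean", build_clean_sample())):
        found = scan_message(raw)
        verdict = "quarantine" if should_quarantine(found) else "deliver"
        print(f"{label}: {found} -> {verdict}")
```

The filter runs on the raw message, so it applies equally to mail leaving the site and mail entering it, which is the gap the post describes in the mailstore-side scanning of the day. A stricter deployment would also reject attachments whose declared type disagrees with the executable extension.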
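The advisory's host indicators are an autostart entry (run= in the [windows] section of WIN.INI on Windows 95/98, or the "run" value under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows on NT) pointing at a dropped explore.exe of 210432 bytes with MD5 0e10993050e5ed199e90f7372259e44b. The script below is an added example, not CERT's code: it checks a copy of WIN.INI and a registry export in .reg text format for those entries and compares a candidate file against the published size and hash. Reading the entries from text rather than the live registry is this example's choice so it runs on any platform during triage; the .reg escaping rules, the generalised reporting of every run=/load= value, and the sample inputs are assumptions and constructed data.

```python
"""Host-side check for the ExploreZip autostart entries and dropped file.

Added example, not part of the CERT advisory. Inputs are plain text (a copy of
WIN.INI, a .reg export made with regedit) so the check runs anywhere; the
samples at the bottom are constructed.
"""
import hashlib
import re

# Values published in the advisory.
DROPPED_SIZE = 210432
DROPPED_MD5 = "0e10993050e5ed199e90f7372259e44b"
DROPPED_NAME = "explore.exe"
NT_RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
# Generalisation (assumption): every run=/load= autostart value is returned for
# review; only values naming explore.exe are reported as ExploreZip matches.
AUTOSTART_KEYS = ("run", "load")


def autostart_entries_ini(text: str) -> list:
    """Return (key, value) pairs for run=/load= in the [windows] section."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                              # blank or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() in AUTOSTART_KEYS and value.strip():
                entries.append((key.strip().lower(), value.strip()))
    return entries


_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')   # "name"="string data"


def autostart_entries_reg(text: str) -> list:
    """Return (name, data) pairs under the NT run key from a .reg export."""
    entries, in_key = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == NT_RUN_KEY.lower()
            continue
        match = _REG_VALUE.match(line) if in_key else None
        if match and match.group(1).lower() in AUTOSTART_KEYS:
            # .reg exports double backslashes and escape quotes (assumed format)
            data = match.group(2).replace("\\\\", "\\").replace('\\"', '"')
            entries.append((match.group(1).lower(), data))
    return entries


def explorezip_matches(entries: list) -> list:
    """Keep only autostart entries whose target file is explore.exe."""
    hits = []
    for key, value in entries:
        basename = value.lower().replace("/", "\\").rsplit("\\", 1)[-1]
        if basename == DROPPED_NAME:
            hits.append((key, value))
    return hits


def file_matches_advisory(data: bytes) -> dict:
    """Compare file contents with the published size and MD5 of explore.exe."""
    digest = hashlib.md5(data).hexdigest()
    return {"size_match": len(data) == DROPPED_SIZE,
            "md5_match": digest == DROPPED_MD5, "md5": digest}


# Constructed samples: a WIN.INI with the Windows 95/98 entry, and a .reg
# export with the Windows NT entry, as the advisory describes them.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\Explore.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="c:\\winnt\\system32\\explore.exe"
"""

if __name__ == "__main__":
    print("WIN.INI:", explorezip_matches(autostart_entries_ini(SAMPLE_WIN_INI)))
    print("registry:", explorezip_matches(autostart_entries_reg(SAMPLE_REG)))
    print("dummy file:", file_matches_advisory(b"\x00" * DROPPED_SIZE))
```

Matching on the file's basename rather than a substring keeps the legitimate explorer.exe from being flagged, and the size check is a cheap first pass before hashing a whole drive's worth of candidates. Because the advisory itself says variants may exist, a hash mismatch on a file that is otherwise suspicious (right name, right autostart entry) should be treated as inconclusive rather than clean.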