Trojan Heads-Up

From: Lawrence Walker <lwalker_at_mail.interlog.com>
Date: Fri Jun 11 10:43:22 1999

 For all you Windblows leading edge people here's a heads-up.
Course if you use reliable, proven technology it doesn't apply. :^)

ciao larry

-------------------------------------------------------------------

before you open any attachmentes, Here is part of the info on a new
virus that replicates and sends messages, as well as destroying material
on your hard drive. More at the Carnegie Mellon site:
http://www.cert.org/advisories/CA-99-06-explorezip.html

CERTr Advisory CA-99-06 ExploreZip

 Trojan Horse Program

 Original issue date: Thursday June 10, 1999
 Source: CERT/CC
Systems Affected

Machines running Windows 95, Windows 98, or Windows NT.
      Any mail handling system could experience performance problems or
a denial of service as a result of the propagation of this Trojan horse
program.

       Overview

       The CERT Coordination Center continues to receive reports and
inquiries regarding various forms of malicious executable files that are
propagated as file attachments in electronic mail.

       Most recently, the CERT/CC has received reports of sites affected
by ExploreZip, a Windows Trojan horse program.

       I. Description

       The CERT/CC has received reports of a Trojan horse program that
is propagating in email attachments. This program is called ExploreZip.
The number and variety of reports we have received indicate that this
has the potential to be a widespread attack affecting a variety of
sites.

       Our analysis indicates that this Trojan horse program requires
the victim to run the attached zipped_files.exe program in order install
a copy of itself and enable propagation.

       Based on reports we have received, systems running Windows 95,
Windows 98, and Windows NT are the target platforms for this Trojan
horse program. It is possible that under some mailer configurations, a
user might automatically open a malicious file received in the form of
an email attachment. This program is not known to exploit any new
vulnerabilities.

       While the primary transport mechanism of this program is via
email, any way of transferring files can also propagate the program.

       The ExploreZip Trojan horse has been propagated in the form of
email messages containing the file zipped_files.exe as an attachment.
The body of the email message usually appears to come from a known email
correspondent, and may contain the following text:

            I received your email and I shall send you a reply ASAP.
            Till then, take a look at the attached zipped docs.

       The subject line of the message may not be predictable and may
appear to be sent in reply to previous email.

       Opening the zipped_files.exe file causes the program to execute.
At this time, there is conflicting information about the exact actions
taken by zipped_files.exe when executed. One possible reason for
conflicting information may be that there are multiple variations of the
program being propagated, although we have not confirmed this one way or
the other.
       Currently, we have the following general information on actions
taken by the program.

            The program searches local and networked drives (drive
letters C through Z) for specific file types and attempts to erase the
contents of the files, leaving a zero byte file. The targets may include
Microsoft Office files, such as .doc, .xls, and .ppt, and
various source code files, such as .c, .cpp, .h, and .asm.

            The program propagates by replying to any new email that is
received by an infected computer. A copy of zipped_files.exe is attached
to the reply message.

            The program creates an entry in the Windows 95/98 WIN.INI
file:

            run=C:\WINDOWS\SYSTEM\Explore.exe

            On Windows NT systems, an entry is made in the system
registry:

            [HKEY_CURRENT_USER\Software\Microsoft\Windows
NT\CurrentVersion\Windows]
            run = "c:\winnt\system32\explore.exe"

            The program creates a file called explore.exe in the
following locations:

            Windows 95/98 - c:\windows\system\explore.exe
            Windows NT - c:\winnt\system32\explore.exe

            This file is a copy of the zipped_files.exe Trojan horse,
and the file size is 210432 bytes.

            MD5 (Explore.exe) = 0e10993050e5ed199e90f7372259e44b

       We will update this advisory with more specific information as we
are able to confirm details. Please check the CERT/CC web site for the
current version containing a complete revision history.

------------------------------------------------------------------------
lwalker_at_interlog.com

Let us know of your upcoming computer events for our Events Page.
t3c_at_xoommail.com

Collectors List and info http://members.xoom.com/T3C
Received on Fri Jun 11 1999 - 10:43:22 BST

This archive was generated by hypermail 2.3.0 : Fri Oct 10 2014 - 23:32:16 BST