Countering New Wrapper Viruses
press release
London, UK, 01:00 GMT 14th June 1999 - The worm virus ExploreZip, a data
destruction virus with a 'benign' Zip wrapper around it, has spread swiftly
on a global scale. "It is the first of many
wrapper based viruses, which can be dealt with early using a preventive security
architecture, middleware and proper man-machine procedures",
according to mi2g's Security Intelligence Products & Systems (SIPS)
Division.
The worm virus ExploreZip, Melissa and Chernobyl are only the tip of the
iceberg. New and far more dangerous viruses are already being developed. As
an example, there is an entire breed of viruses that can move system clocks
forward or backward, thereby bringing the effects of the millennium bug early
or crashing invoicing systems. The disguise of wrapper delivery is also going
to be a real threat in the coming months, whereby a benign wrapper, such as
a graphic (jpeg or gif) or working document (txt, xls or doc), could actually
be delivering a lethal virus. Wrapper programs can be written in a sophisticated
way so that they remain undetected for days or weeks while they spread through
a corporation's network before being activated by a remote signal. Therefore,
the first indication an IT Manager will have of a viral attack of this sort
will be widespread damage within the organisation.
"Having developed and perfected counter terrorism
techniques for internet communities over the last three years, we know that
the bespoke security architecture and customised middleware needed to deal
with sophisticated viruses has not been understood, let alone installed, in
most corporations. Regrettably, the primary cause of this delay is lack of
appreciation at board level about the threat the internet is posing to business.
When a self-inoculation architecture is in place, the paralysis, which now
seems to come about in large corporations every time a sophisticated virus
hits them, will begin to recede," said DK Matai, Managing
Director, mi2g.
Data recovery may take several days or may not be possible in all cases of
the new viral attacks. If data recovery is not an issue, because backup is
available, the safest method of cleaning the machine(s) is to reformat the
hard disk and reinstall the operating system and software applications.
"Until a corporation has deployed a foolproof
preventive security architecture, anti-virus computer security relies heavily
upon procedures, both human and machine based. Personnel need to be made fully
aware that they are risking business continuity by not adhering to established
e-mail guidelines for deleting messages with suspicious attachments from known
sources and all messages from unknown sources. Customised middleware must
also be installed to halt executables other than a trusted set of applications
like a word processor and spreadsheet," added DK Matai.
Editor's Notes:
1. 1999 is expected to end with potentially the biggest computer bug of
all time, "Y2K", and it has already seen three major computer virus outbreaks
in its first six months: Melissa, Chernobyl and ExploreZip.
2. MELISSA - This computer virus struck at the end of March. It was
the fastest-spreading virus ever seen, attacking over 100,000 computers
in less than a week. Sent via e-mail, it took control of Microsoft Outlook
address books and secretly sent up to 50 e-mail messages to various locations.
Melissa was merely inconvenient: it blocked network capacity but caused no data
damage or destruction.
3. CHERNOBYL - Also known as the CIH virus, it was timed to go off on
April 26th, the 13th anniversary of the Chernobyl nuclear disaster. The virus
overwrote the data on a target computer's hard drive, rendering it inoperable.
Deadly to computers, it was not as widespread as Melissa in Western countries
but caused severe disruption in Asia.
4. EXPLOREZIP - ExploreZip has the speed of Melissa and the destructive
capability of Chernobyl. If an e-mail message is received with a zipped file
attachment named zipped_files.exe, the message should be deleted. Organisations
attacked will have files damaged or destroyed. If the attachment is opened, the
virus will destroy any file including Word, Excel and PowerPoint documents as
well as files with the extensions .h, .c, .cpp and .asm on the hard drive. The
infected machine should be taken off the network immediately, because the worm
also searches the mapped drives within the network for Windows installations in
order to modify their initialisation and registry files. ExploreZip appears to
begin by attacking Microsoft-based software only.
5. Y2K - The infections so far in 1999 could be an early dress rehearsal
for the widespread problems expected when some computers, embedded processors
and networks will be unable to handle the "00" in the year 2000 date
change. This is expected to cause widespread, costly damage to computer
systems and disruption to business activities.
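The two defensive rules the release puts forward, deleting messages that carry the zipped_files.exe attachment (Editor's Note 4) and halting executables outside a trusted application set (Mr Matai's second quote), can be reduced to a single mail-gateway check. The following is an added example written for this page, not mi2g's software or middleware; the file signatures, the set of blocked executable extensions, the verdict names and the sample attachments are assumptions constructed for the demonstration, and no real malware is embedded.

```python
KNOWN_CARRIER_NAMES = {"zipped_files.exe"}                   # the carrier named in Editor's Note 4
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "bat", "pif"}  # assumed set of blocked executable types
# First bytes a genuine file of the claimed 'wrapper' type starts with (txt has none).
WRAPPER_MAGIC = {
    "zip": b"PK\x03\x04",
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "doc": b"\xd0\xcf\x11\xe0", "xls": b"\xd0\xcf\x11\xe0",  # OLE2 compound file
    "txt": None,
}
PE_MAGIC = b"MZ"  # DOS/PE executable header

def classify_attachment(name: str, data: bytes):
    """Return (verdict, reason) for one attachment; verdict is block, allow or quarantine."""
    lname = name.lower()
    parts = lname.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if lname in KNOWN_CARRIER_NAMES:
        return "block", "name matches the ExploreZip carrier zipped_files.exe"
    if ext in EXECUTABLE_EXTENSIONS:
        # 'holiday.jpg.exe' style: a benign-looking inner extension hides the real one
        if len(parts) > 2 and parts[-2] in WRAPPER_MAGIC:
            return "block", f"executable disguised by double extension .{parts[-2]}.{ext}"
        return "block", f".{ext} is outside the trusted application set"
    if data.startswith(PE_MAGIC):
        return "block", f"content is a Windows executable but the name claims .{ext}"
    if ext in WRAPPER_MAGIC:
        magic = WRAPPER_MAGIC[ext]
        if magic is None or data.startswith(magic):
            return "allow", f"content signature agrees with .{ext}"
        return "quarantine", f"content does not match the .{ext} signature; hold for review"
    return "quarantine", f"unrecognised type .{ext}; hold for review"

def triage(attachments):
    """Run the check over (name, data) pairs and return {name: verdict}."""
    return {name: classify_attachment(name, data)[0] for name, data in attachments}

# Constructed sample attachments for the demonstration (not real files).
SAMPLE_MAIL = [
    ("zipped_files.exe", b"MZ\x90\x00\x03"),  # the carrier named on the page
    ("invoice.doc", b"MZ\x90\x00\x03"),       # executable wearing a document name
    ("holiday.jpg.exe", b"MZ\x90\x00\x03"),   # double-extension disguise
    ("archive.zip", b"PK\x03\x04\x14\x00"),   # genuine zip signature
    ("readme.txt", b"Quarterly figures"),     # plain text, nothing to check
    ("budget.xls", b"PK\x03\x04\x14\x00"),    # claims xls, content says otherwise
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_MAIL).items():
        print(f"{verdict:10} {name}")
```

The content check matters because a name-based rule alone is defeated as soon as the carrier is renamed, which is exactly the wrapper disguise the release warns about.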