[10796] in bugtraq

home help back first fref pref prev next nref lref last post

CERT Advisory CA-99.06 - ExploreZip Trojan Horse Program

daemon@ATHENA.MIT.EDU (aleph1@UNDERGROUND.ORG)
Fri Jun 11 13:30:52 1999

Content-Type: application/pgp; format=text; x-action=sign
Message-Id: <19990611180113.17749.qmail@underground.org>
Date: 	Fri, 11 Jun 1999 11:01:13 -0700
Reply-To: cert-advisory-request@cert.org
From: aleph1@UNDERGROUND.ORG
To: BUGTRAQ@NETSPACE.ORG

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-99-06 ExploreZip Trojan Horse Program

   Original issue date: Thursday June 10, 1999
   Source: CERT/CC

Systems Affected

     * Machines running Windows 95, Windows 98, or Windows NT.
     * Any mail handling system could experience performance problems or
       a denial of service as a result of the propagation of this Trojan
       horse program.

Overview

   The CERT Coordination Center continues to receive reports and
   inquiries regarding various forms of malicious executable files that
   are propagated as file attachments in electronic mail.

   Most recently, the CERT/CC has received reports of sites affected by
   ExploreZip, a Windows Trojan horse program.

I. Description

   The CERT/CC has received reports of a Trojan horse program that is
   propagating in email attachments. This program is called ExploreZip.
   The number and variety of reports we have received indicate that this
   has the potential to be a widespread attack affecting a variety of
   sites.

   Our analysis indicates that this Trojan horse program requires the
   victim to run the attached zipped_files.exe program in order install a
   copy of itself and enable propagation.

   Based on reports we have received, systems running Windows 95, Windows
   98, and Windows NT are the target platforms for this Trojan horse
   program. It is possible that under some mailer configurations, a user
   might automatically open a malicious file received in the form of an
   email attachment. This program is not known to exploit any new
   vulnerabilities. While the primary transport mechanism of this program
   is via email, any way of transferring files can also propagate the
   program.

   The ExploreZip Trojan horse has been propagated in the form of email
   messages containing the file zipped_files.exe as an attachment. The
   body of the email message usually appears to come from a known email
   correspondent, and may contain the following text:

   I received your email and I shall send you a reply ASAP.
          Till then, take a look at the attached zipped docs.

   The subject line of the message may not be predictable and may appear
   to be sent in reply to previous email.

   Opening the zipped_files.exe file causes the program to execute. At
   this time, there is conflicting information about the exact actions
   taken by zipped_files.exe when executed. One possible reason for
   conflicting information may be that there are multiple variations of
   the program being propagated, although we have not confirmed this one
   way or the other. Currently, we have the following general information
   on actions taken by the program.

     * The program searches local and networked drives (drive letters C
       through Z) for specific file types and attempts to erase the
       contents of the files, leaving a zero byte file. The targets may
       include Microsoft Office files, such as .doc, .xls, and .ppt, and
       various source code files, such as .c, .cpp, .h, and .asm.
     * The program propagates by replying to any new email that is
       received by an infected computer. A copy of zipped_files.exe is
       attached to the reply message.
     * The program creates an entry in the Windows 95/98 WIN.INI file:
       run=C:\WINDOWS\SYSTEM\Explore.exe
       On Windows NT systems, an entry is made in the system registry:
       [HKEY_CURRENT_USER\Software\Microsoft\Windows
       NT\CurrentVersion\Windows]
       run = "c:\winnt\system32\explore.exe"
     * The program creates a file called explore.exe in the following
       locations:
       Windows 95/98 - c:\windows\system\explore.exe
       Windows NT - c:\winnt\system32\explore.exe
       This file is a copy of the zipped_files.exe Trojan horse, and the
       file size is 210432 bytes.
       MD5 (Explore.exe) = 0e10993050e5ed199e90f7372259e44b

   We will update this advisory with more specific information as we are
   able to confirm details. Please check the CERT/CC web site for the
   current version containing a complete revision history.

II. Impact

     * Users who execute the zipped_files.exe Trojan horse will infect
       the host system, potentially causing targeted files to be
       destroyed.
     * Indirectly, this Trojan horse could cause a denial of service on
       mail servers. Several large sites have reported performance
       problems with their mail servers as a result of the propagation of
       this Trojan horse.

III. Solution

Use virus scanners

   In order to detect and clean current viruses you must keep your
   scanning tools up to date with the latest definition files.

   Please see the following anti-virus vendor resources for more
   information about the characteristics and removal techniques for the
   malicious file known as ExploreZip.

   Central Command
          http://www.avp.com/upgrade/upgrade.html

          Command Software Systems, Inc
          http://www.commandcom.com/html/virus/explorezip.html

          Computer Associates
          http://support.cai.com/Download/virussig.html

          Data Fellows
          http://www.datafellows.com/news/pr/eng/19990610.htm

          McAfee, Inc. (a Network Associates company)
          http://www.mcafee.com/viruses/explorezip/protecting_yourself.as
          p

          Network Associates Incorporated
          http://www.avertlabs.com/public/datafiles/valerts/vinfo/va10185
          .asp

          Sophos, Incorporated
          http://www.sophos.com/downloads/ide/index.html#explorez

          Symantec
          http://www.sarc.com/avcenter/download.html

          Trend Micro Incorporated
          http://www.antivirus.com/download/pattern.htm

General protection from email Trojan horses and viruses

   Some previous examples of malicious files known to have propagated
   through electronic mail include
     * False upgrade to Internet Explorer - discussed in CA-99-02
       http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html
     * Melissa macro virus - discussed in CA-99-04
       http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
     * Happy99.exe Trojan Horse - discussed in IN-99-02
       http://www.cert.org/incident_notes/IN-99-02.html
     * CIH/Chernobyl virus - discussed in IN-99-03
       http://www.cert.org/incident_notes/IN-99-03.html

   In each of the above cases, the effects of the malicious file are
   activated only when the file in question is executed. Social
   engineering is typically employed to trick a recipient into executing
   the malicious file. Some of the social engineering techniques we have
   seen used include
     * Making false claims that a file attachment contains a software
       patch or update
     * Implying or using entertaining content to entice a user into
       executing a malicious file
     * Using email delivery techniques which cause the message to appear
       to have come from a familiar or trusted source
     * Packaging malicious files in deceptively familiar ways (e.g., use
       of familiar but deceptive program icons or file names)

   The best advice with regard to malicious files is to avoid executing
   them in the first place. CERT advisory CA-99-02 discusses Trojan
   horses and offers suggestions to avoid them (please see Section V).

   http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html

Additional information

   Additional sources of virus information are listed at

   http://www.cert.org/other_sources/viruses.html
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-99-06-explorezip.html.
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from
   our web site http://www.cert.org/.

   To be added to our mailing list for advisories and bulletins, send
   email to cert-advisory-request@cert.org and include SUBSCRIBE
   your-email-address in the subject of your message.

   Copyright 1999 Carnegie Mellon University.
   Conditions for use, disclaimers, and sponsorship information can be
   found in http://www.cert.org/legal_stuff.html.

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office
   ______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Revision History

   June 10, 1999: Initial release

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBN2B33nVP+x0t4w7BAQEsGQQAjO8XmCFoS5bE4l3+fDdrd7vUGHn3l1WZ
HyUPO25ddtd50rsyHCTaSuxr9HUuzswm4DI+T80y6nt5i+NTiSIKWjL0Qo8C+9Xn
BsHQqjmRdDrWD/r6+ZHnoekrgNWWM+1Uy8XITOyzfntGA2mGz/DGkyHq4afElZw6
3SLhZ6GPtjA=
=Ja0e
-----END PGP SIGNATURE-----

home help back first fref pref prev next nref lref last post