Explorer Worm propagating via shared files

The destructive "worm" that has spread itself via automated e-mail responses is also infiltrating systems via shared files on a network, according to an advisory issued by the Computer Emergency Response Team (CERT) in the US.

The ExplorerZip.worm searches a network "for all shares that contain a WIN.INI file with a valid [Windows] section in the file", CERT said. Once found, it will attempt to copy itself to a file called setup.exe on that share and modify the WIN.INI file by adding "run=setup.exe", CERT said.
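The WIN.INI change CERT describes can be checked for on shared drives. The following Python sketch is an added example, not code from CERT or Trend Micro: it parses the text of a WIN.INI file and reports whether the [Windows] section autostarts a file named setup.exe. The function names and the sample file contents are constructed for illustration.

```python
import re

# Constructed sample WIN.INI contents (not taken from an infected machine).
SAMPLE_INFECTED = """\
; constructed sample
[fonts]
[Windows]
load=
run=setup.exe
[Desktop]
"""
# Here run=setup.exe sits outside [windows], so it is not an autostart entry.
SAMPLE_CLEAN = "[windows]\nrun=\n[Desktop]\nrun=setup.exe\n"

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*(run|load)\s*=\s*(.*?)\s*$", re.IGNORECASE)


def autostart_entries(ini_text):
    """Return (key, program) pairs from run=/load= lines in the [windows] section."""
    entries = []
    in_windows = False
    for line in ini_text.splitlines():
        if line.lstrip().startswith(";"):
            continue  # comment line
        m = SECTION_RE.match(line)
        if m:
            # Section names are case-insensitive: [Windows] == [windows]
            in_windows = m.group(1).strip().lower() == "windows"
            continue
        k = KEY_RE.match(line) if in_windows else None
        if k:
            # The value can list more than one program; split on whitespace or commas.
            for prog in re.split(r"[,\s]+", k.group(2)):
                if prog:
                    entries.append((k.group(1).lower(), prog))
    return entries


def flags_setup_exe(ini_text):
    """True if the [windows] section autostarts a file whose name is setup.exe."""
    return any(
        prog.replace("/", "\\").split("\\")[-1].lower() == "setup.exe"
        for _, prog in autostart_entries(ini_text)
    )
```

A hit is a reason to inspect the share, not proof of infection, since the check matches on the file name alone.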

CERT said machines running Windows 95, Windows 98 or NT are believed to be affected, as well as machines with file systems or shared files that can be changed by an infected user.

Even antivirus vendors aren't immune.

Trend Micro discovered that ExplorerZip.worm tries to gain access to other computers, destroying shared files and attempting to infect computers as well, said company spokeswoman Susan Orbuch.

The antivirus vendor received the worm in what appeared to be a normal document, Orbuch said. (The company generally receives virus samples in zipped documents.) Trend Micro contained it immediately but didn't realise it had been passed along to one executive, Orbuch said. The worm attacked through a link the executive had created to share files with someone else, resulting in several destroyed files.

The worm is "much more pernicious than what was originally thought", Orbuch said, and "much more complex and sophisticated" than its famous recent predecessor, Melissa. "Whoever wrote this was clever," she added.

The latest twist will force information technology teams and users to be clever as well. They will have to be aware of autofile backups, Orbuch said, because if systems are infected, that could result in files being overwritten as empty.
