Destructive Worm.ExploreZip virus spreads

If you thought Melissa was nasty, hang on to your hard drive because there's a bigger, badder virus in town. Worm.ExploreZip dupes Microsoft Outlook and Exchange users by automatically answering incoming e-mail. The attachment carried by the e-mail can destroy any file with a .h, .c, .cpp, .asm, .doc, .ppt, or .xls extension.

Worm.ExploreZip, a Trojan horse virus discovered in Israel and reported to Symantec's AntiVirus Research Center last Sunday, dupes Microsoft Outlook and Exchange users by automatically answering incoming e-mail. It sends a response with your name and the same subject header.

Unlike Melissa, however, Worm.ExploreZip attaches destructive files.

"From the day Melissa hit, we've seen a tremendous up-tick in the virus-writing underground and hacker community of people trying to take the effectiveness of Melissa and attach a destructive payload to it. This virus appears to have succeeded," says Wes Wasson, director of product marketing for Network Associates Inc. (NAI). The company's McAfee division updated its detection software to recognize the virus earlier this week, but raised the risk-assessment profile to high yesterday morning.

An e-mail message infected by Worm.ExploreZip contains an attachment called zipped_files.exe. The body of the message reads: "Hi (recipient's name)! I received your e-mail and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. Bye."
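As an added example (not part of the original article or any vendor's tooling), this Python check triages a raw message against the two indicators described above: the attachment name and the body text. The function name and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Indicators taken from the article; the greeting varies with the recipient's name.
ATTACHMENT_NAME = "zipped_files.exe"
BODY_PATTERN = re.compile(
    r"I received your e-?mail and I shall send you a reply ASAP\.\s*"
    r"Till then, take a look at the attached zipped docs",
    re.IGNORECASE,
)

def explorezip_indicators(raw_message):
    """Return which of the article's indicators a raw RFC 822 message matches."""
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename and filename.strip().lower() == ATTACHMENT_NAME:
            hits.append("attachment-name")
        elif part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            text = payload.decode(charset, errors="replace")
            if BODY_PATTERN.search(" ".join(text.split())):  # ignore line wrapping
                hits.append("body-text")
    return hits

# Constructed sample message (placeholder attachment bytes, example.com addresses).
SAMPLE_INFECTED = """\
From: alice@example.com
Subject: Re: budget
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; charset="us-ascii"

Hi Bob! I received your e-mail and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs. Bye.
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Zipped_Files.EXE"

AAAA
--XX--
"""
```

A message that matches either indicator is a candidate for quarantine; matching on the attachment name alone misses renamed copies, which is why the body text is checked separately.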

If the recipient opens the attached file, the virus replicates itself, takes control of the recipient's mail client, scans the address book to propagate itself, and responds to every e-mail message the PC receives.

Furthermore, the Worm.ExploreZip virus can destroy any file with a .h, .c, .cpp, .asm, .doc, .ppt, or .xls extension on your hard drive or mapped drives, according to a virus alert posted on Symantec's Web site. It destroys files on the C through Z drives by truncating them to 0 bytes.

Several major US businesses temporarily shut down their e-mail systems on Friday as a direct result of the Worm.ExploreZip virus, also known as the W32.ExploreZip Worm. Affected companies include Microsoft, NBC and General Electric, according to the antivirus companies whose software the victims license.

The new worm apparently only affects Windows machines running MAPI e-mail clients, such as Outlook. Launching the attachment sets up a monitoring application that responds to all incoming mail with this note and attachment. But unlike Melissa, which only existed to replicate, this worm copies itself to the user's system directory as explore.exe -- so that it runs on every reboot -- and scans the hard drive, rendering useless Microsoft Word, Excel and PowerPoint files, as well as C programs.

According to antivirus software vendor Trend Micro, it only affects users with a personal folder in their desktop mail clients; it does not run off shared Exchange servers.
