ExploreZip, the worm that devastated systems in June, is now back in a compressed version that is slipping through anti-virus security systems. The worm infected several major companies yesterday.
Dubbed MiniZip by some security vendors - a reference to how the worm has been compressed - the latest outbreak uses exactly the same technology as ExploreZip, the only difference being that it has been compressed in a format that masks it from security systems which scan incoming messages for attacks. While many anti-virus applications now scan compressed files (and all scan for ExploreZip) the creator of MiniZip used a lesser-known shareware compression system called Neolite to render it invisible to anti-virus security systems.
"[ExploreZip] hasn't been altered at all: All someone did was store it in a very unusual compression format, called Neolite," said Dan Schrader, vice president of new technology at Trend Micro. "We already scan for compressed files, but they chose one that we don't [scan for] so far."
Security firms Symantec, Network Associates, Trend Micro and others received numerous copies of the compressed worm from several infected Fortune 500 companies on Tuesday. Security company Symantec received an initial example last week, but it was not until Tuesday that it became evident how serious the situation was.
"We had one submission last week, and at the time it wasn't spreading that much," said Vincent Weafer, director of the Symantec Antivirus Research Centre. "Based on customer submissions today [Tuesday], it's spreading rapidly."
Following the original course of ExploreZip in June, it is expected that Asia will see infections rise over Tuesday night, and Europe soon after, according to security vendors.
"We've had 10 companies hit in the last four hours," said Sal Viveros, group marketing manager for Total Virus Defense for Network Associates. "We're hearing from other people that some other big companies are being hit. If [MiniZip follows the same pattern as] .ExploreZip, we'll see it in Asia fairly soon."
Other than the compressed file format and the slightly different name of ExploreZip.worm.pak, the virus operates in the same way as before, infecting a machine, deleting files, and automatically sending infected responses to other users. It, too, affects systems running Microsoft Outlook, Outlook Express, and Exchange Both versions send an automatic message with the text: "I received your email and I will send you a reply ASAP. Till then, take a look at the attached zipped docs." However, the attachment actually contains an executable file that infects the system, rather than documents.
Users need to update their security application DAT files to protect their systems against this MiniZip version of ExploreZip, according to Trend Micro's Schrader, adding that users' recent experience with ExploreZip may actually stem the speed with which MiniZip spreads.
"There is nothing subtle about this virus - anti-virus products can detect this [but] you just have to have the [DAT file] update," said Schrader. "People are far more aggressively updating their pattern files, so that may stem the tide of this."
Nevertheless, with damage from the original version of the worm estimated in the hundreds of millions, and with the ease of the worm's spread, it's not to be taken lightly, Schrader added.
"The first time around this virus caused more damage than all non-virus security attacks combined," Schrader said. "We don't know how much damage it's going to do this time."