June 10, 1999 8:10 PM PDT

Data virus forces email shutdowns

Corporations are scrambling to cope with a new data-destroying virus that is forcing the shutdown of email systems nationwide.

The virus, first reported to the Symantec Antivirus Research Center on Sunday by five companies in Israel, is called Worm.ExploreZip or Troj_Explore.Zip. The worm uses Mail Application Programming Interface (MAPI) commands and Microsoft Outlook on Windows systems to propagate itself, Symantec said.

In some ways, the virus is the sequel to the Melissa virus, which spread with unprecedented speed in March. Worm.ExploreZip spreads from computer to computer by taking advantage of automation features available to people using Microsoft email software on Windows machines.

Although the new virus doesn't spread as fast as Melissa, it causes more damage, according to antivirus experts, deleting Microsoft Word, Excel, and Powerpoint document files, among others. (See CNET Topic Center on antivirus software.)

How TROJ_EXPLORE.ZIP works Several firms have shut down their email systems entirely while IS staff root out the virus, according to Symantec.

Boeing was hit particularly hard. The Seattle-based aerospace giant shut down its email system, which is used by at least 150,000 employees, at 2:30 p.m. today, a company spokesman said. The company was still assessing the damage caused by the virus, but the spokesman, who asked not to be named, said he knew of at least one employee whose entire hard drive was wiped out.

"As soon as we became aware of it, we told everyone, and we put a message up on our internal Web site," he said. Late in the day the email still had not been restored. The company hopes to have it back up by tomorrow.

PricewaterhouseCoopers took down its entire email system, used by 45,000 U.S. employees, also at 2:30 p.m. in response to the virus. The company was just bringing up parts of the system at 7 p.m., a company spokesman said, but he didn't know how much damage had been done or how many workers had been affected.

Some companies said they disarmed the virus--actually a software "worm"--before it could cause many problems. Microsoft, for example, disconnected its email servers from the Internet at about 9 a.m. so that programmers could work on an antidote, company spokesman Dan Leach said. The servers were up and running two hours later, he added.

Employees of antivirus software maker Symantec report that they have received email that includes the worm, which arrives as an attachment to the missives. Companies such as General Electric and Southern Company have had files deleted by the virus, according to Bloomberg.

Virus protection firm Trend Micro spokeswoman Susan Orbuch said earlier today that the company had received 107 calls from customers concerning the virus. Thirteen of those calls came from those already infected, she said.

Orbuch said that Trend Micro knew of five large companies that had been infected, as well as several public relations firms and a magazine. She declined to name the companies.

Nate Meyer, spokesman for Credit Suisse First Boston, said the virus had struck the company's offices in New York, San Francisco, and Palo Alto, California, and that other offices worldwide may have been affected. He said he did not know how many of the company's computers were infected.

Meyer said the Credit Suisse's technology department had been working on the problem for much of the day and had sent out a warning about it this morning. But he said the virus did not seem to have slowed the company's operations, adding that it had not disrupted the investment company's stock trading. Meyer noted that his own email had been working throughout the day.

Quick repairs
Representatives at AT&T and Intel reported that they were able to quickly repair their systems after being hit by the virus.

"These are things that we have to do because of the communications reality that we live in today," an AT&T spokeswoman said.

The virus disrupted work at Cambridge, Massachusetts-based industry analyst firm Forrester Research, where Internet access, including email, was cut off. Another analyst firm, Current Analysis, sent email to customers warning them not open any email attachments coming from the firm with the .exe extension because an employee's PC had been infected.

The infected email may contain the message: "Hi [recipient name]! I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. bye."

Unlike the Melissa virus, which harvested from a user's address book, the new virus raids an email in-box when executed through Microsoft Exchange or Outlook. The worm attaches itself as a file called zip_files.exe and is sent off with a return email. Although the virus isn't expected to spread as quickly and to as many computers as Melissa did, it does destroy files.

"It's an .exe file posing as a Zip file," said Eric Chien, senior researcher at the Symantec Antivirus Research Center. The worm is particularly insidious because it searches through hard drives and destroys files with extensions of .doc, .xls, .ppt, .c, .cpp, .h, or .asm, he said.

Chien said that means whoever wrote the virus was targeting corporations--seeking to destroy developers' source code, as well as documents created using Microsoft Office applications, such as Word and Excel.

"It singles out those files and destroys them," he said. "This hits the local drive and the file server."

Extent of damage not known
Chien said it is unclear how much damage the virus has done. "We've received multiple reports from major corporations in the U.S.," he said. "What we're hoping is that the initial jump on this Sunday night will prevent it from spreading."

Panda Software said it has added free downloads for the detection and disinfection of the virus--which it called "extremely dangerous"--on its Web site. The company also urged people to update antivirus software.

Esther Shin, a public relations specialist at Aventail, a Seattle-based business-to-business e-commerce firm, said two of her colleagues encountered the virus this morning. One of them lost all the files on his hard drive after he opened the attachment, she added.

The email was worded to make the recipient believe that the message came from a Microsoft employee, she said. Shin said she got a similar email but didn't open the attachment.

"When I got hit I called all my contacts," she said.

Bloomberg and News.com's Troy Wolverton, Dan Goodin, and Tim Clark contributed to this report.

 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.