June 15, 1999 4:20 PM PDT
Virus hit fewer machines, did more damage
"To those who were hit, files were destroyed, it spread through many computers on a network, and a lot of time was spent addressing the problem and trying to recover files," said Mark Zajicek of the Computer Emergency Response Team based at Carnegie Mellon University.
CERT, which tracks hacker attacks and other security incidents on the Internet, has had at least 40 confirmed reports of infections by the Worm.ExploreZip virus since it was detected last week.
Joe Wells, who runs the Wildlist organization that publishes a list of viruses that spread "in the wild," meaning outside of a computer lab, agreed with the CERT assessment.
"It is not as widespread and it didn't spread as quickly as Melissa, but it's a lot worse," said Wells, referring to the Melissa virus that was spread, like Worm.ExploreZip, via email earlier this year. Still, he said, Worm.ExploreZip spread faster than any other virus except Melissa, boosted by the increasing use of email, both by individuals and companies.
Worm.ExploreZip is considered worse than Melissa because the latest worm destroys data on a user's machine. Though Melissa triggered a flood of outgoing email that potentially overwhelming email servers, it didn't destroy data.
Although several people have posted software utilities to recover lost data, Dan Shrader of antivirus firm Trend Micro, said his firm has tested three that he said do not work. To retrieve old files, most companies are resorting to back-up tapes, Wells said.
Experts have found one aspect of the Worm.ExploreZip infection is worse than originally expected. Instead of spreading solely by email, it can in some cases move over the local area networks (LANs) common in many offices. That occurs if an infected machine has access to data on another machine's hard drive using a "share" function.
"The ability to travel across LANs meant that if one person got it, it probably hit two or three other computers," said Roger Thompson, technical director of malicious code research at computer security trade group ICSA. "That probably hurt any organization that was hit and caused quite a bit of pain."
Thompson worries that the pace and seriousness of virus attacks is escalating rapidly. He cites three major new viruses since January--Worm.ExploreZip, Melissa, and Happy99--and a fourth virus, CIH or Chernobyl, that has existed for about a year but inflicted real damage this spring, particularly in Asia.
"The bad guys have caught on that they can do blitzkrieg efforts," said Thompson. "It's a fearsome specter, a virus that can spread as quickly as Melissa with a nasty payload like Worm.ExploreZip."