Destructive email worm causes chaos on computers

 

Irish Government departments and financial and corporate institutions have been seriously hit by a malicious computer "worm". Microsoft and Intel are believed to have been particularly affected by the "ExploreZip" worm, which is capable of deleting documents irretrievably. It has already hit hundreds of corporate networks and personal computers worldwide.

A number of Microsoft business associates in Ireland believe they contracted the infection after opening emails thought to be from Microsoft employees, which were automatically transmitted by the virus. A spokesperson for Microsoft told The Irish Times the virus had hit both the European operations centre and the worldwide product group centre in Sandyford. "It has had some effect, but we have now taken precautionary measures and shut down a few servers to minimise the impact."

He said he was confident Microsoft employees had back-up files to replace the ones which had been deleted by the ExploreZip worm.

An Post said 15 of its personal computers had been infected and a large amount of "non-essential" material had been lost. A spokesman said its email system had been down since midday yesterday and a team of IT staff would be working through the weekend to clear the problem.

AIB and PricewaterhouseCoopers are believed to have been affected also.

Irish software security companies said they had been inundated with calls since the infection started to strike on Thursday, and by yesterday a number of corporate networks had shut down in order to clear their systems completely. According to Mr Dermot Williams, managing director of Systemhouse Technology: "The costs to business could be huge by comparison with usual viruses, which incur technical overtime and PC downtime costs. This is different because all documents can be lost and just one document might cost £100 to replace."

The ExploreZip worm can erase all the files from a person's computer, which makes it considerably more dangerous than the recent Melissa virus. When Melissa surfaced in March, it was remarkable for its ability to spread quickly. However, it did not destroy data.

The worm reaches a computer user as an email attachment, usually from someone known to the user and with whom they have had recent email contact. This is because the worm spreads by sending automatic replies to emails sitting in the user's email in-box.

The message arrives as a personalised message with the text: "Hi (recipient's name). I have received your e-mail and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. Bye."

Once "unzipped" by the recipient, the virus will browse through their Microsoft Outlook email program and send messages to in-box addresses, making it seem like they are coming from the infected computer's user.

The virus will then erase all documents on the computer hard drive written with such popular Microsoft software programs as Word, PowerPoint and Excel.

If the recipient of the virus is using an email system other than Microsoft Outlook, ExploreZip will not spread further, though it will still damage the infected computer's files.

The worm is particularly deceptive because it usually arrives from someone known to the recipient, so their guard is immediately dropped. Although ExploreZip is an executable program, it carries a WinZip icon, which recipients are more inclined to open without a second thought.

Reports suggest the worm may have originated in Israel and might have made its first appearance last Sunday. The FBI is currently investigating the worm as a possible crime. "As was the case with Melissa, the transmission of a virus can be a criminal matter, and the FBI is investigating," Mr Michael Vatis, director of the National Infrastructure Protection Center (NIPC), said in a statement on Thursday night.

A computer "worm" is so called because it does not replicate itself in the same way viruses do. It relies on computer users to activate its replication. Computer viruses are written with the capability to reproduce through automation.

Microsoft has instructed customers receiving the ExploreZip message to "delete it immediately without opening the attachment and then empty the deleted items folder".

On Thursday US media reported that Microsoft cut off its corporate email connection with the Internet for two hours to prevent being infected.

According to Mr Alec Florence, managing director of Priority Data Systems: "We can expect more versions of this virus to come. The best advice is to never click on an attachment unless the recipient knows what's in it. If necessary delete it, and ring the sender to verify its authenticity."