Novell is now a part of Micro Focus

Stop the Worm

Novell Cool Solutions: Tip
By Tay Kratzer

Digg This - Slashdot This

Posted: 11 Jun 1999

This tip comes straight from the fertile mind of Tay Kratzer, Premium Support engineer extraordinaire. There's another virus on the rampage. It's called the "Worm.ExploreZip" virus. This virus will probably not propagate itself as quickly as the "Melissa" virus. However, when a PC is struck with the virus, it will be more devastating then Melissa. You can visit the Symantec site for some good information about finding the keywords to help in identifying the virus. Oh, and Information Week has another, less technical document that explains the impact this virus has had so far.

A Little Virus Q&A

Question: Is GroupWise at risk with this virus?

Answer: Yes, our customers are as vulnerable to this e-mail attachment virus as any other, though it's not GroupWise itself that's the problem . . . Like most e-mail products, GroupWise will launch (Open) executable attachments like the zipped_files.exe attachment that carry these viruses. Unless there's a scanner installed on the machine that recognizes the virus and can catch the virus, it's free to do its dirty work. In this case, the virus uses Windows Messaging to replicate itself, so a GroupWise system (or an Exchange/Outlook system) which uses MAPI, can support propagation.

Question: What can I do to try and stop this virus?

Answer: With any E-mail virus there's a combination of approaches that's rather effective. Generally it's a good idea to combine as many of the approaches as possible. Both of the steps outlined here require prior planning.

Stopping The E-Mail Virus At The SMTP Entry And Exit Point
The GroupWise 5.x GWIA has a great feature that allows you to tell the GWIA to drop off incoming and outgoing E-mail to a third-party queue. With this capability you can implement software written by virus protection software vendors who specialize in catching viruses. For a well written document on how to configure the GWIA for such a solution see TID number 2932997.

Implementing a Virus Scanning Utility at the Workstation
There are companies such as Network Associates, Symantec, and others that do a fine job of quickly releasing updates to allow their virus scanning software to help contain viruses. The key to utilizing their software is

  1. Have their software implemented at every desktop
  2. Create a solution for immediately distributing the updates from your virus scanning software vendor
You make the choice as to what virus scanning software to buy. As for distribution of your virus software in a timely and simple manner, check out Novell's Directory Enabled Application called ZENworks. Half of the customers that I personally support as a Novell Primary Support Engineer are using ZENworks, and they love it. Go to the ZENworks Cool Solutions community to see an example of how one customer implemented a new virus definition file for their virus software with the use of ZENworks.

Question: In the Melissa virus document at Novell's Support Connection site, there's mention of an "itempurg" feature with GWCHECK. Could I use this solution to weed out ExploreZip if I think my post office has been affected?

Answer: The "itempurg" feature of GWCHECK will most likely not help. This feature of GWCHECK keys off of the subject line of an E-mail. The ExploreZip virus does not use a consistent subject line as did the Melissa virus.

Further Musings
The ExploreZip virus brings to light one more value-add with GroupWise. After reading Symantec's document on how ExploreZip deletes documents, you'll understand how placing documents natively on a file system makes those files vulnerable. We often tout the additional "security" of document management. GroupWise Document Management contains documents in an encrypted store area, to be accessed only via a Client/Server connection to a GroupWise Post Office Agent. This means that customers who use GroupWise Document Management as their document filing system, rather then saving files to a disk, have far less to worry about in regards to the ExploreZip virus.

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions.

© Copyright Micro Focus or one of its affiliates