Novell is now a part of Micro Focus

Using ZENworks to fight the ExploreZip.worm

Novell Cool Solutions: Trench

Digg This - Slashdot This

Posted: 17 Jun 1999

In case you've been in a cave somewhere, or heavily sedated, you should know that the Explorezip.worm was unleashed on the world around June 9th by some disgruntled alleged Israeli. This beast is particularly nasty, because it is spread via e-mail (MS Outlook, MS Outlook Express, and MS Exchange), and it looks like a message from someone you know and trust. It slithers along your local drive and destroys files created by popular Microsoft programs (.c, .cpp, .h, .asm, .doc, .xls, or .ppt). How it works is, it opens each file so it can be written to, then immediately closes it. This leaves the file at a zero-byte count. And all those zero-byte files, that used to be your legal briefs, payroll spreadsheets, marketing presentations, and whatnot, are absolutely unrecoverable. Poof. You're wormfood. (And 30 minutes later, it does it again, just when you were starting to rebuild your life.)

The sickest part is that it locates system drives, both mapped and unmapped, and infects whole systems in mere minutes. For more info on the worm, and to download a worm-removal tool, visit the AVERT labs site.

Since ZENworks is a very effective tool in combatting such infections, we placed an Open Call in the Community for people to share their combat experiences. We'll post 'em here every time we get one, so check back often.

Battling the Worm

Mark B. wrote:

  • Friday, June 11 -- 11:00 a.m. Panicked users called Help Desk to see if they should be worried about Explorezip.worm. Resisted the urge to tell them to shut their computers down, close and lock their doors, and pull the shades down, 'just to be safe.'
  • 11:30 a.m. - Sent out an e-mail to users detailing the issue and letting them know that update files would be ready by the afternoon.
  • 2:30 p.m. - More than half our tech staff was gone, but I still managed to get a ZEN application configured to update McAfee for 200 users.

So in the space of about 3 hours we had confirmed the threat was viable, notified our users, configured an application and readied it for distribution to 200 workstations. ZEN is my new best friend.

Dan S. wrote:

  • Got a message from our Microsoft rep Friday morning that worm had infected Microsoft and Intel. Researched it immediately (for a hoax) and prepared an e-mail warning.
  • 9:53am Friday - Reviewed e-mail contents with End-User Support, then mass mailed to all users.
  • Monday - Realizing the gravity of the worm, voicemail was sent out. NAI's "Extra.Dat" distributed via NAL as the normal mechanism for all McAfee updates.
  • Monday PM - One site reports being hit by virus, user ignoring e-mail warning and site not having distributed EXTRA.DAT.
  • One full day required to recover all missing files from tape.

Overall, we missed a bullet. I now have NAI's "AVERT" news site as my home page. Boy, the world needs a public-key infrastructure, S/MIME and signed executables!

Elio B. wrote:

I look after a group of four nimble and skilled support staff. We use many of Novell's products to provide service and support to about 225 very demanding clients. We also support about 22 NetWare servers across three geographic locations in Canada.

  • On arriving at the office on Friday morning at 8:30 a.m., I loaded my GroupWise and read a CERT advisory that I received about the Worm virus and its destructive payload.

  • I immediately had my senior engineer look for the latest Anti-Virus signatures for the Innoculan product, which we use to protect both our servers and workstations, while I sent out a warning message to all users by means of an e-mail and voice mail distribution.

  • By 10:00 a.m. all servers across Canada were being automatically updated with the latest signatures while my engineer worked on creating a NAL object to distribute the workstation protection.

  • By 12:00 noon the NAL object was being force run across all logged in workstations and they were being forced to reboot.

Yahoo for ZENworks!!

The interesting part of this story is that we beat out the larger organization's technology people hands down since their reaction was not until 4:45 p.m., and consisted of a phone call to each of the technology areas notifying them of the virus threat.

They advised that we tell our administrators to go to their web site and download the latest Anti-Virus program and ensure that it is installed to the users PC's asap.

(Yeah right! - No ZENworks, No way !!...)

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions.

© Copyright Micro Focus or one of its affiliates