Using ZENworks to fight the ExploreZip.worm
Novell Cool Solutions: Trench
Posted: 17 Jun 1999
In case you've been in a cave somewhere, or heavily sedated, you should know that the Explorezip.worm was unleashed on the world around June 9th by some disgruntled alleged Israeli. This beast is particularly nasty, because it is spread via e-mail (MS Outlook, MS Outlook Express, and MS Exchange), and it looks like a message from someone you know and trust. It slithers along your local drive and destroys files created by popular Microsoft programs (.c, .cpp, .h, .asm, .doc, .xls, or .ppt). It does this by opening each file for writing and immediately closing it, which truncates the file to zero bytes. And all those zero-byte files, that used to be your legal briefs, payroll spreadsheets, marketing presentations, and whatnot, are absolutely unrecoverable. Poof. You're wormfood. (And 30 minutes later, it does it again, just when you were starting to rebuild your life.)
The sickest part is that it locates system drives, both mapped and unmapped, and infects whole systems in mere minutes. For more info on the worm, and to download a worm-removal tool, visit the AVERT labs site.
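As an added defender's triage example (not from the original page or from Novell), a script that sweeps a directory tree for the zero-byte files the worm leaves behind, restricted to the extensions listed above; the sample tree, its file names and the 30-minute window are constructed here for illustration.

```python
import tempfile
import time
from pathlib import Path

# Extensions the page lists as targeted by ExploreZip.worm.
TARGET_EXTENSIONS = {".c", ".cpp", ".h", ".asm", ".doc", ".xls", ".ppt"}


def find_truncated(root, window_seconds=None):
    """Return relative paths under `root` that are zero bytes and carry a targeted extension.

    If window_seconds is given, only files modified within that many seconds of now
    are reported; since the worm repeats roughly every 30 minutes, a windowed sweep
    surfaces freshly hit files rather than old empty documents.
    """
    hits = []
    now = time.time()
    root = Path(root)
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TARGET_EXTENSIONS:
            continue
        st = path.stat()
        if st.st_size != 0:
            continue
        if window_seconds is not None and now - st.st_mtime > window_seconds:
            continue
        hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree():
    """Constructed sample directory: two intact documents, three zeroed ones, one decoy .txt."""
    root = Path(tempfile.mkdtemp(prefix="explorezip_"))
    (root / "briefs").mkdir()
    (root / "src").mkdir()
    (root / "briefs" / "contract.doc").write_bytes(b"intact contents")
    (root / "src" / "main.c").write_text("int main(void) { return 0; }\n")
    # Zero-byte files standing in for documents the worm has already truncated.
    for name in ("briefs/payroll.xls", "briefs/pitch.ppt", "src/util.h"):
        (root / name).touch()
    (root / "notes.txt").touch()   # zero bytes, but not a targeted extension
    return str(root)


if __name__ == "__main__":
    sample = build_sample_tree()
    for hit in find_truncated(sample, window_seconds=1800):
        print("possible worm damage:", hit)
```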
Since ZENworks is a very effective tool in combatting such infections, we placed an Open Call in the Community for people to share their combat experiences. We'll post 'em here every time we get one, so check back often.
Battling the Worm
Mark B. wrote:
So in the space of about 3 hours we had confirmed the threat was viable, notified our users, configured an application and readied it for distribution to 200 workstations. ZEN is my new best friend.
Dan S. wrote:
Overall, we missed a bullet. I now have NAI's "AVERT" news site as my home page. Boy, the world needs a public-key infrastructure, S/MIME and signed executables!
Elio B. wrote:
I look after a group of four nimble and skilled support staff. We use many of Novell's products to provide service and support to about 225 very demanding clients. We also support about 22 NetWare servers across three geographic locations in Canada.
- On arriving at the office on Friday morning at 8:30 a.m., I loaded my GroupWise and read a CERT advisory that I received about the Worm virus and its destructive payload.
- I immediately had my senior engineer look for the latest Anti-Virus signatures for the Innoculan product, which we use to protect both our servers and workstations, while I sent out a warning message to all users by means of an e-mail and voice mail distribution.
- By 10:00 a.m. all servers across Canada were being automatically updated with the latest signatures while my engineer worked on creating a NAL object to distribute the workstation protection.
- By 12:00 noon the NAL object was being force-run across all logged-in workstations and they were being forced to reboot.
Yahoo for ZENworks!!
The interesting part of this story is that we beat out the larger organization's technology people hands down since their reaction was not until 4:45 p.m., and consisted of a phone call to each of the technology areas notifying them of the virus threat.
They advised that we tell our administrators to go to their web site and download the latest Anti-Virus program and ensure that it is installed on the users' PCs ASAP.
(Yeah right! - No ZENworks, No way !!...)
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com