How the email worm works

The Worm.ExploreZip virus, while different in some ways from the Melissa virus, takes advantage of a similar vulnerability: The fact that so many people now routinely use email.

Stephen Shankland Former Principal Writer
Stephen Shankland worked at CNET from 1998 to 2024 and wrote about processors, digital photography, AI, quantum computing, computer science, materials science, supercomputers, drones, browsers, 3D printing, USB, and new computing technology in general. He has a soft spot in his heart for standards groups and I/O interfaces. His first big scoop was about radioactive cat poop.
Expertise Processors | Semiconductors | Web browsers | Quantum computing | Supercomputers | AI | 3D printing | Drones | Computer science | Physics | Programming | Materials science | USB | UWB | Android | Digital photography | Science Credentials
  • Shankland covered the tech industry for more than 25 years and was a science writer for five years before that. He has deep expertise in microprocessors, digital photography, computer hardware and software, internet standards, web technology, and more.
Stephen Shankland
3 min read
The Worm.ExploreZip virus, while different in some functional details from the Melissa virus that hit in March, takes advantage of a similar vulnerability: The fact that so many people now routinely use email.

The new virus emerged this week, spreading from user to user by taking advantage of automation features available to users of Microsoft email software on Windows machines.

How TROJ_EXPLORE.ZIP works Like Melissa, it requires some active participation of the victim: opening the malicious file, or "payload," attached to the email message. And again like Melissa, the malicious program then modifies the victim's computer system to send more copies of itself automatically by email. (See CNET Topic Center on antivirus software.)

To encourage a person to open the attachment, both malicious programs use the similar ploy: Trick the victim into thinking he or she has just received a useful document from a trusted source. Both programs can get away with this, because the infected email comes from a person likely to be known by the recipient.

But there the differences end. Where Melissa was relatively benign to users, Worm.ExploreZip deletes Microsoft Word, Excel, and Powerpoint document files, said Wes Wasson, head of security products marketing at Network Associates.

Where Melissa tapped into address books set up in Microsoft Outlook, Worm.ExploreZip's modus operandi is just to bounce back incoming email automatically with a response including the malicious program, Wasson said.

That means Worm.ExploreZip will spread more slowly, he said. "How fast it spreads correlates to how many emails you get," he said.

Melissa, on the other hand, sent itself to 50 entries in the address book, and those entries themselves could each be mailing lists.

Regardless of their propagation rate, both viruses depend on automated email features. Worm.ExploreZip basically uses a modified version of the same feature that allows a person on vacation to set up email software to automatically reply with an "try back later" message, Wasson said.

The advent of email as a distribution mechanism has allowed a new class of viruses, Wasson said. In the old days, viruses had to be smaller, but Worm.ExploreZip is comparatively huge at more than 200 kilobytes, he said.

"Now with email, I don't have to be slim like I was before," Wasson said. "Viruses and worms can be written in [the programming language] C. This is really cutting-edge science."

The increasing power of email viruses means that sophisticated hackers who once looked down on viruses now see them as powerful tools to obtain information stored on target computers, particularly because using email makes it easier to obscure the origin of the attack, he said.

"The hacker believes the virus is going to be more of a stealth approach," he said.

Selling security
Antivirus software sellers profit from virus scares. Sales of antivirus software jumped 67 percent in the week the Melissa virus hit, according to market research firm PC Data.

Network Associates' Wasson acknowledges the sales boost, but insists his company is out there to help people, pointing as evidence to the company's free, virus clinic detection services available over the Internet.

"Rather than hold [people] hostage and take advantage of an incident, we'll give it to them for free," he said.

Network Associates' competitor TrendMicro offers a similar service.

As more companies begin to become more wary of the risks posed by the Internet, Network Associates is offering more security consulting services. For example, the company hires itself out to find vulnerabilities in computer systems, Wasson said.

"Customers come to us all the time, saying check my security out, bang on my firewall," he said, referring to the protective software designed to keep computer networks safe from unauthorized access.

In addition, the company is offering new software next month called CyberCop Sting that not only sets off alarms when there's a burglar, but also lets companies set up decoy systems to lure intruders and record information about them, Wasson said. The strategy is similar to the technique described by author Clifford Stoll in his book, The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage.