The next virus wave

By Kevin Poulsen
13 October 2000 03:00 PM
Tags: virus, attachment, victim, melissa, computer, spread, trojan horse, program

In the dark history of Internet beasties, the Melissa virus will be remembered for its sheer fertility: its feverish procreation caused computers to grind to a halt. But Melissa never deliberately damaged anything.

The CIH virus, on the other hand, was designed for damage, utterly destroying the computers it touched. But it spread so slowly that it reached only a tiny segment of the online world.

Now we have a new virus, and it owes more to P. T. Barnum than to its nefarious predecessors.

This diabolical code, dubbed W32/ExploreZip.worm by those who name such things, was first spotted in Israel on Sunday, June 6. It is shamelessly malicious, seeking and destroying Microsoft Word documents and ravaging files involved in software development.

If the victim machine is on a local network, the program can even peddle its mayhem to shared drives on other systems. A couple of weeks ago, ExploreZip hit the United States and descended like a swarm of locusts on corporate networks, including those of powerhouse companies Microsoft, Intel, and AT&T. By Friday, some Silicon Valley software makers were reportedly sending their workers home early, and antivirus vendors were estimating a cyber-death toll in the tens of thousands of systems worldwide.

All this evil comes wrapped in a friendly email message:
Hi (Recipient Name)!
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
Bye

Experts at CERT (the Computer Emergency Response Team) are calling the nasty code both a Trojan horse and a worm, because it initially requires a victim to open or run an email attachment for the program to install a copy of itself (the Trojan horse part). But once on a machine, it may also propagate itself, without human interaction, to other networked computers that have certain writable shares.

But ultimately, ExploreZip is impotent unless it's able to trick netizens, battle-hardened by the Melissa debacle, into opening the attachment.

The program accomplishes that with stunning success by exploiting security holes not in our computers, but those fundamental to human nature.

The virus's slash-and-burn tour of cyberspace is fueled by a series of lies, each delivered with a swindler's casual self-assurance. The attachment is not a zip file at all; it's an executable. And if the ".exe" at the end of the attachment filename alarms would-be victims, a more subtle deception puts them at ease: the "zipped docs" appear to come from a friend.

That's because ExploreZip doesn't just wipe out a victim's files. It cunningly lies in wait, watching over the inbox looking for incoming messages, then replies with its cheery greeting and grim attachment.

Everyone knows not to run programs they receive unexpectedly, or from untrusted sources. But when the program seems to come from a friend, family member, or colleague, and it's a response to a previous message, and is supposedly a harmless zip file, only the most cynical user hesitates to open it.
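The three lies described above (a reply that looks like it came from a friend, a body that promises "zipped docs", and an attachment whose ".exe" content contradicts that promise) are exactly what a mail gateway can check mechanically before a human ever sees the message. The following added example, which is not part of the column and not code from any antivirus vendor, is a small attachment-triage routine: it sniffs each attachment's leading bytes rather than trusting its filename, flags executable extensions and double extensions, and checks the body's claim of a zip archive against what was actually attached. The lure text is the one quoted in the column; the sender addresses, filenames, and the "MZ" padded stand-in for the worm's executable are constructed sample data, and the PE and ZIP signatures are the real, well-known header bytes.

```python
import email
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Real, well-known file signatures used for content sniffing.
ZIP_MAGIC = b"PK\x03\x04"   # local file header of a ZIP archive
PE_MAGIC = b"MZ"            # DOS/PE executable header

EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}

# The lure text quoted in the column, used here only as constructed sample input.
LURE_BODY = (
    "Hi Alice!\n"
    "I received your email and I shall send you a reply ASAP.\n"
    "Till then, take a look at the attached zipped docs.\n"
    "Bye\n"
)


def sniff_type(data: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring the filename entirely."""
    if data.startswith(PE_MAGIC):
        return "executable"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def assess_attachment(filename: str, data: bytes) -> set[str]:
    """Return a set of finding codes for one attachment (empty set = nothing suspicious)."""
    findings = set()
    lower = filename.lower()
    _, ext = os.path.splitext(lower)
    kind = sniff_type(data)
    if kind == "executable":
        findings.add("executable-content")
    if ext in EXECUTABLE_EXTENSIONS:
        findings.add("executable-extension")
        if lower.count(".") >= 2:            # e.g. "docs.zip.exe"
            findings.add("double-extension")
    if ext == ".zip" and kind != "zip":      # name says archive, bytes say otherwise
        findings.add("zip-extension-mismatch")
    return findings


def assess_message(raw: bytes) -> dict:
    """Parse a raw message and decide whether to deliver it or quarantine it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part is not None else ""
    findings = []
    kinds = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        kinds.append(sniff_type(data))
        findings.extend(f"{name}: {code}" for code in sorted(assess_attachment(name, data)))
    # The body promises "zipped docs"; hold that promise against the actual bytes.
    if re.search(r"\bzip(ped)?\b", text, re.IGNORECASE) and "zip" not in kinds:
        findings.append("body promises a zip archive but no attachment is one")
    return {
        "subject": msg["Subject"],
        "findings": findings,
        "verdict": "quarantine" if findings else "deliver",
    }


def build_sample(filename: str, payload: bytes, body: str) -> bytes:
    """Constructed test message shaped like a reply from a colleague."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Re: budget figures"
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def worm_style_sample() -> bytes:
    # Constructed stand-in for the worm's attachment: a PE header plus padding,
    # named so that it reads as "zipped docs".
    return build_sample("zipped_docs.exe", PE_MAGIC + b"\x00" * 62, LURE_BODY)


def benign_sample() -> bytes:
    # A genuine in-memory zip archive, so name, bytes and body all agree.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("budget.txt", "constructed quarterly figures")
    return build_sample("budget.zip", buf.getvalue(), "Here are the zipped docs you asked for.\n")


if __name__ == "__main__":
    for raw in (worm_style_sample(), benign_sample()):
        result = assess_message(raw)
        print(result["verdict"], result["subject"], *result["findings"], sep="\n  ")
```

The point of sniffing the bytes is that none of the worm's lies survive it: the filename, the friendly greeting and the Re: subject are all under the sender's control, but the first two bytes of a Windows executable are not. Note that the check for the word "zip" in the body is a heuristic tuned to this particular lure; a production gateway would pair content sniffing with a policy that blocks executable attachments outright.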

In short, the code is a grifter-bot, running a con game and spreading by exploiting trusted human relationships.

ExploreZip is the first of what will probably be many viruses with some serious social engineering put into their design. Spammers (scarcely less evil creatures themselves) have already learned how to make their junk mail resemble a friendly missive from an online buddy.

From now on, the most malicious code on the Internet will be spread by trickery and authored by vandals who know that a sucker is born every minute. Is there anything we can do? Let me know in the talkback below.

Kevin Poulsen is a columnist for ZDTV's CyberCrime
