W32/ExploreZipB (also known as ExploreZip.worm.pak or MiniZip) is
essentially a compressed version of the original ExploreZip worm.
Further information on the original worm and how to detect it is
published separately.
Because W32/ExploreZipB was compressed in an executable-packing
format that anti-virus products at the time did not unpack and scan
inside, it initially evaded detection. Its behaviour towards the user,
however, is identical to the original worm's. It spreads the same way
(via email), uses the same wording in the emails it sends, relies on
the same confidence trick (persuading you that the included attachment
is important, trustworthy and therefore safe to open), and delivers
the same payload (wiping files, including DOC (Word documents), XLS
(Excel spreadsheets) and PPT (PowerPoint presentations)).
With this in mind, it may seem surprising that users who knew about
the original ExploreZip, and how it spread, would fall for
ExploreZipB. Every warning sign that said "you shouldn't trust me"
about ExploreZip is not merely present but identical in this
repackaged variant. It seems that sometimes the oldest con tricks are
among the most successful.
So perhaps we should be treating the ExploreZipB incident not so
much as just another virus alert, but as a salutary reminder that
there are some simple behaviour modifications (enforceable via
technology) that organisations can make to reduce their risk from
digital confidence tricks of many forms, including viruses.
For example, in most organisations, very few - if any - users
really need to be able to email programs (such as .EXE files) to
one another. Often, only a few trusted staff in the IT department
will ever have a business need to send out or receive EXEs. Sure,
users may feel they "need" to exchange games, screensavers,
greetings cards, pornographic animations and so-called "joke"
programs. However, they usually stand to gain very little, compared
to what they might lose (including data availability, data
integrity, confidentiality, security, overall confidence and
personal or company reputation).
So why not tell your users that they are not allowed to send or
receive programs unless duly authorised? Technology (including
anti-virus software and firewall/gateway systems) can help enforce
this rule, provided the gateway looks at what an attachment actually
contains rather than only at its file extension, since a program that
has been renamed or packed into an archive is still a program. But the
rule has to exist as a corporate cultural reality in order to be truly
enforceable.
If you think you might have difficulty persuading your
corporation to buy into this, why not use the argument that it will
make your employer stand out as a glowing example of digital
responsibility? If they are still unconvinced, then you might try
pointing out that this policy might actually act as an insurance
for them against the threat of personal or corporate litigation: it
mitigates the risk that they might send something inappropriate or
dangerous outside the company by mistake.
Anti-virus software is important, and should be kept up to date
to deal with the latest threats. However, companies can further
reduce their chances of virus infection by implementing safe
computing policies.
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.