
Press Release: MyCERT Alerts On Explore.Zip Worm Outbreak
Original Issue Date: 15th June 1999

Q: Is MyCERT aware of the EXPLORE.ZIP worm?

Yes, EXPLORE.ZIP is a new worm. We believe this worm was first discovered in Israel on June 6, 1999. MyCERT has received only one complaint as of 6pm MYT on June 15, 1999. The CERT Coordinating Center of the US has received many complaints in its constituency about the propagation of the worm, starting in the second week of June.

Q: What steps have MyCERT taken to alert the users?

MyCERT sent out an alert on Friday, June 11, 1999, to the MyCERT mailing list, and has made the advisory available on the MyCERT webpage.

Q: What systems are affected?

Systems that are affected are:

  • machines running Windows 95, 98 or NT.
  • machines with file systems that are shared with read and writable access, which are exposed to infected systems.
  • any mail handling system. These systems could experience performance degradation or a denial of service as a result of the propagation of this worm program.

EXPLORE.ZIP is malicious code that propagates itself via email and writable shared files and folders. A few things that the program will do:

  • It will constantly monitor your mailbox for new mail and send itself to the sender of each message received.
  • The program will scan all hard drives and sharable disks from C to Z, and reset the contents of all files with the extensions .h, .c, .cpp, .asm, .doc, .ppt or .xls on your hard disks to null. In short, it will destroy your files.

Q: How severe is the effect?

The effect is similar to the effect of the Melissa worm and the CIH virus combined. (Please refer to http://www.mycert.mimos.my/advisories.html for advisories on the Melissa worm and the CIH virus.) However, MyCERT discovered that the propagation is more rapid in a file-sharing environment based on Windows 95 and 98 platforms.

Q: How many reports has MyCERT received?

We have not received any official reports; however, we anticipate this will cause a major "outbreak". We encourage users who experience the symptoms of the worm to follow the steps provided at the MyCERT website, http://www.mycert.mimos.my, to detect and remove the program from their PCs. We encourage users to report to , their network administrators or ISPs on the discovery of the worm.

Q: How do we recover an infected PC?

Currently, many anti-virus vendors are working on ways to recover the lost data. We advise users to monitor the MyCERT website and other vendor websites for updates.

Q: What is MyCERT's advice in handling this problem?

We advise all IT departments in all organisations and all network users to refer to our documentation on how to control the spread of the worm. Even after traces of the worm have been removed, the worm can "re-infect" if proper policy and tools are not in place.

"Always ensure you have your antivirus software running, and scan every file that is to be stored or executed on your PCs. You should not depend on periodic alerts to update your lists. There are hundreds of viruses a week and thousands of viruses in a month. Thus the update must be done regularly."

Last Update April 19, 2001