Security Software Slowing Spread of Latest E-Mail Computer Virus

From Times Wire Services

A new computer virus that mimics one that caused severe damage in June is spreading less rapidly than its predecessor, officials at security software companies said.

This time, more companies have foiled the virus because they have been active in updating their antivirus software, experts said. The virus, known as a “worm,” behaves the same way as the Worm.ExploreZip virus that infected computers worldwide four months ago.

The virus first appeared Nov. 24, started spreading in the U.S. on Tuesday and by Wednesday had been spotted around the world. It erases random files written using Microsoft Corp. software and spreads by sending itself via e-mail and multiplying on computer networks.

“We’ve seen a bit of a slowdown today,” Vincent Gullotto, an antivirus specialist with Network Associates Inc., said Wednesday. “We’re still seeing reports, but it’s not like the multiples are coming in like they were yesterday when we had eight or 10 customers that were hit pretty badly within a few hours.”

Many companies based on the East Coast were able to update their security software late Tuesday night or early Wednesday morning before the start of business, Gullotto said. Network Associates’ Web page with information about the virus had received 100,000 hits on Wednesday compared with 10,000 on Tuesday.

“It’s the second virus of this type, so people have seen it before,” said Susan Orbuch, a spokeswoman with security software company Trend Micro Inc. “In general, people are also more educated about viruses overall, so they are able to respond more quickly.”

The current virus, dubbed “WormExplore.Zip (Pack)” or “MiniZip,” was able to escape detection because it was compressed using a format called NeoLite, which antivirus software until recently was not programmed to filter. There are multiple compression formats and new ones can be written in less than an hour, so antivirus software can’t block them all, said Eric Chien, the chief antivirus researcher for Symantec Corp. in Europe.

On an infected computer, the MiniZip reads the addresses of new and unread e-mail and automatically sends itself as a response, changing the subject line from, for example, “Work Meeting” to “Re: Work Meeting.”

The body of the message reads: “Hi [recipient’s name]! I received your e-mail and I shall send you an e-mail ASAP. Till then, take a look at the attached zipped docs. bye.”

Opening it leads to the destruction of various files on a computer, which are then replaced with empty files.

“I have to say that this is a particularly insidious virus,” said Carey Nachenberg, chief researcher at Symantec’s anti-virus research center in Cupertino, Calif. “This is both a very fast spreading computer virus and also very damaging.”

Several high-profile viruses have infected computers worldwide in the last year, including the Melissa virus, one known as Chernobyl and the original WormExplore.Zip.

The original author of Worm.ExploreZip has evaded identification despite a search by the FBI. It’s unclear whether the same person transmitted the current virus, experts said.

Companies whose systems are infected by the new virus can expect to spend up to several days cleaning their systems because it can spread within computer networks, Chien said. “If you have a single infection in your company, that single infection can infect every single computer on your network,” Chien said. “Corporations are much more prepared now, but still we have some large Fortune 500 companies getting hit. I wouldn’t underestimate this virus.”

Disney’s Go.com and Banc of America Securities were among dozens of firms hit by the virus.

“A handful of computers were affected before we caught it,” Go.com spokeswoman Shelly Greenhalgh said. “It could have been much worse.”

The MiniZip also was discovered Tuesday at Banc of America but did no permanent damage because files are copied on backup systems.

At public relations firm BSMG Worldwide, employees in most offices have been unable to use their computers since Tuesday. Technicians are working to neutralize the virus, which arrived at the San Francisco office in an e-mail from a client.

“Our entire worldwide network has been knocked out with the exception of London. I can’t even turn on the computer to do word processing,” said Steve Morrison, a publicist with the San Francisco office of BSMG’s Financial Relations Board unit. “We’re trying to work around it. It’s a reminder of what our lives were like in the not-too-distant past.”

*

Bloomberg News and Associated Press were used in compiling this report.
