11 Jun 1999
The search is on for whoever has been wreaking havoc around the world over the last few days by introducing the Winexplorezip email virus.
The virus is not just an irritant. It is causing extensive damage because, if executed, it wipes out files on a computer's hard drive.
But one expert believes it will be harder to track down the perpetrator than it was to find the author of the Melissa virus earlier this year. Richard Smith, Pharlap Software's president, discovered the name of Melissa's alleged author, David L. Smith (no relation), embedded in the code, but he knew where to look for it because virus writers like to autograph their work. Smith is now awaiting trial and has pleaded not guilty.
But Smith said there was no such clue in the much more malicious Winexplorezip virus, although the fact that it is written in Delphi has sent the FBI, among others, scurrying to online forums that discuss the computer language.
Winexplorezip was first discovered in Israel, but has spread throughout the world since then, attacking email users who have Microsoft software installed. Many major businesses, including Microsoft itself, have been affected.
When users send an email to an infected desktop, they receive a response supposedly from the person emailed with the subject line of the email unaltered, which makes it difficult to recognize as bogus. The response has been automatically generated, however, and contains the virus.
The message says: "Hi (Name)! I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. Bye."
The "docs" attachment contains a zip file named zipped_files.exe, which, if activated, will show a fake error message to the user.
An executable file will then alter the Win.ini file so that it instructs the client to run an Explore.exe file, which is delivered by the virus. The worm searches drives C: through Z: of a computer and selects a series of files based on file extensions (including .h, .c, .cpp, .asm, .doc, .xls, .ppt) and makes them zero bytes long -- in essence destroying all of the data.
Eric Chien, a researcher at Symantec's Antivirus Research Center, said: "It's an .exe file posing as a Zip file," adding that, judging by the extensions, whoever wrote the virus was intent on attacking developers' source code as well as documents created using Microsoft Office.
Symantec, Network Associates and other antivirus companies posted fixes for affected users on their Web sites on Friday.
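The two traces described above (a Win.ini entry that launches Explore.exe, and files with the listed extensions cut to zero bytes) can be checked for with a short triage script. This is an added example, not code from the article or from any antivirus vendor; looking at the run= and load= keys of the [windows] section is an assumption about where the entry sits, and the sample Win.ini text, path and file names are constructed.

```python
import os
import tempfile

# Extensions the article lists as targeted (it describes the list as partial).
TARGET_EXTS = {".h", ".c", ".cpp", ".asm", ".doc", ".xls", ".ppt"}

def winini_autoruns(text):
    """Return (key, program) pairs from run=/load= lines in the [windows] section."""
    hits, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section == "windows" and sep and key.strip().lower() in ("run", "load"):
            # Several programs may be listed, separated by spaces or commas.
            for prog in value.replace(",", " ").split():
                hits.append((key.strip().lower(), prog))
    return hits

def flag_explore(hits):
    """Flag autorun entries whose file name is explore.exe (name from the article)."""
    return [h for h in hits
            if h[1].replace("/", "\\").rsplit("\\", 1)[-1].lower() == "explore.exe"]

def zeroed_files(root):
    """List zero-byte files under root whose extension is in TARGET_EXTS."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in TARGET_EXTS and os.path.getsize(path) == 0:
                found.append(path)
    return sorted(found)

# Constructed sample input, not taken from a real infected machine.
SAMPLE_WININI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\Explore.exe\n\n[Desktop]\nWallpaper=(None)\n"

def demo():
    """Build a throwaway tree with one emptied and one intact file, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("report.doc", b""), ("main.c", b"int x;\n"), ("notes.txt", b"")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        empties = [os.path.basename(p) for p in zeroed_files(root)]
    return flag_explore(winini_autoruns(SAMPLE_WININI)), empties
```

A zero-byte file is only a lead, since empty files also occur legitimately; the useful signal is many of them appearing at once across the listed extensions.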