Unprotected Hex: How We Have Become Our Own Enemies Concerning Computer Viruses
bob@cringely.com
Last week the world was hit by a new and especially malicious computer virus called Worm.ExploreZip. If you read about this virus in your local paper or the New York Times, you don't know the half of it. If you read about it in Computerworld or on C-Net, there's still plenty that hasn't been told. Please don't stop reading now, because there is information in this column you won't find in those places. Worm.ExploreZip is both a world of heartache for those who have had to fight it and an indicator of even worse things to come.
The virus was first discovered around June 6th and started making major trouble by June 10th. That's when Microsoft first sent a warning to their top-tier customers at 7:27 a.m. Pacific Daylight Time. That's a very odd time for Microsoft to send an alert. Sure, the nerds are just heading for bed about then, but it's not nerds who send out alerts. Alerts are sent by supervisors who start work at 8 or 9, and those alerts have to be approved by honchos who come to work at 9 or 10. So what motivated the Microsoft supervisors and THEIR supervisors to issue an alert at 7:27 a.m.? They'd been up for hours already, fighting the virus' attack on Microsoft itself. That night, at least for a while, hundreds of thousands of Microsoft files were lost.
Now THERE'S a novel excuse to give the Department of Justice when next the Feds come trawling for evidence.
Here's how the virus works. Worm.ExploreZip arrives as an electronic mail message with an attached file. In this way — and only this way — it is like the Melissa virus that got so much attention a few months ago. Once the first user opens that attached file, all hell breaks loose.
The virus takes advantage of Microsoft's own mail API, MAPI (the Messaging Application Programming Interface), to do its damage. Using MAPI, it targets Microsoft Office files for destruction. It installs itself on your computer, then e-mails copies of the original message and attachment to all your friends, then trashes every document file (.xls, .ppt, .doc, .cpp, .asm, etc.) it can find on your local hard disk and on the network. But Worm.ExploreZip doesn't actually delete the targeted files. Instead it resets the file length to zero, so the name remains but there is nothing behind it.
While resetting the file length to zero might show which files are affected, it isn't much help since you can pretty much count on all files being affected. Resetting the length actually makes the files much harder to restore from a backup because the shortened files must first be identified and deleted before they can be restored.
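The recovery step described above, identifying the zero-length documents before restoring from backup, as an added example in Python that is not from the column or from any vendor tool. It assumes the extension list the column gives and builds its own small sample tree; on a real server you would point it at the affected shares and cross-check the list against your backup catalogue, since a legitimately empty file looks the same as a truncated one.

```python
import os
import tempfile
from pathlib import Path

# Extensions the column says the worm truncates to zero length (assumed list).
TARGET_EXTENSIONS = {".xls", ".ppt", ".doc", ".cpp", ".asm"}


def find_truncated_files(root, extensions=TARGET_EXTENSIONS):
    """Return sorted paths of zero-length files with a targeted extension under root.

    A single empty .doc proves nothing, but a tree where every document has
    suddenly become empty is the symptom the column describes, and these are
    the entries that must be cleared before a restore will write over them.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if (path.suffix.lower() in extensions
                    and path.is_file() and path.stat().st_size == 0):
                hits.append(path)
    return sorted(hits)


def remove_truncated_files(root, extensions=TARGET_EXTENSIONS):
    """Delete the zero-length targeted files so the backup restore can put the
    originals back. Returns the number of files removed."""
    victims = find_truncated_files(root, extensions)
    for path in victims:
        path.unlink()
    return len(victims)


def build_sample_tree():
    """Constructed sample directory mimicking the aftermath: emptied documents,
    one intact document and one empty file of an untargeted type."""
    root = Path(tempfile.mkdtemp(prefix="explorezip_demo_"))
    (root / "reports").mkdir()
    (root / "reports" / "q2.xls").write_bytes(b"")       # truncated
    (root / "reports" / "deck.PPT").write_bytes(b"")     # truncated, upper-case ext
    (root / "novel.doc").write_bytes(b"Chapter 1")       # survived
    (root / "src").mkdir()
    (root / "src" / "main.cpp").write_bytes(b"")         # truncated
    (root / "README.txt").write_bytes(b"")               # empty but not targeted
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print(find_truncated_files(demo_root))
```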
While Worm.ExploreZip kills that novel you'd been writing on business trips for the last five years, it does almost nothing to Windows, itself. All it does to the operating system is install two small programs and set the registry to run them when you boot up. So the virus runs anew each time you turn on your PC.
On a server the virus is even more insidious. It shortens to zero any files to which you are allowed write access. And if "you" happens to mean a superuser or sysadmin in a hurry, the damage can be severe. But because the files aren't actually deleted, most server-based anti-virus programs can't even detect that a virus is present. So the only way to really protect data is to secure the server, either by making all files read-only or by taking the server completely offline. This is what many companies did.
Some outfits had to shut down their NT domains, since NT (through MAPI) was particularly vulnerable. This meant, though, that NT's own mechanism for distributing anti-virus software was unavailable.
Smart administrators shut down completely then cleared their post offices of the (now known) virus-carrying message. Half a day to panic, a day to scrub the post office, then a day or two of file recovery and testing and they were back in business ... until the next infection.
How could there be another infection of a professionally-managed network once the virus was known? Here comes the really bad news. As a network or system administrator, you can clean your systems and update your virus signatures, you can set your firewall to block personal SMTP and POP3 service to the Internet. You can have your firewall and mail gateway servers ever vigilant for that awful zip_files.exe file attachment. But it still won't help.
All it takes to reinfect is for one user to check his or her Hotmail, Rocketmail, Yahoomail, Excitemail, Yourmail, Mymail, webmail and download the virus-attached message all over again. That's because these Web mail services don't use SMTP or POP3, and they don't go through a mail gateway. Their traffic looks like Web surfing and so slips right through the firewall.
This virus will be beaten, of course, but what it portends for the future is ominous. We'll see more viruses leveraging APIs and finding more ways to enter our networks. Tell me we won't see a similarly-designed virus timed with Y2K. Tell me we won't see a dozen such viruses.
The problem here is two-fold. Forget for a moment the part about the people who actually write these viruses, for they are just criminals. How do we protect ourselves? What we can do something about are the underlying systems. Why is Windows so open that it can be manipulated like this? It doesn't have to be that way. Is Unix or Linux or any other operating system that much better or more secure? No. They all tend to ignore security and safety, throwing any obligation on poor stupid users or on nobody at all. There is no excuse for this.
There is no excuse, either, for e-mail providers not using automatic virus detection on all traffic. This capability exists, yet it is almost never used. If a free e-mail service allows you to infect a network and kill a million files, who is liable? I think the e-mail service is liable.
It is up to us as usual, we poor, stupid users, to make a change, and we can only force that change through economic pressure. We have to hold Microsoft's feet to the fire, but not only Microsoft's. We have to switch our business to free e-mail services that automatically scan for viruses all messages and attachments. We can complain and maybe it will do some good. Maybe not. Or, I suppose, we can count on the FBI to catch all the bad guys and put them in jail.
I'd rather call in the Power Rangers.