Notice: This mailinglist archive is frozen since May 2001, i.e. it will stay online but will not be updated.
VIRUS WARNING / Worm.ExploreZip
- From: Willem-Jan Markerink <w.j.markerink@xxxxx>
- Subject: VIRUS WARNING / Worm.ExploreZip
- Date: Sat, 12 Jun 1999 12:09:17 +0100
Be warned:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Listers,
I'm still on a leave of absence but I wanted to pass this along. I have
verified that this is a real virus threat and not a hoax. I have copied
the following info from the Norton Anti Virus web site. It is verbatim but the
formatting has been stripped so it may have odd sections. Please take a moment
to read this and take any appropriate actions.
Gary
======================
Virus Name: Worm.ExploreZip
Aliases: W32.ExploreZip Worm
Infection Length: 210,432 bytes
Area of Infection: Windows System directory, Email Attachments
Likelihood: Common
Detected as of: June 6, 1999
Characteristics: Worm, Trojan Horse
Overview:
Worm.ExploreZip contains a very malicious payload. Worm.ExploreZip utilizes
Microsoft Outlook, Outlook Express, and Microsoft Exchange to mail itself out by
replying to unread messages in your Inbox. The payload of the worm will destroy
any file with the extension .h, .c, .cpp, .asm, .doc, .ppt, or .xls on your hard
drive(s), as well as any mapped drives, each time it is executed. The worm will
also search the mapped drives for Windows installations and copy itself to the
Windows directory, and then modify the WIN.INI file. This will infect systems
without e-mail clients. This continues to occur until the worm is removed. You
may receive this worm as a file attachment named "zipped_files.exe". When run,
this executable will copy itself to your Windows System directory with the
filename "Explore.exe", or your Windows directory with the filename
"_setup.exe". The worm modifies your WIN.INI or registry such that the
"Explore.exe" or "_setup.exe" file is executed each time you start Windows.
Worm.ExploreZip was first discovered in Israel and submitted to the Symantec
AntiVirus Research Center on June 6, 1999.
Technical Description:
Worm.ExploreZip utilizes MAPI commands and Microsoft Outlook/Outlook
Express/Microsoft Exchange on Windows 9x and NT systems to propagate itself. The
worm e-mails itself out as an attachment with the filename "zipped_files.exe" in
reply to unread messages it finds in your Inbox. Thus, the e-mail message may
appear to come from a known e-mail correspondent in response to a previously
sent e-mail. The e-mail contains the following text:
Hi Recipient Name!
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
bye or sincerely Recipient Name
Once the attachment is executed, it may display the following window: [image not preserved in this archive]
The worm also copies itself to the Windows System (System32 on Windows NT)
directory with the filename "Explore.exe" or "_setup.exe", and modifies the
WIN.INI file (Windows 9x) or the registry (on Windows NT). This results in the
program being executed each time Windows is started. You may find this file
under your Windows Temporary directory or your attachments directory, depending
on the e-mail client you are using. E-mail clients will often temporarily store
e-mail attachments in these directories under different temporary names. The
worm will continue to search through your Inbox as long as it is still running
in memory. Thus, any new messages that are received will be replied to in the
above manner.
Payload:
In addition, when Worm.ExploreZip is executed, it
searches drives C through Z of your computer system and selects a series of
files to destroy based on file extensions (including .h, .c, .cpp, .asm, .doc,
.xls, .ppt) by calling CreateFile(), and making them 0 bytes long. You may
notice extended hard drive activity when this occurs. This can result in
non-recoverable data. This payload routine continues to happen while the worm is
active on the system. Thus, any newly created files matching the extensions list
will be destroyed as well. Symantec provides data recovery services, which can be
found at http://www.symantec.com/techsupp/recovery.
However, due to the nature of the payload data recovery may take several
days and may not be possible in all cases.
Repair Notes:
To remove this worm, you should perform the following steps:
Remove the line
run=C:\WINDOWS\SYSTEM\Explore.exe
or
run=C:\WINDOWS\SYSTEM\_setup.exe
from the WIN.INI file for Windows 9x systems.
For Windows NT, remove the registry entry
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
which will refer to "Explore.exe" or "_setup.exe"
Delete the file "Explore.exe" or "_setup.exe". You may need to reboot first or
kill the process using Task Manager or Process View (if the file is currently in
use).
Norton AntiVirus users can protect themselves from this worm by downloading the
current virus definitions either through LiveUpdate or from the following
webpage: http://www.symantec.com/avcenter/download.html
Write-up by: Eric Chien
Written: June 6, 1999
Update: June 10, 1999
--
Bye,
Willem-Jan Markerink
The desire to understand
is sometimes far less intelligent than
the inability to understand
<w.j.markerink@xxxxx>
[note: 'a-one' & 'en-el'!]
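The Windows 9x repair step above (remove the `run=` line in WIN.INI that points at Explore.exe or _setup.exe) as a small, added example; this is not code from the list message or from Symantec. It assumes the persistence entry sits in the `[windows]` section of WIN.INI, that `run=`/`load=` values may list several programs separated by spaces or commas, and it operates on constructed sample text rather than a real file.

```python
import re

# Dropped-copy filenames named in the write-up above (matched case-insensitively).
WORM_FILENAMES = ("explore.exe", "_setup.exe")

# Constructed sample WIN.INI, modelled on the entry the write-up says to remove.
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\Explore.exe
NullPort=None
[Extensions]
txt=notepad.exe ^.txt
"""


def _is_worm_path(path: str) -> bool:
    """True if the path's basename is one of the worm's dropped filenames."""
    basename = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return basename in WORM_FILENAMES


def _split_programs(value: str) -> list:
    """Split a run=/load= value into its individual program entries."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def find_worm_run_entries(win_ini_text: str) -> list:
    """Return the [windows] run=/load= lines that reference Explore.exe or _setup.exe."""
    hits, section = [], None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or line.startswith(";"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in ("run", "load"):
            if any(_is_worm_path(p) for p in _split_programs(value)):
                hits.append(raw)
    return hits


def strip_worm_run_entries(win_ini_text: str) -> str:
    """Return WIN.INI text with the worm's program removed from run=/load=.
    A line is dropped entirely when nothing else was listed on it."""
    out, section = [], None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and not line.startswith(";"):
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() in ("run", "load"):
                parts = _split_programs(value)
                kept = [p for p in parts if not _is_worm_path(p)]
                if len(kept) != len(parts):
                    if kept:  # keep the legitimate programs, drop the worm
                        out.append(f"{key.strip()}={' '.join(kept)}")
                    continue
        out.append(raw)
    result = "\n".join(out)
    return result + "\n" if win_ini_text.endswith("\n") else result
```

Entries outside `[windows]` (such as the `[Extensions]` line in the sample) are left alone, so a hit means a persistence entry and not merely a filename mention elsewhere.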