ExploreZip worm destroys files on infected and connected systems
virus-explorezip (8238)
Description:
ExploreZip is a worm propagated by an email containing an attached file named zipped_files.exe. The message contains variable subject lines, but always contains the following body:
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
Computers can become infected with the ExploreZip worm when a user opens the infected attachment. Upon infection, ExploreZip performs the following actions:
- Displays error message: "Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help."
- Searches drives C: to Z: (local and networked drives) for .doc, .xls, .ppt, .c, .cpp, .h, and .asm files.
- Attempts to erase any file with the above file name extensions, resulting in a zero-byte file.
- Creates a copy of itself in the SYSTEM (Windows 9x) or System32 (Windows NT) directory.
- On Windows 9x, adds 'run=C:\WINDOWS\SYSTEM\Explore.exe' to the WIN.INI file.
- On Windows NT, modifies the HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows registry key with the value 'run = "C:\WINNT\System32\Explore.exe"'.
- Attempts to propagate using file sharing to networked systems by copying itself as _setup.exe and adding 'run=_setup.exe' to the WIN.INI file on the networked system.
- Attempts to propagate using email by replying to received mail with the infected mail and attachment.
Platforms Affected:
- Microsoft, Windows 95
- Microsoft, Windows 98
- Microsoft, Windows NT 4.0
Remedy:
All users and system administrators should regularly update antivirus software and initiate a virus scan.
Carefully examine any attachment (especially its file name extension) before opening, saving, or executing it. Do not click attachments (even if the message or attachment looks friendly) unless you are expecting to receive an attachment from the sender. Delete any email messages or attachments you believe are suspicious.
Windows 95 and Windows 98: To manually remove the worm:
- Press Ctrl-Alt-Delete and open the Task Manager.
- Select the Zipped_files.exe process and click End Task.
- Search for and delete all copies of zipped_files.exe.
- Delete the C:\Windows\System\Explore.exe file.
- Edit C:\Windows\win.ini and remove 'run=c:\windows\system\explore.exe'.
Windows NT: To manually remove the worm:
- Press Ctrl-Alt-Delete and open the Task Manager.
- Select the _setup.exe process and click End Task.
- Search for and delete all copies of zipped_files.exe.
- Delete the C:\Winnt\System32\Explore.exe and C:\Winnt\_setup.exe files.
- Use Registry Editor to delete the 'run' value under the HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows registry key.
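The following Python script is an added example, not part of the X-Force entry or of any of the referenced advisories. It turns the indicators quoted in the Description (the fixed message body, the zipped_files.exe attachment name, the run= persistence entry in WIN.INI pointing at Explore.exe or _setup.exe, and zero-byte files with the targeted extensions) into three defender-side checks that can be run against a mail message, a copy of WIN.INI, and a directory tree, both for triage and for verifying that the manual removal steps above took effect. The sample WIN.INI text, the mail body and the directory tree are constructed here for the demonstration; the registry value on Windows NT is not checked because the script is meant to run offline on an exported WIN.INI.

```python
"""Added example: ExploreZip indicator checks built from the advisory text
(mail signature, WIN.INI run= persistence, zero-byte damage assessment)."""
import os
import re
import tempfile
from pathlib import Path

# Attachment name and fixed body text quoted in the advisory.
WORM_ATTACHMENT = "zipped_files.exe"
WORM_BODY_LINES = (
    "I received your email and I shall send you a reply ASAP.",
    "Till then, take a look at the attached zipped docs.",
)
# Binaries the worm registers via run= (local infection and share propagation).
PERSISTENCE_BINARIES = {"explore.exe", "_setup.exe"}
# Extensions the worm truncates to zero bytes.
TARGET_EXTENSIONS = {".doc", ".xls", ".ppt", ".c", ".cpp", ".h", ".asm"}

# Constructed WIN.INI excerpt (not from the advisory) showing the persistence entry.
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\Explore.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""


def _normalize(text):
    """Collapse whitespace and case so line wrapping in the mail body does not matter."""
    return re.sub(r"\s+", " ", text).strip().lower()


def message_matches_worm(body, attachment_names):
    """True if the body carries both fixed worm sentences and an attachment is
    named zipped_files.exe. The subject is deliberately ignored: the advisory
    says it varies."""
    has_attachment = any(n.lower() == WORM_ATTACHMENT for n in attachment_names)
    norm_body = _normalize(body)
    has_body = all(_normalize(line) in norm_body for line in WORM_BODY_LINES)
    return has_attachment and has_body


def suspicious_win_ini_run_entries(win_ini_text):
    """Return programs listed under run= in the [windows] section of WIN.INI
    whose file name is one of the worm's persistence binaries."""
    hits = []
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() != "run":
            continue
        # run= may list several programs separated by spaces or commas (8.3 names).
        for prog in re.split(r"[,\s]+", value.strip()):
            if not prog:
                continue
            base = os.path.basename(prog.replace("\\", "/")).strip('"').lower()
            if base in PERSISTENCE_BINARIES:
                hits.append(prog)
    return hits


def zero_byte_targets(root):
    """List files under root with a targeted extension and a size of zero,
    the damage pattern the advisory describes. Returns POSIX-style relative paths."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in TARGET_EXTENSIONS and p.stat().st_size == 0
    )


def demo_zero_byte_scan():
    """Build a constructed directory tree and run zero_byte_targets over it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "budget.xls").write_bytes(b"")   # truncated: flagged
        (root / "docs" / "memo.doc").write_bytes(b"intact")  # not zero-byte
        (root / "main.c").write_bytes(b"")                  # truncated: flagged
        (root / "notes.txt").write_bytes(b"")               # extension not targeted
        return zero_byte_targets(root)


if __name__ == "__main__":
    print("run= hits:", suspicious_win_ini_run_entries(SAMPLE_WIN_INI))
    print("zero-byte targets:", demo_zero_byte_scan())
```

A zero-byte .doc or .xls on its own is not proof of infection (empty files are created legitimately), so the third check is a damage-assessment aid to be read alongside the run= and mail indicators, not a detection by itself. The run= parser splits on spaces and commas, which matches the short file names of the era but would mis-split a modern path containing spaces.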
Consequences:
File Manipulation
References:
- CERT Advisory CA-1999-06, ExploreZip Trojan Horse Program at http://www.cert.org/advisories/CA-1999-06.html.
- CIAC Information Bulletin J-047, The ExploreZip Worm at http://www.ciac.org/ciac/bulletins/j-047.shtml.
- National Infrastructure Protection Center Advisory 99-013, Explorer Zip Worm at http://www.nipc.gov/warnings/advisories/1999/99-013.htm.
- Trend Micro Security Alert, TROJ_EXPLOREZIP at http://www.antivirus.com/vinfo/security/sa061099.htm.
Reported:
Jun 11, 1999
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net
