Warning put out by Network Associates (NAI).

Name
W32/ExploreZip.worm.pak

Aliases
I-Worm.ZippedFiles, MiniZip, W32/ExploreZip.worm.pak, Worm.ExploreZip(pack)

Variants
None

Date Added
11/24/99

Information
 Discovery Date:11/24/99
 Type:Virus
 SubType:Win32
 Risk Assessment:High Risk-Outbreak
 Minimum DAT:4054
 Minimum Engine:4.0.25

Characteristics
This is a 32-bit worm that spreads by sending email messages. On execution it drops the file EXPLORE.EXE and adds a run= entry either to WIN.INI (Windows 9x) or to the registry (Windows NT) so that it is loaded at startup.

Information:
This worm attempts to invoke MAPI-aware email applications such as MS Outlook, MS Outlook Express and MS Exchange. It replies to messages received by the infected user with an email message having the following body:

"I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. "

The subject line is not constant, as the message is a reply to a message sent to the infected user. The worm is attached as "zipped_files.exe", with a file size of 120,495 bytes (compressed). The file carries a WinZip icon, designed to fool unsuspecting users into running it as a self-extracting archive. Users who run this attachment are presented with a fake error message that says:

"Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help."
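The characteristics above (a reply whose body is the canned sentence, carrying an executable named zipped_files.exe of 120,495 bytes that pretends to be an archive) are what a mail gateway filter would key on. The following Python is an added example, not NAI code or a tool from this advisory: it parses a message with the standard library email package and reports each indicator that matches. The sample message it builds is constructed here with a stub MZ header; it is not the worm. The list of executable extensions is an assumption.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory text above
WORM_ATTACHMENT_NAME = "zipped_files.exe"
WORM_PACKED_SIZE = 120495
WORM_BODY_MARKER = "take a look at the attached zipped docs"
# Assumption: common Win32 executable extensions a gateway would treat as code
EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr", ".pif")


def scan_message(raw: bytes) -> list:
    """Return the reasons a message matches the worm's reply; empty list for a clean message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if WORM_BODY_MARKER in body.lower():
        reasons.append("body matches the worm's canned reply")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name == WORM_ATTACHMENT_NAME:
            reasons.append("attachment named zipped_files.exe")
        # The durable check: a file pushed as an "archive" that starts with a DOS/PE MZ header
        if name.endswith(EXECUTABLE_SUFFIXES) and data[:2] == b"MZ":
            reasons.append("attachment %s is a Win32 executable (MZ header)" % name)
        if len(data) == WORM_PACKED_SIZE:
            reasons.append("attachment size equals the known packed worm size")
    return reasons


def build_sample(malicious: bool = True) -> bytes:
    """Construct a sample message (built here for the example, not a captured worm message)."""
    m = EmailMessage()
    m["From"] = "infected-user@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = "Re: meeting notes"
    if malicious:
        m.set_content("I received your email and I shall send you a reply ASAP. "
                      "Till then, take a look at the attached zipped docs.")
        # Stub bytes with an MZ header standing in for the attachment; this is not worm code.
        stub_pe = b"MZ" + b"\x00" * 58 + b"PE\x00\x00" + b"\x00" * 64
        m.add_attachment(stub_pe, maintype="application", subtype="octet-stream",
                         filename=WORM_ATTACHMENT_NAME)
    else:
        m.set_content("Hi, here are the meeting notes as a PDF.")
        m.add_attachment(b"%PDF-1.4\n%stub\n", maintype="application", subtype="pdf",
                         filename="notes.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for reason in scan_message(build_sample()):
        print("FLAG:", reason)
    print("clean sample:", scan_message(build_sample(malicious=False)))
```

The file name and the exact packed size are the weakest indicators (a repacked variant changes both); the MZ-header check on an attachment that is sold to the user as an archive is the one that survives trivial changes.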

Payload Notice
This worm has a destructive payload. Immediately after execution it searches all local drives for files of the types .c, .cpp, .h, .asm, .doc, .xls and .ppt. Each file found is opened for write and immediately closed, leaving it with a zero byte count. Approximately 30 minutes after infection this process is repeated.

This worm also locates network systems which are NOT mapped as drives, using functions from MPR.DLL (the API behind Network Neighborhood). On those systems the remote WIN.INI is modified with a run= statement to load a file called _SETUP.EXE from the Windows path, and _SETUP.EXE is copied into that Windows path. Such systems become infected when they are restarted. The worm tries such systems only once, whereas systems reachable as mapped drives are constantly re-attacked. Secondly, a machine infected via another share will switch between _SETUP.EXE and EXPLORE.EXE as the running copy on each reboot.

***** These files with zero bytes are unrecoverable! *****
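Because the payload truncates every matching file in one sweep (and again about 30 minutes later), the damage shows up on a disk as a burst of zero-byte source and Office files with near-identical modification times, which is how an investigator tells worm damage from a file that was always empty. The following Python triage script is an added example, not a NAI tool: it walks a tree, collects zero-byte files with the extensions listed above, and clusters them by mtime. The sample tree it scans is constructed in a temporary directory; the 120-second clustering window is an assumption.

```python
import os
import tempfile
import time
from pathlib import Path

# File types the advisory says the worm truncates to zero bytes
TARGET_EXTS = {".c", ".cpp", ".h", ".asm", ".doc", ".xls", ".ppt"}


def find_truncated(root: str, window_seconds: int = 120) -> list:
    """Walk root and return zero-byte files with targeted extensions, clustered by mtime.

    Each cluster is {"first": mtime, "last": mtime, "files": [...]}; files whose mtimes lie
    within window_seconds of the previous hit join the same cluster. A worm sweep shows up as
    one large cluster; an isolated, legitimately empty file stays on its own.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in TARGET_EXTS:
                continue
            try:
                st = path.stat()
            except OSError:
                continue  # unreadable or vanished; skip it rather than abort the sweep
            if st.st_size == 0:
                hits.append((int(st.st_mtime), str(path)))
    hits.sort()
    clusters = []
    for mtime, path in hits:
        if clusters and mtime - clusters[-1]["last"] <= window_seconds:
            clusters[-1]["files"].append(path)
            clusters[-1]["last"] = mtime
        else:
            clusters.append({"first": mtime, "last": mtime, "files": [path]})
    return clusters


def demo() -> list:
    """Build a constructed sample tree in a temp dir (not real victim data) and scan it."""
    root = tempfile.mkdtemp(prefix="ezip_triage_")
    sweep = int(time.time()) - 3600  # pretend the worm swept one hour ago
    sample = {
        "src/main.c":      (b"",         sweep),
        "src/util.h":      (b"",         sweep + 2),
        "docs/plan.doc":   (b"",         sweep + 5),
        "src/old_empty.h": (b"",         sweep - 86400),  # legitimately empty, a day earlier
        "notes.txt":       (b"",         sweep),          # not a targeted extension
        "src/ok.cpp":      (b"int x;\n", sweep),          # non-empty, untouched
    }
    for rel, (data, mtime) in sample.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.utime(p, (mtime, mtime))
    return find_truncated(root)


if __name__ == "__main__":
    for c in demo():
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(c["first"]))
        print(stamp, len(c["files"]), "zero-byte target files")
```

Run it against the root of each local drive on an affected machine; the large cluster gives the time of the sweep, which in turn bounds when the attachment was opened. Nothing here recovers the files: as the advisory says, the truncated files are gone and must come from backups.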

Symptoms
Existence of any of the three file names mentioned above (note that EXPLORER.EXE is a valid system file; do not confuse it with EXPLORE.EXE). The worm process running as described above, and files being corrupted or deleted as described above.

Method Of Infection/Installation
Not Available...

EXTRA Drivers
VirusScan 4 with the 4.0.25 engine (and above)
Dr. Solomon's AVTK 7.99 and above

Removal Instructions
Use the required DAT referenced above to detect this virus in the executable on the local system, and in email attachments using the applicable products. If an EXTRA.DAT is used, be sure to stop the running scanning service and then restart it so that the engine applies the DAT file.

A tool is available from AVERT Tools web page named "killezip.exe". This tool will handle terminating the service as well as locating the copies of the worm, removing the registry entries and removing the entry from the WIN.INI file. Alternatively, manual removal is possible using the instructions below.

Terminating the worm process running on the local machine is the first thing that should be done. After the process is terminated, delete the files which are part of the worm as listed above. If you are unable to terminate the process from the task list (CTRL-ALT-DEL), use the steps below to manually edit your configuration file on Windows 9x systems.

Windows 95/98
1. Run the System Configuration Editor: select Start > Run from your desktop and run SYSEDIT.EXE.
2. Select the C:\WINDOWS\WIN.INI window.
3. In the run= line, remove any entry that matches either of these:
   run=C:\WINDOWS\SYSTEM\EXPLORE.EXE
   run=C:\WINDOWS\_SETUP.EXE
4. Select File > Save, then Exit.
5. Select the Start menu and Shutdown.
6. Choose "Restart the computer in MS-DOS mode" and click Yes. (This action purges EXPLORE.EXE from system memory.)
7. Once your PC is in DOS, type EXIT to return to Windows. (This action reloads Windows without EXPLORE.EXE in memory.)
8. In Windows, remove the file EXPLORE.EXE from your system:
9. Click Start > Find > Files or Folders.
10. In the Find: All Files dialog box, type EXPLORE.EXE in the Named field.
11. Click Find Now.
12. Delete EXPLORE.EXE.
13. Repeat steps 9 through 12 for both _SETUP.EXE and ZIPPED_FILES.EXE.

WinNT

In Windows NT, this worm runs as a process under one of the following names in the Task Manager: "explore", "zipped_f" or "_setup". You may experience high CPU utilization while the process is running. End the processes whose names match, noting that "explorer" is the default Windows shell and is a valid task!

1. Run the Windows NT Registry Editor: click Start > Run and enter REGEDIT (not REGEDT32).
2. Locate the key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows.
3. Select the value named "run" and remove the entry C:\WINNT\System32\Explore.exe from it (delete the value with the Delete key if it holds nothing else).
4. Edit WIN.INI and remove either of these lines if they exist:
   run=c:\winnt\system32\explore.exe
   run=c:\winnt\_setup.exe
5. Restart Windows NT: click Start > Shutdown, select Restart and click OK. (Your system will now reboot.)
6. Remove the file EXPLORE.EXE from your system:
7. Click Start > Find > Files or Folders.
8. In the Find: All Files dialog box, type EXPLORE.EXE in the Named field.
9. Click Find Now and delete EXPLORE.EXE.
10. Repeat steps 6 through 9 for _SETUP.EXE and ZIPPED_FILES.EXE.
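The two manual procedures above come down to the same three checks: the process name (EXPLORE / _SETUP / ZIPPED_F but never EXPLORER), the run= line of WIN.INI, and on NT the "run" value under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows. The following Python is an added example of those checks, not the AVERT killezip.exe tool and not NAI code. It strips only the worm's entries from run=/load= in the [windows] section of a WIN.INI and leaves any legitimate programs on the same line in place (a careless "delete the run line" would remove them too). Treating load= the same way as run= is an assumption, since the advisory mentions only run=; the sample WIN.INI is constructed here, and the registry read only runs on Windows.

```python
import re
import sys
from pathlib import PureWindowsPath

# Image names the advisory lists for the worm. EXPLORER.EXE is the legitimate shell and must not match.
WORM_IMAGES = {"explore.exe", "_setup.exe", "zipped_files.exe"}
# Task Manager names from the advisory; "zipped_f" is the 8-character form NT shows
WORM_PROCESS_NAMES = {"explore", "_setup", "zipped_f", "zipped_files"}
NT_RUN_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"


def is_worm_process(image_name: str) -> bool:
    """True for a Task Manager image name that matches the worm, never for explorer."""
    return PureWindowsPath(image_name).stem.lower() in WORM_PROCESS_NAMES


def is_worm_entry(entry: str) -> bool:
    """True if a run=/load= entry (bare name or full path) is one of the worm's images."""
    return PureWindowsPath(entry).name.lower() in WORM_IMAGES


def split_entries(value: str) -> list:
    # run= and load= accept several programs separated by spaces or commas
    return [e for e in re.split(r"[\s,]+", value.strip()) if e]


def clean_win_ini(text: str):
    """Return (cleaned text, removed entries). Only run=/load= inside [windows] are touched."""
    out, removed, section = [], [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
            out.append(line)
            continue
        m = re.match(r"^\s*(run|load)\s*=(.*)$", line, re.IGNORECASE)
        if section == "windows" and m:
            key, keep = m.group(1), []
            for e in split_entries(m.group(2)):
                (removed if is_worm_entry(e) else keep).append(e)
            out.append("%s=%s" % (key, " ".join(keep)))  # legitimate entries survive
            continue
        out.append(line)
    cleaned = "\n".join(out) + ("\n" if text.endswith("\n") else "")
    return cleaned, removed


def nt_run_value():
    """Read the per-user "run" value the worm sets on NT (None when not running on Windows)."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, NT_RUN_KEY) as key:
            value, _type = winreg.QueryValueEx(key, "run")
            return value
    except OSError:
        return ""


# Constructed sample WIN.INI: one legitimate run= program alongside the worm's entry.
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\PROGRA~1\SYNCAPP\SYNC.EXE C:\WINDOWS\SYSTEM\EXPLORE.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    cleaned, removed = clean_win_ini(SAMPLE_WIN_INI)
    print("removed:", removed)
    print(cleaned)
    print("NT run value:", nt_run_value())
```

The same split-and-filter logic applies to the NT registry value, since that value holds a space-separated program list just like the WIN.INI line; remove only the worm's path from it, and write the value back (or delete it) only after the worm process has been ended, otherwise the running copy may restore the entry.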
