Security Information  Week 23, 1999

A new, malicious worm is reported in the wild. So far reports have come from France, Germany, Israel, Czechia and the US.

The worm - ExploreZip - 210432 bytes - uses techniques similar to those first used by the Melissa macro virus. Unlike Melissa, however, this worm has a destructive payload.

ExploreZip propagates as an attachment to e-mails on computers using Microsoft Outlook as their mail client. The e-mail appears to come from a person the recipient has exchanged mail with before. The text is:

Hi 'recipient name'!

I received your email and I shall send you a reply ASAP.

Till then, take a look at the attached zipped docs.

bye (or sincerely) 'sender name'

Attached to the e-mail is the file zipped_files.exe which is the worm. When the attachment is executed the worm does the following:

  • It sends the e-mail described above to the e-mail addresses of messages in your in-box that have not been replied to, attaching itself to each of these mails.
  • It searches through local and network drives and copies itself to the Windows system directory of any Windows installation it finds (default is WINDOWS\SYSTEM). It copies itself under the name EXPLORE.EXE - sometimes also _SETUP.EXE.
  • On Windows 95/98 systems it then modifies the WIN.INI file by inserting the command to run EXPLORE.EXE on the RUN= line, so the worm is started each time Windows starts. On Windows NT it also creates the registry keys

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run = Explore.exe
    or
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run = _setup.exe

  • The worm also has a very destructive payload. Every time it is executed it searches your disk drives from C to Z and destroys files with the extensions .h, .c, .cpp, .asm, .doc, .xls and .ppt by truncating them to zero bytes. Thus a lot of Microsoft Office documents and source code for assembler and C programs will be lost.

The following operating systems are vulnerable:

  • Windows 95/98
  • Windows NT

Norman's virus definition files dated 10 June 1999 or later detect the worm. It is highly recommended that users install these as soon as possible.

Removal

Windows 95/98

You have to edit the WIN.INI file manually and remove the reference to EXPLORE.EXE or _SETUP.EXE from the RUN= line. WIN.INI is located in the Windows directory. Then delete EXPLORE.EXE or _SETUP.EXE from Windows' system directory.

Windows NT

Remove the above-mentioned registry key(s) and proceed with the same actions as described above for Windows 95/98.
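The following Python script is an added illustration of the defender-side checks that the behaviour description and the removal steps above imply; it is not part of Norman's advisory and not a Norman tool. It finds worm entries on WIN.INI's RUN= line and strips them while keeping other programs on that line, locates dropped EXPLORE.EXE / _SETUP.EXE copies under a Windows installation, and inventories zero-byte files with the extensions the payload targets so the damage can be assessed from backups. The WIN.INI contents and the directory tree are constructed sample data. Reading the NT registry value needs winreg on Windows and is assumed rather than shown; the same entry check applies to its data.

```python
import os
import tempfile
from pathlib import Path, PureWindowsPath
from typing import List, Tuple

# Names the advisory gives for the worm's dropped copy.
WORM_NAMES = {"explore.exe", "_setup.exe"}
# Extensions the advisory says the payload truncates to zero bytes.
TARGET_EXTS = {".h", ".c", ".cpp", ".asm", ".doc", ".xls", ".ppt"}

# Constructed WIN.INI sample: one worm entry plus a legitimate program on RUN=.
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=\n"
    "run=C:\\WINDOWS\\SYSTEM\\EXPLORE.EXE C:\\TOOLS\\MONITOR.EXE\n"
    "NullPort=None\n"
    "[Desktop]\n"
    "Wallpaper=(None)\n"
)


def _is_worm_entry(entry: str) -> bool:
    """True if a RUN= entry (or NT Run value token) names the worm's dropped copy."""
    # PureWindowsPath parses backslash paths correctly on any host OS.
    return PureWindowsPath(entry.strip('"')).name.lower() in WORM_NAMES


def find_worm_run_entries(win_ini_text: str) -> List[str]:
    """Return the entries on the [windows] RUN= line that point at the worm."""
    hits, in_windows = [], False
    for line in win_ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_windows = stripped.lower() == "[windows]"
        elif in_windows and stripped.lower().startswith("run="):
            # RUN= entries are space separated.
            hits.extend(e for e in stripped[4:].split() if _is_worm_entry(e))
    return hits


def clean_run_line(win_ini_text: str) -> str:
    """Return WIN.INI text with worm entries removed from RUN=, other entries kept."""
    out, in_windows = [], False
    for line in win_ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_windows = stripped.lower() == "[windows]"
        elif in_windows and stripped.lower().startswith("run="):
            kept = [e for e in stripped[4:].split() if not _is_worm_entry(e)]
            line = "run=" + " ".join(kept)
        out.append(line)
    return "\n".join(out) + "\n"


def find_dropped_copies(root: str) -> List[str]:
    """List files under root named like the worm's dropped copy."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in WORM_NAMES:
                found.append(str(Path(dirpath) / name))
    return sorted(found)


def find_truncated_files(root: str) -> List[str]:
    """List zero-byte files under root with an extension the payload targets."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in TARGET_EXTS and p.stat().st_size == 0:
                found.append(str(p))
    return sorted(found)


def build_sample_tree(root: str) -> None:
    """Create a constructed layout resembling an infected machine (sample data only)."""
    sysdir = Path(root) / "WINDOWS" / "SYSTEM"
    sysdir.mkdir(parents=True)
    (sysdir / "EXPLORE.EXE").write_bytes(b"MZ-constructed-sample")
    docs = Path(root) / "docs"
    docs.mkdir()
    (docs / "report.doc").write_bytes(b"")        # truncated by the payload
    (docs / "main.c").write_bytes(b"")            # truncated by the payload
    (docs / "notes.txt").write_bytes(b"")         # empty, but not a targeted extension
    (docs / "budget.xls").write_bytes(b"intact")  # targeted extension, still has content


def run_demo() -> Tuple[List[str], List[str]]:
    """Scan a throwaway sample tree; returns (dropped copies, damaged files) relative to root."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        rel = lambda p: Path(p).relative_to(root).as_posix()
        dropped = sorted(rel(p) for p in find_dropped_copies(root))
        damaged = sorted(rel(p) for p in find_truncated_files(root))
    return dropped, damaged


if __name__ == "__main__":
    print("worm RUN= entries:", find_worm_run_entries(SAMPLE_WIN_INI))
    print(clean_run_line(SAMPLE_WIN_INI))
    print("dropped copies, damaged files:", run_demo())
```

Run the scan against a mounted drive or a backup image rather than a live infected system; the inventory of zero-byte files tells you which documents and sources have to be restored, since the payload leaves nothing to recover in the file itself.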

Per Olav Førland