Proactive IT Security
 

The worm ExploreZip is in the wild

[Malware discussion, Spreading mechanisms]

Security Information  Week 23, 1999

A new, malicious worm is reported in the wild. So far reports has come from France, Germany, Israel, Czechia and the US.

The worm - ExploreZip - 210432 bytes - uses similar techniques like those first used with the Melissa macro virus. Unlike Melissa, however, this worm has a destructive payload.

ExploreZip propagates as an attachment to e-mails on computers using Microsoft Outlook as mail client. The e-mail body seems to come from a person which the recipient has mailed with before. The text is:

Hi 'recipient name'!

I received your email and I shall send you a reply ASAP.

Till then, take a look at the attached zipped docs.

bye (or sincerely) 'sender name'

Attached to the e-mail is the file zipped_files.exe which is the worm. When the attachment is executed the worm does the following:

  • It sends the e-mail described above to e-mail addresses in your mail in-box  with mail  not replied to. It attach itself to these mails.
  • It searches through local and network drives and copies itself to the Windows system directory of any Windows installation it finds (default is WINDOWS\SYSTEM. It copies itself with the name EXPLORE.EXE - sometimes also _SETUP.EXE.
  • On Windows 95/98 systems it then modifies the WIN.INI file by inserting the command to run EXPLORE.EXE in the RUN command each time Windows is started. On Windows NT it also creates the registry keys

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\     CurrentVersion\Windows\Run = Explore.exe or HKEY_CURRENT_USER\Software\Microsoft\Windows NT\     CurrentVersion\Windows\Run = _setup.exe

  • The worm also has a very destructive payload. Every time it is executed it searches your disk drives from C to Z and destroys files with extensions .h, .c, .cpp, .asm, .doc, .xls, and .ppt by making them of zero bytes length. Thus a lot of Microsoft Office documents and source code for assembler and C programs will be lost.

The following operating systems are vulnerable:

  • Windows 95/98
  • Windows NT

Norman's virus definition files dated 10 June 1999 or later detects the virus. It is highly recommended that users install these as soon as possible.

Removal

Windows 95/98

You manually have to edit the WIN.INI file and remove the reference to EXPLORE.EXE or _SETUP.EXE on the RUN= line. WIN.INI is located in the Windows directory. Then you have to delete the EXPLORE.EXE or _SETUP.EXE in Windows' system directory.

Windows NT

Remove the above-mentioned registry key(s) and proceed with the same actions as described above for Windows 95/98.

Per Olav Førland