Win32:ExploreZIP
This worm was discovered in the wild in June 1999. It e-mails itself as an attachment named "ZIPPED_FILES.EXE", 210432 bytes long. The subject of the message is not constant: the message is sent as a reply to a mail the infected user had previously received. The text of the message reads:
Hi
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
bye
When the attachment is executed, it may display an error window complaining about an invalid ZIP archive. The worm then copies itself to the Windows system directory under the name EXPLORE.EXE and adds one line to the WIN.INI file (Windows 9x) or one value to the registry (Windows NT) so that it is started every time Windows starts. To spread, the worm collects e-mail addresses via MAPI through MS Outlook and mails itself to them. It also searches reachable shared drives for Windows installations, copies itself there and modifies the WIN.INI it finds there. A user can therefore be infected without ever executing the attachment if someone else who has full access rights to that user's disk runs the worm.
This worm carries a destructive payload: it searches all drives, including network and shared drives to which it has write access, for files with the extensions .C, .CPP, .H, .ASM, .DOC, .XLS and .PPT and destroys them by truncating them to zero bytes. The original contents cannot be recovered from the truncated files; only a backup can restore them.
To remove Win32:ExploreZIP under Windows 9x, delete the file EXPLORE.EXE in the Windows system directory and remove the following line from the WIN.INI file before restarting:
run=C:\WINDOWS\SYSTEM\Explore.exe
To remove it under Windows NT, first end the process named "explore" in the Windows NT Task Manager (the file cannot be deleted while the worm is running; do not confuse it with EXPLORER.EXE, the Windows shell). Then run REGEDIT, open the key [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows] and delete the following value before restarting:
"run"="C:\WINNT\System32\Explore.exe"
Then delete the EXPLORE.EXE file in the Windows NT system directory.
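The following Python script is added here as an example and is not part of the original avast! description. It checks an offline copy of a disk (or a mounted image) for the indicators listed above: the run= line in WIN.INI, the run value under the registry key named above (read from a REGEDIT4 .reg export), an EXPLORE.EXE of the worm's size in the system directory, and zero-byte files with the targeted extensions left behind by the payload. The WIN.INI text, the .reg text and the temporary directory layout are constructed for the demo, and all function names are assumptions.

```python
"""Triage checks for the Win32:ExploreZIP indicators described above.

Constructed example, not code from the original advisory. It parses
WIN.INI / REGEDIT4 text and walks a directory tree, so it runs offline
on the embedded samples; point the functions at real files to use it on
an image of a suspect disk. Function names and samples are assumptions.
"""
import os
import re
import tempfile

# Indicators taken from the advisory text.
DROPPER_NAME = "explore.exe"
DROPPER_SIZE = 210432          # size of ZIPPED_FILES.EXE / EXPLORE.EXE
REG_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
VICTIM_EXTS = {".c", ".cpp", ".h", ".asm", ".doc", ".xls", ".ppt"}


def winini_run_hits(text):
    """Return run= entries in the [windows] section that launch the dropper."""
    hits, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "run" and DROPPER_NAME in value.lower():
                hits.append(value.strip())
    return hits


def reg_export_run_hits(text):
    """Return the 'run' value under REG_KEY from a REGEDIT4/5 .reg export."""
    hits, in_key = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == REG_KEY.lower()
            continue
        m = re.match(r'"run"\s*=\s*"(.*)"$', line, re.IGNORECASE)
        if in_key and m and DROPPER_NAME in m.group(1).lower():
            # .reg exports escape backslashes as \\; undo that for display.
            hits.append(m.group(1).replace("\\\\", "\\"))
    return hits


def dropper_present(system_dir):
    """True if an EXPLORE.EXE of the worm's size sits in system_dir."""
    path = os.path.join(system_dir, "EXPLORE.EXE")
    return os.path.isfile(path) and os.path.getsize(path) == DROPPER_SIZE


def truncated_victims(root):
    """Zero-byte files with a victim extension: the payload's signature."""
    found = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            if os.path.splitext(n)[1].lower() in VICTIM_EXTS and os.path.getsize(p) == 0:
                found.append(p)
    return sorted(found)


# Constructed samples (not captured from a real machine).
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\Explore.exe
[Desktop]
Wallpaper=(None)
"""

SAMPLE_REG = """REGEDIT4

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows]
"run"="C:\\\\WINNT\\\\System32\\\\Explore.exe"
"""


def demo():
    """Build a fake disk in a temp dir, run every check, return a summary."""
    root = tempfile.mkdtemp()
    sysdir = os.path.join(root, "WINNT", "System32")
    os.makedirs(sysdir)
    with open(os.path.join(sysdir, "EXPLORE.EXE"), "wb") as f:
        f.write(b"\0" * DROPPER_SIZE)                # placeholder of the right size
    src = os.path.join(root, "src")
    os.makedirs(src)
    open(os.path.join(src, "main.c"), "wb").close()     # truncated by the payload
    open(os.path.join(src, "notes.txt"), "wb").close()  # empty but not a target ext
    with open(os.path.join(src, "safe.h"), "wb") as f:
        f.write(b"#pragma once\n")                     # untouched source file
    return {
        "winini": winini_run_hits(SAMPLE_WIN_INI),
        "registry": reg_export_run_hits(SAMPLE_REG),
        "dropper": dropper_present(sysdir),
        "truncated": [os.path.relpath(p, src) for p in truncated_victims(src)],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A hit in any of the first three checks means the persistence described above is in place and the removal steps apply; the last check only measures damage already done, since truncated files must be restored from backup.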
Any avast! installation with a VPS file dated after 10 June 1999 detects this worm.