Worm.ExploreZip information from SARC

Aliases: W32.ExploreZip Worm
Infection Length: 210,432 bytes
Area of Infection: Windows System directory, Email Attachments
Likelihood: Common, Worldwide
Detected as of: June 6, 1999
Characteristics: Worm, Trojan Horse

Overview:

Worm.ExploreZip is a worm that contains a malicious payload. The worm utilizes Microsoft Outlook, Outlook Express or Exchange to mail itself out by replying to unread messages in your Inbox. The worm will also search the mapped drives and networked machines for Windows installations, copy itself to the Windows directory of the remote machine and modify the WIN.INI accordingly.

The payload of the worm will destroy any file with the extension .h, .c, .cpp, .asm, .doc, .ppt, or .xls on your hard drives, any mapped drives, and any network machines that are accessible, each time it is executed. This continues to occur until the worm is removed.

You may receive the worm as an attachment called zipped_files.exe. When run, this executable will copy itself to your Windows System directory with the filename Explore.exe or to your Windows directory with the filename _setup.exe. The worm modifies your WIN.INI or registry such that the file Explore.exe is executed each time you start Windows.

The worm was first discovered in Israel and submitted to the Symantec AntiVirus Research Center on June 6, 1999.

Technical Description:

Worm.ExploreZip utilizes MAPI commands and Microsoft Outlook/Microsoft Exchange on Windows 9x and NT systems to propagate itself. The worm e-mails itself out as an attachment with the filename zipped_files.exe in reply to unread messages it finds in your Inbox. Once it responds to a message in your Inbox, it will mark it so it will not respond to the message again. The e-mail message sent may appear to come from a known e-mail correspondent in response to a previously sent e-mail with the appropriate subject line, and contains the following text:

    Hi Recipient Name!
    I received your email and I shall send you a reply ASAP.
    Till then, take a look at the attached zipped docs.
    bye or sincerely
    Recipient Name

The worm will continue to monitor the Inbox for new messages and respond accordingly. The worm will also search the mapped drives and networked machines for Windows installations, copy itself to the Windows directory of the remote machine and modify the WIN.INI accordingly.

Once the attachment is executed, it may display the following window. The button displayed is the "OK" button and is dependent on the language of the infected operating system. The example above was taken from a Hebrew Windows system.

The worm also copies itself to the Windows System (System32 on Windows NT) directory with the filename Explore.exe or _setup.exe and also modifies the WIN.INI file (Windows 9x) or the registry (on Windows NT) so that the program is executed each time Windows is started. You may find this file under your Windows Temporary directory or your attachments directory as well, depending on the e-mail client you are using. E-mail clients will often temporarily store e-mail attachments in these directories under different temporary names.

Payload:

In addition, when Worm.ExploreZip is executed, it also searches through the C through Z drives of your computer system and accessible network machines for particular files. The worm selects a series of files to destroy of multiple file extensions (including .h, .c, .cpp, .asm, .doc, .xls, .ppt) by calling CreateFile() and making them 0 bytes long. One may notice extended hard drive activity when this occurs. This can result in non-recoverable data. This payload routine continues to happen while the worm is active on the system. Thus, any newly created files matching the extensions list will be destroyed as well.

Repair Notes:

Symantec AntiVirus Research Center has also provided a small utility called KILL_EZ to remove the virus from memory to avoid rebooting from a clean system disk. For more information on the KILL_EZ utility (Kill_EZ text below), refer to the following URL: http://www.sarc.com/avcenter/kill_ez.html

To remove this worm manually, one should perform the following steps:

1. Remove the line run=\Explore.exe or run=\_setup.exe from the WIN.INI file for Windows 9x systems. For Windows NT, remove the registry entry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run, which will refer to Explore.exe or _setup.exe.
2. Delete the file Explore.exe or _setup.exe. One may need to reboot first or kill the process using Task Manager or Process View (if the file is currently in use).

Norton AntiVirus users can protect themselves from this worm by downloading the current virus definitions either through LiveUpdate or from the following webpage: http://www.symantec.com/avcenter/download.html

Write-up by: Eric Chien
Written: June 6, 1999
Update: June 11, 1999

--------------------------------------------------------------

Kill-EZ Text

Information and Protection for Worm.ExploreZip worm / trojan horse: KILL_EZ.EXE Tool

Introduction:

The KILL_EZ.EXE tool is designed to remove an active Worm.ExploreZip infection from a Windows 95, Windows 98 or Windows NT computer. This tool will perform the following tasks:

1. It will verify that the system is infected by Worm.ExploreZip. If so, it will proceed with the following steps.
2. Under Windows NT, it will remove changes made to the Windows Registry by the worm. Specifically, it will delete the registry value: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
3. Under Windows 95, it will remove changes made to the WIN.INI file, found in the Windows directory. Specifically, it will delete the line run=\Explore.exe
4. The tool will then completely remove the Worm.ExploreZip program from memory.
5. The tool will then delete the Explore.exe file from the Windows system directory. Under Windows 95 or Windows 98, it will delete C:\WINDOWS\SYSTEM\Explore.exe (the tool will locate the proper Windows directory if yours is named differently). Under Windows NT, it will delete C:\WINDOWS\SYSTEM32\Explore.exe (the tool will locate the proper Windows directory if yours is named differently).
6. Finally, the tool will delete the _Setup.exe file from the Windows directory. Under Windows 95 or Windows 98, it will delete C:\WINDOWS\_Setup.exe (the tool will locate the proper Windows directory if yours is named differently). Under Windows NT, it will delete C:\WINDOWS\_Setup.exe (the tool will locate the proper Windows directory if yours is named differently).

Usage:

To use the KILL_EZ tool, use any *one* of the following methods:

1. Double click on the file from your desktop or Explorer.
2. Run KILL_EZ.EXE from a DOS box.
3. Use the "Run" command from the Windows Start menu.
4. Place the KILL_EZ.EXE in a standard login script.

The KILL_EZ.EXE program requires no command line arguments. It will display one of several different messages upon completion:

    "This system has not been infected by Worm.ExploreZip"

This message will be displayed if the tool does not detect the presence of Worm.ExploreZip. There is no harm in doing this and the program will exit normally after displaying this message.

    "All Worm.ExploreZip registry modifications have been removed."

This message is displayed if the tool successfully removed the registry modification in a Windows NT system.

    "Unable to delete the registry key. Please make sure to run this tool from an administrator account."

This message is displayed if the tool failed to remove the registry modification in a Windows NT system. The tool can only remove the registry key if run by a user with administrator rights.

    "All Worm.ExploreZip WIN.INI modifications have been removed."

This message is displayed if the tool successfully removed the INI file modification in a Windows 9x system.

    "Unable to fix the WIN.INI file. You must remove the line manually from the file."

This message is displayed if the tool failed to remove the INI file modification in a Windows 9x system. The file being opened by some editor may cause this.

    "ExploreZip process terminated succesfully. Please wait...
    Deleted ExploreZip file: file_name
    Your system has now been completely cleaned!"

This message is displayed if the tool successfully removed the worm from the system memory and deleted the worm file.

    "Unable to remove Worm.ExploreZip from memory. You will have to reboot the machine and then manually delete the following file: file_name"

This message is displayed if the tool failed to remove the worm footprint in the memory.

    "Unable to delete ExploreZip file: file_name
    You will need to restart your system and then manually delete this file."

This message is displayed if the tool failed to delete the worm file.

Troubleshooting:

The tool returns the following error codes:

    0 if the system is not infected with Worm.ExploreZip
    1 if the system is infected, and the worm has been removed.
    2 if the system is infected, and the worm can not be removed.

If you have any problem with this tool, please contact Symantec technical support for more details. You can also find detailed information on how to manually remove the file, registry entry, or INI setting in the Worm.ExploreZip info page. (venc/data/worm.explore.zip.html)

----------------------------------------------------------------------

Virus Name: W32/ExploreZip.worm
Date Added: 6/10/99

Virus Characteristics:

Drops the file explore.exe, modifies WIN.INI with run=c:\windows\system\explore.exe

Indications Of Infection:

This worm attempts to invoke the MAPI aware email applications MS Outlook, MS Outlook Express or MS Exchange. It creates a new message addressed to recipients in the address book with the message:

    I received your email and I shall send you a reply ASAP.
    Till then, take a look at the attached zipped docs.

A file (the worm) named "zipped_files.exe" is attached. Users who run this attachment will be presented with a fake error message:

    "Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help."

This worm searches the local hard drive for the following file types, and when found will delete them: .c, .cpp, .asm, .doc, .xls, .ppt

Method Of Infection: Not Known
Variants: Not Known
Aliases: Not Known

Virus Information:

Discovery Date: 6/9/99
Origin: Israel
Length: Not Known
Type: Win32
Prevalence: High Risk
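The following Python script is an added, defender-side example; it is not code from SARC, from the KILL_EZ tool, or from either write-up above. It implements the two checks the Repair Notes and the Payload section imply: it scans WIN.INI text for a run= entry that names Explore.exe or _setup.exe (the Windows 9x persistence described in the manual removal steps), reads the HKEY_CURRENT_USER "Run" value named for Windows NT when it happens to run on Windows, and walks a directory tree listing 0-byte files whose extension is on the payload list, which is the symptom the page says the CreateFile() truncation leaves behind. It assumes the run= line lives in the [windows] section of WIN.INI (standard WIN.INI layout, not stated on the page). The sample WIN.INI contents and the directory tree it builds are constructed here for demonstration; the function names are this example's own.

```python
"""Defensive checks for the Worm.ExploreZip indicators in the write-up above
(added example, not SARC or KILL_EZ code): the WIN.INI run= persistence line,
the Windows NT per-user 'Run' registry value, and 0-byte payload victims."""
import os
import re
import sys
import tempfile
from pathlib import Path

# Extensions the write-up says the payload truncates to zero length.
PAYLOAD_EXTENSIONS = {".h", ".c", ".cpp", ".asm", ".doc", ".ppt", ".xls"}
# File names the write-up says the worm installs itself under.
WORM_FILENAMES = {"explore.exe", "_setup.exe"}

# Constructed sample WIN.INI contents (not copied from a real machine).
SAMPLE_WIN_INI = "[windows]\nload=\nrun=\\Explore.exe\nNullPort=None\n[Desktop]\nWallpaper=(None)\n"
CLEAN_WIN_INI = "[windows]\nload=\nrun=\n[Desktop]\nWallpaper=(None)\n"

_RUN_LINE = re.compile(r"^\s*run\s*=\s*(.*?)\s*$", re.IGNORECASE)


def find_suspicious_run_entries(win_ini_text):
    """Return every program named on a run= line of the [windows] section
    whose file name is one of the worm's (Explore.exe / _setup.exe).
    A run= line may list several programs separated by commas or spaces."""
    hits = []
    section = None
    for line in win_ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
            continue
        if section != "windows":
            continue
        m = _RUN_LINE.match(line)
        if not m:
            continue
        for entry in re.split(r"[,\s]+", m.group(1)):
            if not entry:
                continue
            name = os.path.basename(entry.replace("\\", "/")).lower()
            if name in WORM_FILENAMES:
                hits.append(entry)
    return hits


def read_nt_run_value():
    """On Windows, return the data of the 'Run' value under
    HKEY_CURRENT_USER, Software, Microsoft, Windows NT, CurrentVersion, Windows
    (the entry the write-up names for Windows NT); None if absent or not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                            r"Software\Microsoft\Windows NT\CurrentVersion\Windows") as key:
            value, _type = winreg.QueryValueEx(key, "Run")
            return value
    except OSError:
        return None


def find_truncated_files(root):
    """Walk root and return sorted, root-relative, POSIX-style paths of 0-byte
    files with a payload extension. A 0-byte .h or .doc is a lead, not proof:
    a legitimately empty header looks identical, so compare hits with backups."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in PAYLOAD_EXTENSIONS:
                continue
            try:
                if p.stat().st_size == 0:
                    hits.append(p.relative_to(root).as_posix())
            except OSError:
                continue  # unreadable entry: skip it rather than abort the sweep
    return sorted(hits)


def build_sample_tree():
    """Create a constructed directory mimicking the payload's aftermath and
    return its path: two truncated targets, one intact header, and one empty
    file whose extension the worm does not touch."""
    root = Path(tempfile.mkdtemp(prefix="explorezip_demo_"))
    (root / "src").mkdir()
    (root / "src" / "main.c").write_bytes(b"")               # truncated target
    (root / "Budget.XLS").write_bytes(b"")                    # truncated target, upper-case extension
    (root / "src" / "util.h").write_bytes(b"#define X 1\n")  # intact
    (root / "notes.txt").write_bytes(b"")                     # empty, but not a target extension
    return str(root)


if __name__ == "__main__":
    print("WIN.INI run= entries naming the worm:", find_suspicious_run_entries(SAMPLE_WIN_INI))
    print("NT per-user Run value:", read_nt_run_value())
    demo_root = build_sample_tree()
    print("0-byte payload-extension files under", demo_root, ":", find_truncated_files(demo_root))
```

To use it against a real system, pass the contents of the machine's WIN.INI to find_suspicious_run_entries and a drive root or share to find_truncated_files; the script only reports and never deletes, since the page notes that the worm file is usually in use until the process is killed or the machine rebooted.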