What is ExploreZip.worm and what should I do?
June 22, 1999
A. A new virus was discovered on 10/06/1999 with the following text inas the body:
"I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs."
The subject line is not constant as the message is a reply. The worm (named"zipped_files.exe") is attached, with a file size of 210,432 bytes.The file has a Winzip icon which is designed to fool unsuspecting users to runit as a self-extracting file. User who run this attachment will be presentedwith a fake error message that says
"Cannot open file: it does not appear to be a valid archive. If this fileis part of a ZIP format backup set, insert the last disk of the backup set andtry again. Please press F1 for help."
The virus then searches for the following files and replaces them with 0 blockfiles:
.c
.cpp
.h
.asm
.doc
.xls
.ppt
Check you anti-virus software sites for a fix, http://www.nai.comhas one. To manually repair:
Remove the line run=C:WINDOWSSYSTEMExplore.exe from the WIN.INI file
Edit the registry (using regedit.exe or regedt32.exe) and check the value HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindowsrun does not call explore.exe. If it does clear the value.
Delete the file "C:WINDOWSSYSTEMEXPLORE.EXE". You may need to reboot first,
if the file is currently in use (or stop the process using task manager).
I've had first hand experienceand it is VERY nasty. There are two variants are named TROJ_EXPLORE.ZIP and I-Worm.ZippedFiles.
About the Author
You May Also Like