This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
This is a 32bit Worm that travels by sending email messages to users. It drops the file explore.exe and modifies either the WIN.INI (Windows 9x/ME) or modifies the registry (Windows NT/2K/XP).
This worm attempts to invoke the MAPI aware email applications as in MS Outlook, MS Outlook Express and MS Exchange. This worm replies to messages received by sending an an email message with the following body:
"I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs. "
The subject line is not constant as the message is a reply to a message sent to the infected user. The worm (named "zipped_files.exe" as the attachment, with a file size of 210,432 bytes. The file has a Winzip icon which is designed to fool unsuspecting users to run it as a self-extracting file. User who run this attachment will be presented with a fake error message that says:
"Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help."
This worm has a payload. Immediately after execution it will search all local and network drives for the following files types .c, .cpp, .h, .asm, .doc, .xls, or .ppt. When found, they are opened for write and immediately closed leaving them with a zero byte count. Approximately 30 minutes after infection this process is repeated. Files that have been affected by this payload will need to be restored from backup. Repair is not possible.
This worm will locate system drives which are NOT mapped drives using functions from MPR.DLL and Network Neighborhood! On these systems, the WIN.INI is modified with a run statement to load a file called _SETUP.EXE from the Windows path, and the file _SETUP.EXE is copied to the Windows path. These systems will become infected when restarted. This worm will only try to infect such systems once, whereas systems which are mapped drives are constantly attempted to be re-infected. Secondly, a machine infected via another share will switch between _setup and explore per reboot.
Running the file will directly infect the local system by installing itself and running memory resident, then it will use browsing of the network to locate available shares.
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Alternatively, manual removal is possible using the instructions below.
Terminating the service running at the local machine is the first thing that should be done. After the process is terminated, delete the files which are part of the worm process as listed above. If you are unable to terminate the process using the task list (CTRL-ALT-DEL), use the steps below to manually edit your configuration file on Windows 9x systems.
1. Run the System Configuration Editor
2. Select the Start menu from your desktop and Run SYSEDIT.EXE
3. Select the C:\WINDOWS\WIN.INI window.
4. In the line run =, remove listings that match either of these
In Windows NT, this worm will run as a process by one of the following names - explore, zipped_f, zipped_files or _setup in WinNT Task Manager. You can experience high CPU utilization when the process is running. End process names which match, noting that explorer is the default Windows shell and is a valid task!
1. Run the WinNT Registry Editor - Click Start > Run > Open REGEDIT (not REGEDT32).
2. Locate the hive [HKEY_CURRENT_USER\Software\Microsoft\
3. Highlight the following key
and remove by pressing the Delete button.
4. Edit WIN.INI and remove either of these lines if they exist
5.Restart Windows NT - Click Start > Shutdown. Select Restart and click OK. (Your system will now reboot.)
6. Remove the file, EXPLORE.EXE, from your system
7. Click Start > Find > Files or Folders
8. In the Find: All Files dialog box, type EXPLORE.EXE in the (Named) field
9. Click Find Now - delete EXPLORE.EXE
10. Repeat Step 6 through 9 for _SETUP.EXE and ZIPPED_FILES.EXE.