W32/ExploreZip.worm@M

This page shows details and results of our analysis of the malware W32/ExploreZip.worm@M.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum Engine

5600.1067

File Length

210,432 bytes

Description Added

1999-09-07

Description Modified

2003-01-22

Malware Proliferation

Characteristics

-- Update January 8, 2003 --
A repackaged version of this worm was discovered in the wild. The file size of the executable is 91,048 bytes. Detection is included in the 4241 DAT release. This threat is considered Low-Profiled due to the About.com article "Variant of ExploreZip Discovered".

This is a 32-bit worm that spreads by sending email messages. It drops the file EXPLORE.EXE and, to load itself at startup, modifies either WIN.INI (Windows 9x/ME) or the registry (Windows NT/2K/XP).

This worm drives MAPI-aware email applications such as MS Outlook, MS Outlook Express and MS Exchange. It replies to messages received by the infected user, sending an email message with the following body:

"I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
"

The subject line is not constant, because each message is a reply to a message the infected user received. The worm is attached as "zipped_files.exe", 210,432 bytes in size. The file carries a WinZip icon, designed to fool unsuspecting users into running it as a self-extracting archive. Users who run the attachment are presented with a fake error message that says:

"Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help."

Payload Notice

This worm has a destructive payload. Immediately after execution it searches all local and network drives for files of the following types: .c, .cpp, .h, .asm, .doc, .xls and .ppt. Each file found is opened for writing and immediately closed, leaving it with a size of zero bytes. Approximately 30 minutes after infection the process is repeated. Files affected by this payload must be restored from backup; repair is not possible, because truncation discards the contents rather than hiding or encrypting them.

This worm also locates network systems that are NOT mapped as drive letters, using functions from MPR.DLL (the same network browsing that Network Neighborhood exposes). On such systems the file _SETUP.EXE is copied to the remote Windows directory and the remote WIN.INI is modified with a run= statement that loads _SETUP.EXE from the Windows path; these systems become infected when they are next restarted. The worm attempts to infect such systems only once, whereas systems reachable as mapped drives are constantly re-infected. Note that a machine infected via a share in this way alternates between running as _SETUP.EXE and as EXPLORE.EXE on successive reboots.

Symptoms

Existence of any of the three files named above: EXPLORE.EXE, _SETUP.EXE or ZIPPED_FILES.EXE (note that EXPLORER.EXE, the Windows shell, is a legitimate file; do not confuse the two names). A process running under one of those names, and files being truncated to zero bytes or deleted as described above.
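The two symptoms above (the zero-byte source and Office files left by the payload, and the presence of the worm's file names) can be checked with a short triage script. The following is an added example written for this page, not a McAfee tool; it builds a small throwaway directory tree that mimics a hit workstation (the tree and its file names are constructed for the demonstration) and scans it for both symptoms, taking care not to flag the legitimate EXPLORER.EXE.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Extensions the payload truncates to zero bytes (from the Payload Notice above).
TARGET_EXTS = {".c", ".cpp", ".h", ".asm", ".doc", ".xls", ".ppt"}

# File names the page associates with the worm. EXPLORER.EXE (the Windows shell)
# is deliberately absent so a clean system is not flagged.
WORM_FILENAMES = {"explore.exe", "_setup.exe", "zipped_files.exe"}


def scan_tree(root):
    """Walk `root` and return (truncated, dropped).

    truncated: zero-byte files whose extension is one the payload targets
    dropped:   files whose name matches one of the worm's file names
    Matching is case-insensitive, as on FAT/NTFS.
    """
    truncated, dropped = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() in WORM_FILENAMES:
                dropped.append(str(path))
            try:
                size = path.stat().st_size
            except OSError:
                continue  # unreadable entry; skip rather than abort the sweep
            if size == 0 and path.suffix.lower() in TARGET_EXTS:
                truncated.append(str(path))
    return sorted(truncated), sorted(dropped)


def build_sample_tree():
    """Construct a throwaway directory resembling an infected Windows 9x box."""
    root = Path(tempfile.mkdtemp(prefix="explorezip_demo_"))
    src = root / "src"
    src.mkdir()
    (src / "main.c").write_bytes(b"")                    # truncated by the payload
    (src / "util.h").write_bytes(b"")                    # truncated by the payload
    (src / "notes.txt").write_bytes(b"")                 # zero bytes, but not a targeted type
    (src / "intact.cpp").write_bytes(b"int main(void){return 0;}\n")
    (root / "report.DOC").write_bytes(b"")               # upper-case extension still matches
    win = root / "WINDOWS"
    (win / "SYSTEM").mkdir(parents=True)
    (win / "SYSTEM" / "EXPLORE.EXE").write_bytes(b"MZ")  # worm dropper
    (win / "_SETUP.EXE").write_bytes(b"MZ")              # worm dropper (share infection)
    (win / "EXPLORER.EXE").write_bytes(b"MZ")            # legitimate shell, must not be flagged
    return str(root)


def demo():
    """Build the constructed tree, scan it, and return the base names found."""
    root = build_sample_tree()
    try:
        truncated, dropped = scan_tree(root)
    finally:
        shutil.rmtree(root)
    return ({Path(p).name for p in truncated}, {Path(p).name for p in dropped})


if __name__ == "__main__":
    trunc, drop = demo()
    print("zero-byte targeted files:", sorted(trunc))
    print("worm file names present: ", sorted(drop))
```

On a real system point scan_tree at each drive root (including mapped network drives, since the payload walks those too). A zero-byte hit on a file that was legitimately empty is possible, so treat the list as candidates to compare against backups, not as proof on its own.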

Method of Infection

Running the file directly infects the local system: the worm installs itself and runs memory resident, then browses the network to locate available shares.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Alternatively, manual removal is possible using the instructions below.

The first step is to terminate the worm process running on the local machine. Once the process is terminated, delete the worm files listed above. If you are unable to terminate the process from the task list (CTRL-ALT-DEL), use the steps below to manually edit the configuration file on Windows 9x systems.

Windows 95/98/ME
1. Run the System Configuration Editor.
2. Select the Start menu on your desktop, choose Run, and enter SYSEDIT.EXE.
3. Select the C:\WINDOWS\WIN.INI window.
4. In the run= line, remove any entries that match either of these:

run=C:\WINDOWS\SYSTEM\EXPLORE.EXE
run=C:\WINDOWS\_SETUP.EXE
5. Select File > Save, then Exit.
6. Select the Start menu and choose Shut Down.
7. Choose "Restart the computer in MS-DOS mode" and click Yes. (This action purges EXPLORE.EXE from system memory.)
8. Once your PC is in DOS, type EXIT to return to Windows. (This action reloads Windows without EXPLORE.EXE in memory.)
9. In Windows, remove the file, EXPLORE.EXE, from your system
10. Click Start > Find > Files or Folders
11. In the Find: All Files dialog box, type EXPLORE.EXE in the Name field
12. Click Find Now
13. Delete EXPLORE.EXE
14. Repeat step 10 through 13 for both _SETUP.EXE and ZIPPED_FILES.EXE

Windows NT/2K/XP

In Windows NT, this worm runs as a process under one of the following names in Task Manager: explore, zipped_f, zipped_files or _setup. You may experience high CPU utilization while the process is running. End any process whose name matches, noting that explorer is the default Windows shell and a valid task!

1. Run the Registry Editor: click Start > Run and enter REGEDIT (not REGEDT32).
2. Locate the key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows.
3. Highlight the value named run, whose data is

C:\WINNT\System32\Explore.exe

and remove it by pressing the Delete key.
4. Edit WIN.INI and remove either of these lines if they exist:

run=c:\winnt\system32\explore.exe
run=c:\winnt\_setup.exe


5. Restart Windows NT: click Start > Shut Down, select Restart and click OK. (Your system will now reboot.)
6. Remove the file, EXPLORE.EXE, from your system
7. Click Start > Find > Files or Folders
8. In the Find: All Files dialog box, type EXPLORE.EXE in the (Named) field
9. Click Find Now - delete EXPLORE.EXE
10. Repeat Step 6 through 9 for _SETUP.EXE and ZIPPED_FILES.EXE.
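Both manual procedures above (step 4 of the Windows 95/98/ME procedure and steps 3 and 4 of the Windows NT/2K/XP procedure) come down to the same operation: inspect a run list, drop the entries that point at EXPLORE.EXE or _SETUP.EXE, and leave every other startup program alone. The following is an added example for this page, not part of the McAfee description, showing that operation over a constructed WIN.INI and over the string a registry run value would hold. WIN.INI's run= value is a space-separated list of programs, so each entry is examined on its own; the sample INI contents and the legitimate AGENT.EXE entry are invented for the demonstration, and writing the result back to disk or to the registry is left to the reader.

```python
import re

# Base names of the worm's startup entries, as given in the removal steps above.
WORM_RUN_ENTRIES = {"explore.exe", "_setup.exe"}


def split_run_entries(run_value):
    """Split a run list into (keep, removed) by the base name of each program.

    Works for the WIN.INI run= data and for the data of the run value under
    HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows, both of which
    hold space-separated program paths (no quoted paths with spaces on these systems).
    """
    keep, removed = [], []
    for entry in run_value.split():
        base = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        (removed if base in WORM_RUN_ENTRIES else keep).append(entry)
    return keep, removed


def clean_win_ini(text):
    """Return (cleaned_text, removed_entries) for a WIN.INI body.

    Only the run= line inside the [windows] section is rewritten; a run= key in
    any other section is not a startup hook and is left untouched.
    """
    out, removed, in_windows = [], [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_windows = stripped.lower() == "[windows]"
            out.append(line)
            continue
        m = re.match(r"^(\s*run\s*=)(.*)$", line, re.IGNORECASE)
        if in_windows and m:
            keep, gone = split_run_entries(m.group(2))
            removed.extend(gone)
            out.append(m.group(1) + " ".join(keep))
        else:
            out.append(line)
    cleaned = "\n".join(out) + ("\n" if text.endswith("\n") else "")
    return cleaned, removed


# Constructed WIN.INI resembling an infected Windows 9x machine. AGENT.EXE stands in
# for a legitimate program that must survive the cleanup.
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=\n"
    "run=C:\\WINDOWS\\SYSTEM\\EXPLORE.EXE C:\\PROGRA~1\\LEGIT\\AGENT.EXE C:\\WINDOWS\\_SETUP.EXE\n"
    "NullPort=None\n"
    "\n"
    "[Desktop]\n"
    "Wallpaper=(None)\n"
    "run=C:\\NOTTHE~1\\RUN.EXE\n"
)

if __name__ == "__main__":
    cleaned, gone = clean_win_ini(SAMPLE_WIN_INI)
    print("removed from WIN.INI:", gone)
    print(cleaned)
    keep, gone = split_run_entries("C:\\WINNT\\System32\\Explore.exe")
    print("registry run value after cleanup:", keep, "removed:", gone)
```

Reboot after the cleanup, as the procedures say: editing the startup hook does not unload a copy that is already resident, and the file deletion steps still have to follow.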

Variants