Virus Alert: ExploreZip Worm

TO: LRDC Faculty and Staff

FROM: LRDC COMPUTING SERVICES

DATE:  JUNE 11, 1999

SUBJECT:  VIRUS ALERT:  Worm.ExploreZip

A new and dangerous virus, called Worm.ExploreZip, is currently being spread through the Internet, deleting data on Windows machines and then
mailing itself to other users.   It can also destroy files over a network and affect Macintosh computers on multi-platform networks.

Like the recent Melissa virus, ExploreZip mails itself under a previous victim's name and return address, to users with whom he or she has
exchanged e-mail.  It goes a step further than Melissa by sending itself, automatically, as a reply to each message that arrives in an
infected system's "Inbox" if the system is running Microsoft Outlook, Outlook Express, or Microsoft Exchange.   To deceive the recipient, the
outgoing copies of the virus have the same subject line as the newly arrived mail.  Most people would not suspect that a message arriving as a
part of an ongoing conversation would contain a virus.

The message that carries the virus is said to contain the following text:

              Hi <recipient name>!

               I received your email and I shall send you a
               reply ASAP.

               Till then, take a look at the attached zipped
               docs.

               bye.

The attached file is a Windows program with the name "zipped_files.exe". If a Microsoft Windows user clicks on the icon representing the attachment,
the malicious program is executed.

During infection, the victim may see a dialogue box containing a button with Hebrew characters.

The virus will destroy any file with the extension .h, .c, .cpp, .asm, .doc, .ppt, or .xls on your hard drive(s), as well as on any mapped drives,
each time it is executed. It will also search the mapped drives for Windows installations and copy itself to the Windows System directory with the
filename "Explore.exe" or to your Windows directory with the filename "_setup.exe".  Then, the worm modifies the WIN.INI file or registry so that
"Explore.exe" is executed each time you start Windows. This will infect even systems without e-mail clients.

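The following Python check is an added example, not part of the original alert or of any antivirus product. It looks in one Windows directory (local or on a mapped drive) for the two file names given above and for a WIN.INI autostart entry that names them. It assumes the WIN.INI change uses the standard run=/load= entries of the [windows] section and does not cover the registry; the function names and SAMPLE_WIN_INI are constructed for illustration.

```python
import os

# File names are from the alert; treating WIN.INI run=/load= as the autostart
# location is an assumption of this example. The registry is not covered.
WORM_NAMES = {"explore.exe", "_setup.exe"}

# Constructed sample of a modified WIN.INI (not captured from a real host).
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\Explore.exe\n[Desktop]\nrun=x.exe\n"

def find_ci(directory, name):
    """Case-insensitive lookup of `name` inside `directory` (None if absent)."""
    if not directory or not os.path.isdir(directory):
        return None
    for entry in os.listdir(directory):
        if entry.lower() == name.lower():
            return os.path.join(directory, entry)
    return None

def winini_autoruns(text):
    """Return the programs named on run=/load= lines of the [windows] section."""
    section, programs = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            if key.strip().lower() in ("run", "load"):
                programs += value.replace(",", " ").split()
    return programs

def check_windows_dir(windir):
    """List ExploreZip indicators found under one Windows directory."""
    findings = []
    for folder, name in ((find_ci(windir, "system"), "explore.exe"),
                         (windir, "_setup.exe")):
        path = find_ci(folder, name)
        if path:
            findings.append(("file", path))
    ini = find_ci(windir, "win.ini")
    if ini:
        with open(ini, encoding="latin-1") as fh:
            for prog in winini_autoruns(fh.read()):
                base = prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()
                if base in WORM_NAMES:
                    findings.append(("autostart", prog))
    return findings
```

The match is on the exact file name, so the legitimate Windows "Explorer.exe" is not flagged. A hit is a reason to run a full scan with current definitions, not proof of infection.
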
Please take the following precautions:

1) Do not open ANY attachments without first scanning them with an antivirus program that has the most up-to-date virus definitions.  Even if you
know the person who sent it, do not open it, as the virus is transmitted through your friends' and colleagues' e-mail programs.  Your computer CANNOT
be infected if you do not open the attachment.

2) Make sure your virus program has the most up-to-date definitions.  Please call Computing Services at 4-7033 if you need assistance.

3) Run a full virus scan as you may have become infected before you updated your virus software.  The virus was first detected on Sunday, June 6th.

4) Beware of "mutant strains."  Every major virus is soon copied by someone who changes it slightly.  Therefore, the name of the attachment and the
text of the message will likely change.  These new strains will also require new definitions.  We will keep you informed and will make new
definitions available on the Shared volume of each file server.

Please contact Computing Services at 4-7033 with any questions.
 
For more information, see:
http://www.symantec.com/avcenter/venc/data/worm.explore.zip.html
 
 

 

     Last edited 06/22/00