A Deep Dark Dose

This week we bring news that an old evil, ExploreZip, has suddenly accelerated to the top of the horror indices. This virus was first detected in November 1999. As antivirus vendors rushed to update their products, the virus continued to change, and each new version was more malevolent than its predecessor: more virulent, and harder to detect or eliminate. Right now there are several strains, including ExploreZip.worm.120495, MiniZip, TROJ_EXPZIPWMPAK, W32/ExploreZip.pak, W32/ExploreZipB, and Worm.ExploreZip(pack). The last is a compressed version of the original, a technique that helps hide it from virus scanners.

Well, the newest strain, W32/ExploreZip.worm.pak.a, is on the loose. This 32-bit worm spreads through email and drops a modified EXPLORE.EXE file. It also modifies WIN.INI (Windows 95/98) or the Registry (Windows NT), and invokes MAPI applications such as Outlook and Exchange. The worm auto-replies to received email with "I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs." The subject line depends on the original email's subject. The worm (usually zipped_files.exe) is attached and has a 120,495 byte file size. To help camouflage its real intentions, the attachment displays a WinZip icon. Clicking the attachment produces a fake error message: "Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help." Meanwhile, the worm has installed itself.

But that's not all. A hidden infector searches all mapped drives for .C, .CPP, .H, .ASM, .DOC, .XLS, or .PPT files. It then opens each one, deletes its content and closes the file with a zero byte count. This renders the file absolutely, completely unrecoverable. This process repeats itself 30 minutes after the computer is first infected or booted.

The worm also locates drives that are not mapped but are available as shared network resources. The host system's WIN.INI is modified to load _SETUP.EXE from the primary infected computer's Windows path. When rebooted, the remote system too will be infected. However, the worm only attempts to infect such systems once, whereas mapped systems are subject to the 30-minute infection cycle. Also, an infected remote machine will keep switching between _SETUP and EXPLORE on every other reboot.

Your system may be infected if any of these files are found. Note the difference between EXPLORE.EXE and EXPLORER.EXE: the latter is a valid name. Other signs are files that start losing their contents, or correspondents informing you about emails with an odd attachment.

To remove it, first try to terminate the worm's process on the local machine. After doing so, delete the files which are part of the worm process as listed above. If you are unable to terminate the process using the task list (CTRL-ALT-DEL), locate and delete these files. Or you can download Network Associates' KILLEZIP.EXE utility (http://download.nai.com/products/extrafiles/killezip.zip) to terminate the worm, detect files, delete entries from the registry and remove all traces from WIN.INI.
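The two infection signs the article describes, a WIN.INI run= line pointing at the dropped EXPLORE.EXE or _SETUP.EXE and documents truncated to zero bytes, can be checked with a short triage script. The following is an added example written for this page, not code from the article or from Network Associates' KILLEZIP utility; the WIN.INI text and the directory tree it scans are constructed samples, and it deliberately treats EXPLORER.EXE as benign so the legitimate shell is not flagged.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions the article says the hidden infector empties to a zero byte count.
TARGET_EXTENSIONS = {".c", ".cpp", ".h", ".asm", ".doc", ".xls", ".ppt"}

# Dropped executables named in the article. EXPLORE.EXE (no trailing R) is the worm;
# EXPLORER.EXE is the legitimate Windows shell and must not match.
WORM_BINARIES = {"explore.exe", "_setup.exe"}


def find_zero_byte_documents(root):
    """Return sorted paths under `root` with a target extension and a size of zero bytes."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in TARGET_EXTENSIONS and p.stat().st_size == 0:
                hits.append(str(p))
    return sorted(hits)


def suspicious_win_ini_entries(win_ini_text):
    """Return (key, value) pairs from the [windows] section whose run= or load=
    line references a worm binary. Only the file name is compared, so a path
    ending in EXPLORER.EXE is not flagged."""
    flagged = []
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.lower() not in ("run", "load"):
            continue
        # run= may list several programs separated by commas or spaces.
        for token in re.split(r"[,\s]+", value):
            if os.path.basename(token.replace("\\", "/")).lower() in WORM_BINARIES:
                flagged.append((key, value))
                break
    return flagged


# Constructed sample WIN.INI (not a real capture): the run= line loads the dropped EXPLORE.EXE.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\EXPLORE.EXE
[Desktop]
Wallpaper=(None)
"""


def build_sample_tree():
    """Create a temporary directory of constructed files, two of them emptied the way the
    article describes, and return its path (the caller may delete it afterwards)."""
    root = tempfile.mkdtemp(prefix="ezip_demo_")
    (Path(root) / "src").mkdir()
    (Path(root) / "src" / "main.c").write_bytes(b"")            # truncated source file
    (Path(root) / "src" / "util.h").write_bytes(b"#pragma once\n")
    (Path(root) / "report.doc").write_bytes(b"")                # truncated document
    (Path(root) / "notes.txt").write_bytes(b"")                 # empty, but not a target extension
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("zero-byte documents:", find_zero_byte_documents(root))
    print("suspicious WIN.INI entries:", suspicious_win_ini_entries(SAMPLE_WIN_INI))
```

On a real machine you would point find_zero_byte_documents at each mapped drive and feed suspicious_win_ini_entries the contents of C:\WINDOWS\WIN.INI; a zero-byte hit on a file you know was not empty, combined with a flagged run= line, matches the infection pattern the article describes, and the files themselves cannot be restored except from backup.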