 _________ SWAT MAGAZINE ISSUE NINETEEN: JULY 1999 __________
/         \___________________________________________/         \
/                     The ExploreZip Worm                      \
/                       By Netw0rk Bug                         \
-----------------------------------------------------------------------

[Netw0rk told me to mention that he got this from a mailing list]

A new worm called "ExploreZip" is spreading via e-mail attachments (similar to the infamous Melissa virus). This worm has already infected Microsoft, Intel and many others, causing considerable slow-down (and in some cases an actual denial of service) of mail servers and network resources.

This new worm/Trojan spreads via e-mail messages that contain the text:

    Hi [yourname]!
    I received your email and I shall send you a reply ASAP.
    Till then, take a look at the attached zipped docs.
    Bye.

A file called zipped_files.exe is attached to this message, and when run, the following message is displayed:

    Cannot open file: it does not appear to be a valid archive.

However, the worm copies itself to the Windows system directory (Windows\system on Windows 95/98, or Winnt\system32 on Windows NT) under the filename Explore.exe or _setup.exe. A new entry is added to the WIN.INI file (Windows 95/98) or the Registry (Windows NT) so that the worm is executed whenever Windows starts.

In normal operation, the worm looks in the e-mail client's inbox directory, and whenever an unread message is found, it replies to that message with the e-mail above (this is how the worm spreads).

This worm is destructive: while active, it searches the entire hard drive for all .h, .c, .cpp, .asm, .doc, .xls and .ppt files (this includes Word documents, Excel worksheets, PowerPoint slides, source code files, etc.). Whenever a file with one of those extensions is found, its content is deleted and a zero-sized file is left behind (making restoration of the original file extremely difficult).
How to remove it from your system
---------------------------------

Under Windows 95/98, locate the following line in your WIN.INI:

    run=C:\WINDOWS\SYSTEM\Explore.exe
    or
    run=C:\WINDOWS\SYSTEM\_setup.exe

and remove it.

Under Windows NT, locate the following registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

and delete references to Explore.exe or _setup.exe.

Now delete the file Explore.exe or _setup.exe from your Windows system directory. If the file is currently in use (this means the worm is currently active), reboot first.
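The following Python script is an added example, not part of the SWAT article and not code from the worm. It turns the indicators the article lists (the reply text, the zipped_files.exe attachment, the run= entry in WIN.INI, and the zero-byte .h/.c/.cpp/.asm/.doc/.xls/.ppt files left behind) into checks a helpdesk or admin could run, and it performs the WIN.INI part of the removal procedure above without touching other programs on the same run= line. The sample WIN.INI text, the sample message and the temporary directory are constructed for the demonstration; the Windows NT registry key is not handled here, since the winreg module only exists on Windows.

```python
"""Defensive checks for the ExploreZip indicators described in the article.

Added example, not from the SWAT article or the worm. The indicator values
come from the article; all sample inputs below are constructed.
"""
import ntpath
import os
import tempfile

# Indicators taken from the article.
WORM_FILENAMES = {"explore.exe", "_setup.exe"}
ATTACHMENT_NAME = "zipped_files.exe"
BODY_MARKERS = ("i received your email", "attached zipped docs")
TARGET_EXTENSIONS = {".h", ".c", ".cpp", ".asm", ".doc", ".xls", ".ppt"}

# Constructed sample WIN.INI, as the worm would leave it on Windows 95/98.
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=\n"
    "run=C:\\WINDOWS\\SYSTEM\\Explore.exe\n"
    "[Desktop]\n"
    "Wallpaper=(None)\n"
)

# Constructed sample body matching the reply text quoted in the article.
SAMPLE_BODY = (
    "Hi Bob!\n"
    "I received your email and I shall send you a reply ASAP.\n"
    "Till then, take a look at the attached zipped docs.\n"
    "Bye.\n"
)


def _worm_programs(value):
    """Split a run= value (comma-separated programs) into worm / other lists."""
    worm, other = [], []
    for prog in (p.strip() for p in value.split(",")):
        if not prog:
            continue
        # ntpath handles the backslash paths even when this runs on Linux.
        (worm if ntpath.basename(prog).lower() in WORM_FILENAMES else other).append(prog)
    return worm, other


def find_persistence_entries(win_ini_text):
    """Return the run= lines in WIN.INI that launch Explore.exe or _setup.exe."""
    hits = []
    for line in win_ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "run" and _worm_programs(value)[0]:
            hits.append(line.strip())
    return hits


def clean_win_ini(win_ini_text):
    """Remove the worm from run= lines; other programs on the line are kept."""
    out = []
    for line in win_ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "run":
            worm, other = _worm_programs(value)
            if worm and not other:
                continue  # the line only started the worm: drop it entirely
            if worm:
                line = "run=" + ",".join(other)
        out.append(line)
    return "\n".join(out) + "\n"


def looks_like_explorezip(body, attachment_names):
    """Flag a message carrying the worm's reply text plus zipped_files.exe."""
    text = body.lower()
    has_attachment = any(n.lower() == ATTACHMENT_NAME for n in attachment_names)
    has_text = all(marker in text for marker in BODY_MARKERS)
    return has_attachment and has_text


def find_zeroed_targets(root):
    """List zero-byte files with the extensions the worm truncates.

    The worm empties files rather than deleting them, so a burst of such
    files is the damage signature to look for (and a cue to restore backups).
    """
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in TARGET_EXTENSIONS and os.path.getsize(path) == 0:
                found.append(path)
    return sorted(found)


def demo_zeroed_scan():
    """Build a constructed tree (one zeroed .c, one intact .doc, one empty .txt)
    and return the base names the scan reports."""
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "main.c"), "w").close()          # zeroed source file
        with open(os.path.join(root, "notes.doc"), "w") as f:    # intact document
            f.write("still here")
        open(os.path.join(root, "readme.txt"), "w").close()      # empty, but not a target
        return [os.path.basename(p) for p in find_zeroed_targets(root)]


if __name__ == "__main__":
    print("persistence:", find_persistence_entries(SAMPLE_WIN_INI))
    print("cleaned WIN.INI:\n" + clean_win_ini(SAMPLE_WIN_INI))
    print("message flagged:", looks_like_explorezip(SAMPLE_BODY, ["zipped_files.exe"]))
    print("zeroed targets:", demo_zeroed_scan())
```

The body check requires both phrases of the quoted reply text and the exact attachment name, so an ordinary message that merely mentions zipped files is not flagged; the zero-byte scan is worth running over user shares as well as local drives, since the article notes the worm walks the entire hard drive.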