Worm.ExploreZip (W32.ExploreZip Worm)

Worm.ExploreZip is a worm that carries a destructive payload. It uses Microsoft Outlook, Outlook Express, or Exchange to mail itself out by replying to unread messages in your Inbox. It also searches mapped drives and networked machines for Windows installations, copies itself to the Windows directory of each remote machine it finds, and modifies that machine's WIN.INI accordingly. Each time the payload runs it destroys every file with the extension .h, .c, .cpp, .asm, .doc, .ppt, or .xls on your hard drives, on any mapped drives, and on any network machines that are accessible. This continues until the worm is removed.

You may receive the worm as an attachment called zipped_files.exe. When run, this executable copies itself to your Windows System directory with the filename Explore.exe, or to your Windows directory with the filename _setup.exe, and modifies your WIN.INI or registry so that Explore.exe is executed each time you start Windows.

The worm was first discovered in Israel and submitted to the Symantec AntiVirus Research Center on June 6, 1999.

The worm e-mails itself out as an attachment with the filename zipped_files.exe in reply to unread messages it finds in your Inbox. Once it has replied to a message, it marks that message so it will not reply to it again. Because the reply goes to a real correspondent and reuses the subject line of a message that person actually sent, it may appear to come from a known e-mail contact in response to a previous e-mail. The message contains the following text:

Hi Recipient Name!

The worm continues to monitor the Inbox for new messages and replies to them in the same way. It also searches mapped drives and networked machines for Windows installations, copies itself to the Windows directory of each remote machine, and modifies that machine's WIN.INI accordingly. A machine that has been cleaned can therefore be reinfected from any other infected machine that still reaches it over a share, so all machines on a network should be cleaned together.

Once the attachment is executed, it may display the following window:

(dialog screenshot not reproduced here)

The button shown is the "OK" button; its label depends on the language of the infected operating system. The example above was taken from a Hebrew Windows system.

The worm copies itself to the Windows System directory (System32 on Windows NT) as Explore.exe, or to the Windows directory as _setup.exe, and modifies the WIN.INI file (Windows 9x) or the registry (Windows NT) so that the program is executed each time Windows is started. Depending on the e-mail client you use, a copy may also be present in your Windows Temporary directory or your attachments directory: e-mail clients often store attachments in these directories temporarily, under different temporary names, so a cleanup has to look there as well as in the two known install locations.

In addition, when Worm.ExploreZip is executed it searches drives C through Z on your computer and on accessible network machines for particular files. It selects files with several extensions (including .h, .c, .cpp, .asm, .doc, .xls, and .ppt) and destroys them by calling CreateFile() in a way that leaves each file 0 bytes long. You may notice extended hard drive activity while this happens. This can result in non-recoverable data: the file still exists, but as an empty file, so the only reliable remedy is to restore it from backup. The payload routine keeps running for as long as the worm is active on the system, so any newly created or newly restored file matching the extension list is destroyed as well. Do not restore data from backup until every machine that can reach the restored files has been cleaned.

How to remove it manually !

To remove this worm manually, one should perform the following steps:
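The description above names three things an investigator can check on a suspect host or a mounted disk image: the run= persistence line the worm adds to WIN.INI, the dropped copies (zipped_files.exe, Explore.exe, _setup.exe), and the zero-byte files with the target extensions that the payload leaves behind. The script below checks all three. It is an added example, not part of the Symantec writeup and not the removal procedure; it only reports and removes nothing. The WIN.INI text and the directory tree it scans are constructed sample data. Checking the load= line alongside run= is this example's assumption, and on Windows NT the same entry lives in the registry rather than in WIN.INI, which this example does not read.

```python
import re
import tempfile
from pathlib import Path

# Artefacts named in the writeup: the attachment, the two dropped copies, and
# the extensions the payload truncates to zero bytes.
WORM_BINARIES = {"zipped_files.exe", "explore.exe", "_setup.exe"}
TARGET_EXTENSIONS = {".h", ".c", ".cpp", ".asm", ".doc", ".xls", ".ppt"}


def find_persistence_in_win_ini(win_ini_text):
    """Return the [windows] run= / load= lines that launch a worm binary.
    Windows 9x starts the programs listed there at startup; the writeup says
    the worm adds Explore.exe. Checking load= too is this example's assumption."""
    hits = []
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows":
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() not in ("run", "load"):
            continue
        # run= may list several programs separated by commas or spaces.
        for prog in re.split(r"[,\s]+", value.strip()):
            name = prog.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in WORM_BINARIES:
                hits.append(line)
                break
    return hits


def find_worm_copies(root):
    """Files under root named like the attachment or the dropped copies. This
    also catches a copy left in a mail client's temp or attachments directory,
    but a copy stored under a different temporary name will not match by name."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.name.lower() in WORM_BINARIES)


def find_truncated_targets(root, since=None):
    """Zero-byte files with target extensions: the trace the CreateFile()
    truncation leaves. Their content is gone and must come from backup. With
    since= (POSIX timestamp) only files modified after that time are listed,
    so a second pass after cleanup shows whether the payload is still active."""
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in TARGET_EXTENSIONS:
            continue
        st = p.stat()
        if st.st_size == 0 and (since is None or st.st_mtime > since):
            hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def scan(root, win_ini_text):
    """All three indicator classes for one host or mounted image."""
    return {
        "persistence": find_persistence_in_win_ini(win_ini_text),
        "worm_copies": find_worm_copies(root),
        "truncated": find_truncated_targets(root),
    }


# Constructed sample data for a stand-alone run; not taken from a real host.
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\Explore.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

SAMPLE_FILES = {
    "WINDOWS/SYSTEM/Explore.exe": b"MZ",     # dropped copy (stub bytes)
    "WINDOWS/_setup.exe": b"MZ",             # second dropped copy
    "WINDOWS/TEMP/zipped_files.exe": b"MZ",  # attachment cached by the mail client
    "src/main.c": b"",                       # truncated by the payload
    "src/main.h": b"",
    "docs/report.doc": b"",
    "src/Makefile": b"",                     # empty, but not a target extension
    "docs/intact.xls": b"\xd0\xcf\x11\xe0",  # still has content
    "docs/notes.txt": b"not a target extension",
}


def build_sample_tree(base):
    """Write SAMPLE_FILES under base and return the root as a Path."""
    base = Path(base)
    for rel, content in SAMPLE_FILES.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return base


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_sample_tree(tmp), SAMPLE_WIN_INI)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

On a real host, point scan() at each local drive root and at every mapped drive, with the text of the local WIN.INI, before cleaning; after cleaning, rerun find_truncated_targets() with since= set to the cleanup time. Any new hit means a copy is still running somewhere that can reach the drive, and restoring from backup would only feed the payload.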