Worm.ExploreZip

Worm.ExploreZip (also known as TROJ_ExploreZip) is a malicious worm that arrives as a file attachment to an e-mail note and, if it is opened (executed), (1) automatically remails itself to the senders of notes still in your inbox and (2) destroys vital files that you may not be able to recover. First reported on June 6, 1999, Worm.ExploreZip has caused apprehension in corporations and among private users because its potential for damage and lost time exceeds that of Melissa and other well-publicized viruses, which replicate as spam but do not damage files.

What It Looks Like

The Worm.ExploreZip worm arrives in an e-mail inbox as a note that may contain this message:
Hi [Recipient Name]!
I received your email and I shall send you a
reply ASAP.
Till then, take a look at the attached zipped
docs.
bye 

Note that this message is made to look like a reply to a note you sent earlier, and it misleadingly tells you that the attachment contains zipped documents. The attachment has the name "zipped_files.exe". If you open it [but DON'T open it!] (by clicking or double-clicking on it), the attachment, which is a program (indicated by the ".exe" extension for executable), will run. You may see an error message in a popup window telling you that the system cannot open the file because it doesn't contain an archive (zipped file); by then the program has already executed.
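A mail-gateway check for the lure described above, written as an added example rather than code from the original article. It parses an inbound message with Python's standard email module and flags it when the attachment name is "zipped_files.exe", when any attachment has an executable extension, or when the lure text arrives together with an executable. The sample message is constructed here for the demonstration; the sender and recipient addresses are placeholders.

```python
"""Flag inbound mail that matches the Worm.ExploreZip lure (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Phrases from the lure text quoted in the article, lower-cased for matching.
LURE_PHRASES = (
    "i received your email",
    "take a look at the attached zipped",
    "reply asap",
)
# Extensions Windows will execute directly; the worm uses .exe.
EXEC_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat")
# Attachment name the article reports for this worm.
KNOWN_BAD_NAMES = {"zipped_files.exe"}


def attachment_names(msg):
    """Collect the file names of every part that carries one."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def classify(raw_bytes):
    """Return a list of reasons the message should be quarantined (empty = clean)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    names = attachment_names(msg)
    for name in names:
        low = name.lower()
        if low in KNOWN_BAD_NAMES:
            reasons.append(f"known worm attachment name: {name}")
        elif low.endswith(EXEC_EXTENSIONS):
            reasons.append(f"executable attachment: {name}")
    # The lure alone is just text; it matters when paired with an executable.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [p for p in LURE_PHRASES if p in text]
    has_exec = any(n.lower().endswith(EXEC_EXTENSIONS) for n in names)
    if len(hits) >= 2 and has_exec:
        reasons.append("lure text plus executable attachment")
    return reasons


def build_sample():
    """Constructed message imitating the worm's note; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Re: your note"
    msg.set_content(
        "Hi Alice!\n"
        "I received your email and I shall send you a\n"
        "reply ASAP.\n"
        "Till then, take a look at the attached zipped\n"
        "docs.\n"
        "bye\n"
    )
    # Fake PE header bytes stand in for the worm binary; this is not the worm.
    msg.add_attachment(
        b"MZ\x90\x00" + b"\x00" * 16,
        maintype="application",
        subtype="octet-stream",
        filename="zipped_files.exe",
    )
    return msg.as_bytes()


def build_benign():
    """Constructed ordinary reply with no attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Re: your note"
    msg.set_content("Thanks, I will get back to you tomorrow.\n")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("sample", build_sample()), ("benign", build_benign())):
        print(label, classify(raw))
```

In a real gateway the name check is the weakest signal, since a variant can rename the attachment; the executable-extension rule and the lure-plus-executable pairing are what keep the filter useful once the file name changes.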

What It Does

1) Worm.ExploreZip uses Microsoft Outlook, Outlook Express, and Microsoft Exchange through the Microsoft Messaging Application Programming Interface (MAPI) to remail itself to anyone who has sent you a note that is still in your inbox and unread. As long as Worm.ExploreZip is on your system, it will continually send itself (note and attachment) to anyone whose mail has arrived and is still unread. This, of course, would simply be a nuisance if none of the recipients ever opened the attachment (but undoubtedly some will!).

2) Whether or not the system has the Microsoft e-mail programs, Worm.ExploreZip also carries a payload, code that destroys part of your data as soon as the file is opened. Specifically, the worm destroys any file on your hard drive or on a mapped network drive with the extensions .h, .c, .cpp, .asm, .doc, .ppt, and .xl. It does this by truncating each file to 0 bytes, so the file remains but its contents are gone. It installs itself in the Windows system directory under the file name "Explore.exe" or in your Windows directory as "_setup.exe". The worm also modifies the WIN.INI file or the registry, which hold your system's initialization values, so that Explore.exe is executed every time you start Windows.
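Two triage checks for the payload and persistence just described, added here as an example and not taken from the article or any vendor tool. The first walks a directory tree and lists files with the targeted extensions that are now 0 bytes, the damage signature the worm leaves behind. The second reads the text of a WIN.INI file and reports run= or load= entries under [windows] that launch Explore.exe or _setup.exe. The temporary directory tree and the WIN.INI text are constructed for the demonstration, and the C:\WINDOWS\SYSTEM path in the sample is illustrative.

```python
"""Find zero-length files and WIN.INI run entries left by Worm.ExploreZip (added example)."""
import os
import tempfile
from pathlib import Path

# Extensions exactly as the article lists them; extend the set to suit.
TARGET_EXTENSIONS = {".h", ".c", ".cpp", ".asm", ".doc", ".ppt", ".xl"}
# File names the article gives for the installed copy of the worm.
WORM_BINARIES = ("explore.exe", "_setup.exe")


def find_zeroed_files(root):
    """Return root-relative paths (POSIX separators) of 0-byte files with a targeted extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in TARGET_EXTENSIONS and p.stat().st_size == 0:
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def suspicious_run_entries(win_ini_text):
    """Return run=/load= lines from the [windows] section that reference the worm's file names."""
    section = None
    found = []
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.lower() in ("run", "load") and any(b in value.lower() for b in WORM_BINARIES):
            found.append(f"{key}={value}")
    return found


def build_sample_tree():
    """Constructed directory tree: two truncated target files, one intact, one untargeted."""
    root = tempfile.mkdtemp(prefix="explorezip_demo_")
    src = Path(root) / "src"
    src.mkdir()
    (src / "main.c").write_bytes(b"")                  # truncated: reported
    (src / "util.h").write_bytes(b"#pragma once\n")    # intact: not reported
    (Path(root) / "report.doc").write_bytes(b"")       # truncated: reported
    (Path(root) / "notes.txt").write_bytes(b"")        # 0 bytes but not a targeted extension
    return root


# Constructed WIN.INI text; the path is illustrative, not a confirmed location.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\Explore.exe
[Desktop]
Wallpaper=(None)
"""


if __name__ == "__main__":
    root = build_sample_tree()
    print("zeroed files:", find_zeroed_files(root))
    print("win.ini run entries:", suspicious_run_entries(SAMPLE_WIN_INI))
```

A zero-length file with one of these extensions is not proof of infection on its own, since empty source files are legitimate, but a cluster of them sharing a modification time is the pattern to look for when confirming the worm ran, and the run= entry is what to remove so the copy in the system directory stops starting with Windows.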

What To Do If You Receive It or Are Infected

If you receive Worm.ExploreZip, in addition to not clicking on the attachment, delete the note and then empty your deleted mail folder.

If you or someone else has clicked on Worm.ExploreZip and your computer is infected, there are procedures for removing it and, in some cases, for recovering your lost files. See Symantec or another anti-virus vendor's help center for detailed instructions.

Selected Links

Symantec's Antivirus Research Center provides Symantec's explanation of and what to do about Worm.ExploreZip.

There is also Trend Micro's information about Worm.ExploreZip.

ZDNet covered it with a story, ExploreZip Spreads Around the Globe.


Created on June 11, 1999.

Copyright © 1996-2000 TechTarget.com, Inc. All rights reserved.