The ExploreZip Worm Privacy and Legal Notice

CIAC INFORMATION BULLETIN

J-047: The ExploreZip Worm

June 11, 1999 23:00 GMT


PROBLEM:   A new worm program named zipped_files.exe spreads itself as an
           attachment to e-mail messages and destroys document files.
PLATFORM:  Windows 95, Windows 98, and Windows NT. 
           Outlook or Exchange are needed to spread.
DAMAGE:    The worm sends copies of itself to everyone
           in an e-mail inbox and destroys files with the 
           extensions: .h, .c, .cpp, .asm, .doc, .xls, and .ppt. 
SOLUTION:  Do not automatically run an attached file named 
           zipped_files.exe even if it appears to have come 
           from a friend. Update your antivirus software to 
           detect this worm.

VULNERABILITY   Severe Risk: While this worm does not appear to be
ASSESSMENT:     spreading as rapidly as the Melissa virus, the payload can 
                do severe damage to an organization by deleting all Microsoft 
                Office documents and computer program source files.

The ExploreZip Worm

Introduction

CIAC has received reports of the spread of a new worm program called ExploreZip (alias: W32/ExploreZip.worm, Worm.ExploreZip). The worm spreads in a manner similar to the W97M.Melissa virus. The worm arrives as an attachment to an e-mail message. When a user double clicks on that attachment, the worm program runs and spreads itself by sending replies to all the mail in your inbox with the worm program as an attachment. Different from the Melissa macro virus, this is a worm program in that it does not infect other programs or documents. It is also executable code instead of a macro program so the macro detection capability in Microsoft Word will not protect you from this worm. The worm has a payload that destroys Microsoft Office documents and program source code files.

As this is object code (binary) it only runs on INTEL platforms running Windows 95, Windows 98, and Windows NT. It cannot run on Macintosh or other hardware types and cannot run on earlier versions of windows or on DOS. In order to spread using e-mail, the worm needs Outlook or Microsoft Exchange. However, the payload will run and destroy files even if the program cannot spread itself via e-mail.

Worm Operation

The worm is an executable program named "zipped_files.exe" that appears to be a self extracting ZIP archive. It arrives as an attachment to an e-mail message with the following content:

     Hi !

     I received your email and I shall send you a
     reply ASAP.

     Til then, take a look at the attached zipped 
     docs.

     bye

The message appears to be a reply to one of your messages. The subject of the mail message is variable and appears to be a reply to a message from you.

When a user double clicks on the attached worm program, it puts up the following dialog box that makes the file appear to be a damaged zip archive.

wpe1.jpg (13368 bytes)

Pressing F1 does nothing and clicking OK simply closes the dialog box. If WinZip is installed on the system, it will open with the empty zip file: Zipped_files.zip, again making it appear to be a damaged zip archive.

As the worm continues executing, it searches the inbox of your mail program and sends a reply to every message it finds there, adding the message listed above and attaching the worm program file.

When it has finished sending mail, it stores a copy of itself on your system and sets that copy to be executed at system startup time. On Windows 95 and Windows 98 systems, it stores a copy of itself in:

    c:\windows\system\explore.exe 

and places the following line in the win.ini file to restart the worm every time you run Windows.

    run=C:\WINDOWS\System\Explore.exe

If your active windows directory is not C:\WINDOWS, replace C:\WINDOWS in the command and file location above with the path to your active Windows directory.

On Windows NT systems, it stores copies of itself in:

    c:\winnt\system32\explore.exe
    c:\winnt\_setup.exe

If your active Windows NT directory is not c:\winnt, replace c:\winnt in the file locations above with the path to your active Windows NT directory.

The worm then changes the value of the following registry key to "_setup.exe", which runs the _setup.exe program at startup.

    HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\ 
                                  CurrentVersion\Windows\run

After installing itself, the worm runs its payload. The payload searches your lettered hard disk drives (C: through Z:) for programming source code files with the extensions:

    .h    .c    .cpp    .asm

(C header files, C programs, C++ programs, and assembly language programs) and Microsoft Office documents with the extensions:

    .doc    .xls    .ppt

(Word documents, Excel documents, and PowerPoint documents) and changes them to a zero length file, making them nearly impossible to recover. You might be able to recover parts of a file using a disk editor but that would be a difficult and time consuming process.

Detecting An Infection

Infections with ExploreZip are easy to detect. Press Ctrl-Alt-Del and open the Task Manager as shown here. On Windows NT, press Ctrl-Alt-Del, click the Task Manager button, and then choose the Processes tab. The dialog box shown by Windows NT is slightly different from that shown here but has the same function.

Note the task named Zipped_file (Zipped_files.ex on Windows NT). This is the running worm program. To stop it, select Zipped_file (or Zipped_files.ex) and click End Task. If you have restarted your system since the infection, you will see the process Explore (_setup.exe on Windows NT) instead of Zipped_file. Again, to stop that process, select it and click End Task. Do not confuse the task Explore with the task Explorer as they are different. The Explorer task is the Windows explorer program.

Removing An Infection

The easiest way to eliminate the worm from your system is to use an updated antivirus package. However, to do it by hand, perform these steps:

  1. Press Ctrl-Alt-Del to open the task manager.
  2. Select the Zipped_file or Explore (Zipped_files.ex or _setup.exe for Windows NT) process (whichever is running) and click End Task
  3. Delete all copies of zipped_file.exe from your system. These will be in the download or attachments directory of your mail program.
  4. Delete the file c:\windows\system\explore.exe or for Windows NT, delete c:\winnt\system32\explore.exe and c:\winnt\_setup.exe.
  5. Edit c:\windows\win.ini and remove the line
            run=c:\windows\system\explore.exe
    

    Or in Windows NT, run Regedit.exe and delete the value of the key:

        HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\ 
                                      CurrentVersion\Windows\run
    

Protection

Most antivirus vendors already have detection and removal capabilities available for this worm and we expect the others to have them soon. Of the vendors that have a solution available, you may need to download it from their web pages and not depend on the automatic update features of the product. We expect the automatic update features to have this worm definition soon.

The following vendors have solutions now:

Symantec (NAV)
http://www.symantec.com/avcenter/venc/data/worm.explore.zip.html

Network Associates (McAfee)
http://vil.mcafee.com/vil/vpe10183.asp

DataFellows (F-PROT)
http://www.datafellows.com/v-descs/zipped.htm

Trend
http://www.antivirus.com/vinfo/alerts.htm

Sophos Anti-Virus
http://www.sophos.com/downloads/ide/index.html#explorez

All users are cautioned to think before double clicking on a file included as an attachment to any e-mail message, even if that message appears to come from a friend. If that attachment is a Microsoft Office document and you have macro detection turned on, then you can double click the attachment and the macro detection capability will stop the document from loading if it contains a macro program. It will then give you the choice to enable or disable the macros. Remember, disable macros unless you are expecting to receive them.

If the attachment is an executable program, scan it with your antivirus utility before running it. If it passes the antivirus scan, you might still want to reconsider running it if it comes from someone you do not know or is an unexpected delivery from someone you do know. Call the person up on the phone (don't send them e-mail) and ask him if he sent you an executable before running the file. If you send him an e-mail and he is infected with this worm, you will likely receive a reply (from the worm) saying "take a look at the attached zipped docs".

If the file is a self extracting archive, open it with the archive program (for example, WinZip) instead of running the archive itself. You can still get the files out of the archive but without running the executable part (the self extractor) of the archive file.


Thanks to Symantec and Network Associates for their early warning and analysis of this worm.



CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788
[Privacy and Legal Notice]