For more information, see Global ZippedFiles Worm Information Center at http://www.f-secure.com/zipped/
ZippedFiles (aka 'ExploreZip') is a Melissa-like e-mail worm. Unlike Melissa, however, the Zipped_Files worm carries a destructive payload, and its way of spreading via e-mail is also different: the worm analyses messages received by Microsoft Outlook and sends automatic replies to their senders.
The replies look like this:
From: user_of_the_PC
Subject: RE: subject_of_the_original_message
To: sender_of_the_original_message

Hi sender_of_the_original_message !

I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.

Sincerely
user_of_the_pc

Attachment: zipped_files.exe
If you receive a message like this, do not open zipped_files.exe. It looks like a self-extracting WinZip file but it's not. If it is opened, it will show a WinZip error message and then it will send itself to more users via Outlook.
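The reply template above is the worm's most visible indicator at a mail gateway. The following is an added example (it is not F-Secure code) of how a filter could recognise it: it parses a raw message and flags the attachment name used by the worm (zipped_files.exe, or FILE_ZIPPATI.EXE for the Italian variant described later on this page) together with the fixed phrase from the English reply body and the "RE:" subject. The sample messages are constructed for this example; the addresses are placeholders.

```python
"""Flag e-mail messages that match the ZippedFiles worm's auto-reply pattern.

Added example, not F-Secure code. It assumes the message text given in the
write-up: a "RE:" subject, the phrase "take a look at the attached zipped
docs" and an attachment named zipped_files.exe (or FILE_ZIPPATI.EXE for the
Italian variant). The sample messages built below are constructed, not captures.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Attachment names used by the worm and its variants, per the description.
WORM_ATTACHMENTS = {"zipped_files.exe", "file_zippati.exe"}
# Fixed phrase from the English reply template.
BODY_MARKER = "take a look at the attached zipped docs"


def classify(raw: bytes) -> dict:
    """Return which of the three indicators a raw RFC 822 message triggers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject") or "")
    hits = {
        "attachment": False,
        "body": False,
        "subject_re": subject.strip().upper().startswith("RE:"),
    }
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() in WORM_ATTACHMENTS:
            hits["attachment"] = True
        if part.get_content_type() == "text/plain" and not part.is_attachment():
            if BODY_MARKER in part.get_content().lower():
                hits["body"] = True
    return hits


def is_worm_reply(raw: bytes) -> bool:
    """The attachment name alone is decisive; body phrase plus RE: subject is a strong secondary signal."""
    h = classify(raw)
    return h["attachment"] or (h["body"] and h["subject_re"])


def build_sample(subject: str, body: str, attachment: Optional[str]) -> bytes:
    """Construct a test message (placeholder addresses, dummy attachment bytes)."""
    m = EmailMessage()
    m["From"] = "user@example.invalid"
    m["To"] = "sender@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"MZ\x00\x00", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


if __name__ == "__main__":
    worm = build_sample("RE: quarterly report",
                        "Hi Bob !\nI received your email and I shall send you a reply ASAP. "
                        "Till then, take a look at the attached zipped docs.\nSincerely Alice",
                        "zipped_files.exe")
    print("worm reply detected:", is_worm_reply(worm))
```

Matching the attachment name is enough on its own because the worm always uses the same file name; the body phrase is kept as a second signal so that a renamed or stripped attachment still leaves something to alert on.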
The displayed error message looks like this:
Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help.
The worm copies itself to two files (EXPLORE.EXE and _SETUP.EXE, see below).
It also modifies WIN.INI so that one of these files gets executed every time Windows starts. The worm works under Windows 95, 98 and NT. Under Windows NT the worm modifies the Registry instead, as the WIN.INI file is ignored there.
The worm activates when executed, truncating files with several extensions on local hard drives and network drives to zero bytes, making them unusable. The following file types are affected:

.DOC - Microsoft Word documents
.XLS - Microsoft Excel spreadsheets
.PPT - Microsoft PowerPoint presentations
.ASM - Assembler source files
.CPP - C++ source files
.C - C source files
.H - C header files
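Because the payload leaves the destroyed files in place as zero-byte entries, an affected share can be triaged by listing empty files of the targeted types so they can be restored from backup. The following scanner is an added example, not F-Secure code; it assumes only the extension list given above. The directory tree it builds is constructed for the demonstration. A legitimately empty .c or .h file will also be listed, so the output is a candidate list for restore, not proof of infection.

```python
"""List zero-byte files with the extensions the ZippedFiles worm truncates.

Added example, not F-Secure code. It assumes the extension list from the
description and walks a directory tree (a mounted share, for instance)
reporting every empty file of a targeted type. The sample tree is constructed.
"""
import os
import tempfile
from pathlib import Path
from typing import List

# Extensions the worm truncates, per the description. Compared case-insensitively
# because Windows file names are case-insensitive.
TARGET_EXTENSIONS = {".doc", ".xls", ".ppt", ".asm", ".cpp", ".c", ".h"}


def find_truncated(root: str) -> List[str]:
    """Walk `root` and return sorted relative paths of zero-byte files with a targeted extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in TARGET_EXTENSIONS and os.path.getsize(path) == 0:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def make_sample_tree() -> str:
    """Build a constructed tree resembling a hit share: some files truncated, some intact."""
    root = tempfile.mkdtemp(prefix="zippedfiles_demo_")
    files = {
        "docs/report.DOC": b"",                       # truncated, targeted type
        "docs/budget.xls": b"",                       # truncated, targeted type
        "docs/notes.txt": b"",                        # empty but not a targeted type
        "src/main.c": b"int main(void){return 0;}\n",  # intact
        "src/util.h": b"",                            # truncated, targeted type
        "src/slides.ppt": b"\xd0\xcf\x11\xe0",        # intact (OLE header bytes)
    }
    for rel, data in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    demo = make_sample_tree()
    for hit in find_truncated(demo):
        print("possible worm damage:", hit)
```

Run it against the root of each share that was reachable from the infected machine; the list is also a useful cross-check against backup catalogues when deciding what to restore.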
Once the worm infects one machine in a corporate network, the worm will start to look for other Windows workstations in the network. If another user has shared directories from his machine for others, the worm will try to infect this machine over the network.
This means that your machine can get infected with the ZippedFiles worm even if you're very careful with your e-mail, do not open attachments, or even stop using e-mail completely. You will not notice the infection, but your machine will start to automatically reply to all e-mails received thereafter. The replies contain an infected attachment and will spread the worm further. In addition, the worm will start to overwrite files on local and network drives.
In order to receive the worm over the company network, your machine must be running Windows 95 or 98 and must have either the system drive or the Windows directory shared for other users with full access rights. The shared drive does not have to be mounted to the infected system in order for the worm to spread, as the worm will browse all available drive shares in the network. By default, Windows does not share drives for use by other users, but many users do this to give fellow workers easy access to their files.
Under Windows 95/98 the worm uses a trick to make its disinfection more difficult. After writing its body to two files it modifies WIN.INI to run EXPLORE.EXE first. After a reboot the worm, now running from EXPLORE.EXE, will again modify WIN.INI, but this time to run _SETUP.EXE. After the next reboot WIN.INI will be modified again to run EXPLORE.EXE. And so forth.
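The practical consequence of this alternation is that a check of WIN.INI must accept either file name, whichever happens to be current at the time of inspection. The following parser is an added example (not F-Secure code) of such a check: it reads the run= line of the [windows] section and reports entries whose file name is EXPLORE.EXE or _SETUP.EXE. The WIN.INI texts are constructed for this example; the description does not say which directory the two files are written to, so the directory in the sample path is a placeholder.

```python
"""Check a Windows 9x WIN.INI for the ZippedFiles worm's run= persistence entry.

Added example, not F-Secure code. It assumes the behaviour described above:
the worm sets the run= line in the [windows] section of WIN.INI to start
EXPLORE.EXE or _SETUP.EXE and alternates between the two names on each
reboot, so the check matches either name. The WIN.INI samples are constructed,
and the directory in the sample path is a placeholder (the description does
not state where the files are dropped).
"""
import ntpath
from typing import List

# File names the worm's body is written to, per the description.
WORM_FILENAMES = {"explore.exe", "_setup.exe"}

# Constructed sample: a WIN.INI after the worm has pointed run= at its first copy.
INFECTED_WIN_INI = """[windows]
load=
run=C:\\EXAMPLE_DIR\\EXPLORE.EXE
NullPort=None
[Desktop]
Wallpaper=(None)
"""

# Constructed sample: an untouched WIN.INI with an empty run= line.
CLEAN_WIN_INI = """[windows]
load=
run=
[Desktop]
Wallpaper=(None)
"""


def run_entries(win_ini: str) -> List[str]:
    """Return the programs listed on the run= line of the [windows] section."""
    section = None
    for raw in win_ini.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "run":
                # run= may list several programs separated by spaces or commas.
                return [e for e in value.replace(",", " ").split() if e]
    return []


def suspicious_run_entries(win_ini: str) -> List[str]:
    """Entries whose file name (directory stripped) is one of the worm's two names."""
    return [e for e in run_entries(win_ini)
            if ntpath.basename(e).lower() in WORM_FILENAMES]


if __name__ == "__main__":
    print("infected sample:", suspicious_run_entries(INFECTED_WIN_INI))
    print("clean sample:", suspicious_run_entries(CLEAN_WIN_INI))
```

The file name is compared case-insensitively after stripping any directory, which is what makes the check indifferent to which of the two names the worm has swapped in since the last reboot. On Windows NT the same entry lives in the Registry rather than WIN.INI, so this parser does not cover that case.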
Variant: Zipped_Files.pak (I-Worm.ZippedFiles.packed, MiniZip, ExploreZip.packed, ExploreZip.pak)
On the 30th of November a packed version of the Zipped_Files worm appeared. The worm executable is almost half the size of the original, the result of packing the file with the NeoLite file compressor.
The first sample of this worm was received at F-Secure on Thursday, 10th of June, at 11:00 GMT. The worm has already been confirmed from several countries and it seems to be spreading further fast.
Variant: Zipped_Files.pak.b (ExploreZip.packed.b, I-Worm.ZippedFiles.packed.b, MiniZip.b, ExploreZip.pak.b)
Another variant of ExploreZip.packed worm appeared in the beginning of December 1999. This worm variant spreads itself with an Italian message. The worm's body is compressed with a different file compressor - APLib. The worm drops DRVSSRV.EXE or _SAVER.SCR file and spreads itself via Outlook as FILE_ZIPPATI.EXE unlike its earlier versions.
[Mikko Hypponen, Alexey Podrezov, F-Secure]