Threat Description

Zipped_Files

Details

Aliases: Zipped_Files, ExploreZip, ZippedFiles, I-Worm.ZippedFiles
Category: Malware
Type:
Platform: W32

Summary



For more information, see Global ZippedFiles Worm Information Center at http://www.f-secure.com/zipped/

ZippedFiles (aka 'ExploreZip') is a Melissa-like e-mail worm, but unlike Melissa the Zipped_Files worm carries a destructive payload. Its way of spreading via e-mail is also different: the worm analyses messages received by Microsoft Outlook and sends automatic replies to their senders.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



The replies look like this:

From: user_of_the_PC
Subject: RE: subject_of_the_original_message
To: sender_of_the_original_message

Hi sender_of_the_original_message !
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
Sincerely
user_of_the_pc

Attachment: zipped_files.exe

If you receive a message like this, do not open zipped_files.exe. It looks like a self-extracting WinZip file, but it is not. If it is opened, it displays a WinZip-style error message and then sends itself to more users via Outlook.

The displayed error message looks like this:

Cannot open file: it does not appear to be a valid archive.
If this file is part of a ZIP format backup set, insert the last
disk of the backup set and try again. Please press F1 for help.
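The reply template above is fixed, which makes the worm's outgoing mail easy to recognise at a mail gateway or in a mailbox export. The following is an added example, not part of the original F-Secure description: it parses a message with Python's standard email library and flags the combination of the known attachment name, the fixed body text and the "RE:" subject. The two sample messages are constructed for the example; the addresses and attachment bytes are made up.

```python
import email
from email import policy

# Constructed sample in the shape of the worm's automatic reply described above
# (not a real capture; addresses and the attachment bytes are made up).
WORM_REPLY = """\
From: alice@example.com
To: bob@example.com
Subject: RE: quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi bob@example.com !
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
Sincerely
alice
--b1
Content-Type: application/octet-stream; name="zipped_files.exe"
Content-Disposition: attachment; filename="zipped_files.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--b1--
"""

# Constructed ordinary reply for comparison.
NORMAL_REPLY = """\
From: alice@example.com
To: bob@example.com
Subject: RE: lunch on Friday
Content-Type: text/plain

Sounds good, see you at noon.
"""

# Attachment names used by the original worm and by the Italian .pak.b variant.
WORM_ATTACHMENT_NAMES = {"zipped_files.exe", "file_zippati.exe"}

# Distinctive phrases from the worm's fixed reply body.
WORM_BODY_PHRASES = (
    "i received your email and i shall send you a reply asap",
    "take a look at the attached zipped docs",
)


def classify_message(raw):
    """Return (verdict, reasons); verdict is 'zippedfiles_reply' or 'clean'."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    # Attachment file names, lower-cased for comparison.
    names = [(part.get_filename() or "").lower() for part in msg.iter_attachments()]
    attachment_hit = any(n in WORM_ATTACHMENT_NAMES for n in names)
    if attachment_hit:
        reasons.append("attachment name matches worm dropper")

    # Plain-text body, decoded; multipart messages return their first text/plain part.
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content().lower() if body_part is not None else ""
    phrase_hits = [p for p in WORM_BODY_PHRASES if p in text]
    if phrase_hits:
        reasons.append("body contains %d worm phrase(s)" % len(phrase_hits))

    subject = (msg["subject"] or "").strip().lower()
    if subject.startswith("re:"):
        reasons.append("subject is a reply, as the worm always sends")

    # The dropper name alone is decisive; the full fixed body text is as well.
    # An "RE:" subject by itself is only context and never triggers a verdict.
    full_body_match = len(phrase_hits) == len(WORM_BODY_PHRASES)
    verdict = "zippedfiles_reply" if attachment_hit or full_body_match else "clean"
    return verdict, reasons


if __name__ == "__main__":
    for label, sample in (("worm", WORM_REPLY), ("normal", NORMAL_REPLY)):
        verdict, reasons = classify_message(sample)
        print(label, verdict, reasons)
```

The verdict deliberately ignores the "RE:" subject on its own, since every ordinary reply carries it; the attachment name or the complete fixed body text is what identifies the worm.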

The worm copies itself to two files:

\WINDOWS\_SETUP.EXE
\WINDOWS\SYSTEM\EXPLORE.EXE

It also modifies WIN.INI so that one of these files is executed every time Windows starts. The worm works under Windows 95, 98 and NT. Under Windows NT the worm modifies the Registry instead, since the WIN.INI file is ignored there.

The worm activates when executed, truncating files with several extensions on local hard drives and network drives to zero bytes, making them unusable. The following file types are affected:

.DOC - Microsoft Word documents
.XLS - Microsoft Excel spreadsheets
.PPT - Microsoft PowerPoint presentations
.ASM - Assembler source files
.CPP - C++ source files
.C - C source files
.H - C header files
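Because the payload leaves the file names in place and only empties the contents, the scope of the damage can be measured by listing zero-byte files with the extensions above. The following is an added triage example and not part of the original description or of any F-Secure tool: it walks a directory tree, reports every empty file with a targeted extension, and counts hits per extension. The sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile

# Extensions the worm's payload truncates to zero bytes (from the list above).
TRUNCATED_EXTENSIONS = {".doc", ".xls", ".ppt", ".asm", ".cpp", ".c", ".h"}


def find_truncated(root):
    """Walk `root` and return sorted relative paths of zero-byte files whose
    extension is one the worm targets. A zero-byte .DOC or .XLS is a strong
    sign of the payload; an empty .H or .C can be legitimate, so treat those
    as leads to confirm against a backup or version control."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in TRUNCATED_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) == 0:
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def summarize(hits):
    """Count hits per extension so the scope of damage is visible at a glance."""
    counts = {}
    for path in hits:
        ext = os.path.splitext(path)[1].lower()
        counts[ext] = counts.get(ext, 0) + 1
    return counts


def build_sample_tree(root):
    """Constructed fixture: a mix of truncated and intact files."""
    layout = {
        "docs/report.doc": b"",            # truncated by the payload
        "docs/budget.xls": b"",            # truncated by the payload
        "docs/notes.txt": b"",             # empty but not a targeted extension
        "src/main.c": b"",                 # truncated by the payload
        "src/util.cpp": b"int f(void) { return 1; }\n",  # intact
        "src/util.h": b"int f(void);\n",   # intact
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo():
    """Run the triage against a temporary sample tree and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = find_truncated(tmp)
        return hits, summarize(hits)


if __name__ == "__main__":
    hits, counts = demo()
    for h in hits:
        print(h)
    print(counts)
```

Point `find_truncated` at a mapped network share as well as local drives, since the description notes the payload reaches both.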

Once the worm infects one machine in a corporate network, it starts looking for other Windows workstations in the network. If another user has shared directories from his machine for others, the worm will try to infect that machine over the network.

This means that your machine can get infected with the ZippedFiles worm even if you're very careful with your e-mail, do not open attachments, or you even stop using e-mail completely. You will not notice the infection, but your machine will start to automatically reply to all e-mails received thereafter. The replies contain an infected attachment and will spread the worm further. In addition, the worm will start to overwrite files on local and network drives.

In order to receive the worm over the company network, your machine must be running Windows 95 or 98 and must have either the system drive or the Windows directory shared for other users with full access rights. The shared drive does not have to be mounted to the infected system in order for the worm to spread, as the worm will browse all available drive shares in the network. By default, Windows does not share drives for use by other users, but many users do this to give fellow workers easy access to their files.

Under Windows 95/98 the worm uses a trick to make its disinfection more difficult. After writing its body to two files it modifies WIN.INI to run EXPLORE.EXE first. After a reboot, the worm, now running from EXPLORE.EXE, again modifies WIN.INI, but this time to run _SETUP.EXE. After the next reboot WIN.INI is modified again to run EXPLORE.EXE, and so forth.
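The practical consequence of the alternation above is that checking WIN.INI once tells you which copy runs at the next boot, not which copies exist, so a cleanup that removes only the currently referenced file leaves the other one in place. The following is an added example, not part of the original description or of any F-Secure product: it reads the run= and load= lines from the [windows] section of a WIN.INI text, flags entries that point at the worm's two file names, and produces a cleanup plan that always covers both dropped paths. The WIN.INI fragments are constructed for the example.

```python
import re

# Constructed WIN.INI fragment as it might look after infection (not a real capture).
INFECTED_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\EXPLORE.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed clean WIN.INI fragment for comparison.
CLEAN_WIN_INI = """\
[windows]
load=
run=
NullPort=None
"""

# File names and paths the worm drops, from the description above.
WORM_DROP_NAMES = {"_setup.exe", "explore.exe"}
WORM_DROP_PATHS = (r"\WINDOWS\_SETUP.EXE", r"\WINDOWS\SYSTEM\EXPLORE.EXE")


def autorun_entries(win_ini_text):
    """Return {'run': [...], 'load': [...]} parsed from the [windows] section."""
    entries = {"run": [], "load": []}
    section = None
    for line in win_ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in entries:
            # run= and load= may list several programs separated by spaces or commas;
            # paths containing spaces are not handled here (assumption for this example).
            entries[key] = [p for p in re.split(r"[ ,]+", value.strip()) if p]
    return entries


def flag_worm_autorun(win_ini_text):
    """Return (key, program) pairs whose base file name matches a worm drop name."""
    hits = []
    for key, programs in autorun_entries(win_ini_text).items():
        for program in programs:
            base = program.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if base in WORM_DROP_NAMES:
                hits.append((key, program))
    return hits


def cleanup_plan(win_ini_text):
    """Because the worm swaps the run= target between its two copies on every
    reboot, the plan removes BOTH dropped files, not only the one referenced."""
    hits = flag_worm_autorun(win_ini_text)
    if not hits:
        return {"infected": False, "remove_files": [], "clear_keys": []}
    return {
        "infected": True,
        "remove_files": list(WORM_DROP_PATHS),
        "clear_keys": sorted({key for key, _ in hits}),
    }


if __name__ == "__main__":
    print(flag_worm_autorun(INFECTED_WIN_INI))
    print(cleanup_plan(INFECTED_WIN_INI))
    print(cleanup_plan(CLEAN_WIN_INI))
```

Under Windows NT the description says the worm uses the Registry instead of WIN.INI, so this check only covers the Windows 95/98 mechanism.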


Variant: Zipped_Files.pak (I-Worm.ZippedFiles.packed, MiniZip, ExploreZip.packed, ExploreZip.pak)

Size: 120495

On the 30th of November a packed version of the Zipped_Files worm appeared. The worm executable is almost half the size of the original, as the file was packed with the NeoLite file compressor.

The first sample of this worm was received at F-Secure on Thursday, 10th of June, at 11:00 GMT. The worm has already been confirmed in several countries and appears to be spreading fast.


Variant: Zipped_Files.pak.b (ExploreZip.packed.b, I-Worm.ZippedFiles.packed.b, MiniZip.b, ExploreZip.pak.b)

Size: 137321

Another variant of the ExploreZip.packed worm appeared at the beginning of December 1999. This variant spreads itself with an Italian message. The worm's body is compressed with a different file compressor, APLib. Unlike its earlier versions, the worm drops a DRVSSRV.EXE or _SAVER.SCR file and spreads itself via Outlook as FILE_ZIPPATI.EXE.

[Mikko Hypponen, Alexey Podrezov, F-Secure]
