The replies look like this:
Subject: RE: subject_of_the_original_message
Hi sender_of_the_original_message !
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
If you receive a message like this, do not open zipped_files.exe.
It looks like a self-extracting WinZip file but it's not. If it
is opened, it will show a WinZip error message and then it will
send itself to more users via Outlook.
The displayed error message looks like this:
Cannot open file: it does not appear to be a valid archive.
If this file is part of a ZIP format backup set, insert the last
disk of the backup set and try again. Please press F1 for help.
The worm copies itself to two files:
It also modifies WIN.INI so one of these files gets executed
every time Windows starts. The worm works under Windows 95, 98
and NT. Under Windows NT the worm also modifies the Registry as
WIN.INI file is ignored.
The worm activates when executed, truncating files with several
extentions on local hard drive and network drives to zero bytes,
making them unusable. The following file types are affected:
.DOC - Microsoft Word documents
.XLS - Microsoft Excel spreadsheets
.PPT - Microsoft PowerPoint presentations
.ASM - Assembler source files
.CPP - C++ source files
.C - C source files
.H - C header files
Once the worm infects one machine in a corporate network, the
worm will start to look for other Windows workstations in the
network. If another user has shared directories from his machine
for others, the worm will try to infect this machine over the
This means that your machine can get infected with the
ZippedFiles worm even if you're very careful with your e-mail, do
not open attachments, or you even stop using e-mail completely.
You will not notice the infection, but your machine will start to
automatically reply to all e-mails received thereafter. The
replies contain an infected attachment and will spread the worm
further. In addition, the worm will start to overwrite files on
local and network drives.
In order to receive the worm over the company network, your
machine must be running Windows 95 or 98 and must have either the
system drive or the Windows directory shared for other users with
full access rights. The shared drive does not have to be mounted
to the infected system in order for the worm to spread, as the
worm will browse all available drive shares in the network. By
default, Windows does not share drives for use by other users,
but many users do this to give fellow workers easy access to
Under Windows 95/98 the worm uses a trick to make its
disinfection more difficult. After writing its body to two files
it modifies WIN.INI to run EXPLORE.EXE first. After reboot the
worm run from EXPLORE.EXE will again modify WIN.INI but this time
to run _SETUP.EXE. After reboot WIN.INI will be modified again to
run EXPLORE.EXE. And so forth.
|ALIAS:||I-Worm.ZippedFiles.packed, MiniZip, ExploreZip.packed, ExploreZip.pak|
On the 30th of November there appeared a packed version of
Zipped_Files worm. The size of the worm executable reduced almost
twice resulted from packing the file with NeoLite file
The first sample of this worm was received at F-Secure on
Thursday, 10th of June 11:00 GMT. The worm has been confirmed
from several countries already and it seems to be spreading
|ALIAS:||ExploreZip.packed.b, I-Worm.ZippedFiles.packed.b, MiniZip.b, ExploreZip.pak.b|
Another variant of ExploreZip.packed worm appeared in the
beginning of December 1999. This worm variant spreads itself with
an Italian message. The worm's body is compressed with a
different file compressor - APLib. The worm drops DRVSSRV.EXE or
_SAVER.SCR file and spreads itself via Outlook as
FILE_ZIPPATI.EXE unlike its earlier versions.
[Mikko Hypponen, Alexey Podrezov, F-Secure]