Additional Details
The worm is written in Delphi and is compressed with the UPX file
compressor. The packed file size is 91048 bytes; the unpacked
file size is over 230 kilobytes.
When the worm is run for the first time, it displays a fake error
message:
Error
Cannot open file: it does not appear to be a valid archive.
If this file is part of a ZIP format backup set, insert the
last disk of the backup set and try again. Please press F1 for help.
Then the worm copies itself as a 'zipped_files.zip' file to the
root folder of the C: drive, opens this file with the default ZIP file
viewer and then deletes the file. When WinZip is installed on
an infected system, it is started, but because the worm deletes
its file just after trying to open it, WinZip shows the
'zipped_files.zip' archive as empty.
Then the worm installs itself to the system. It copies itself as
'Explore.exe' to the Windows System directory. It modifies the WIN.INI
file by putting its execution string after the RUN= variable. This is
done to run the worm's file during every Windows session. On
NT-based systems the worm adds its execution string to the
Registry. On NT-based systems the worm can also install itself
as '_setup.exe' in the Windows directory, but this copy is not
activated.
To spread itself by e-mail, the worm connects to an infected
user's e-mail client using the MAPI interface, reads unanswered
e-mail messages and 'answers' them by sending itself to the
original senders. The infected message looks like this:
Subject:
RE: <the subject of the original message>
Body:
Hi ! I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs. bye.
Attachment:
zipped_files.exe
The worm can alter the message body by adding the recipient's name
after the 'Hi' string. It can also add a 'Sincerely' string followed by
the sender's name at the end of the message body. In this case the worm
does not add 'bye.' to the end of the message body.
The worm does not use the IFRAME trick to make its attachment run
automatically on a target system, so its spreading is limited.
However, the social engineering used by the worm can trick many
people into running the attached worm file.
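The fixed wording of the reply described above, together with the attachment name, gives a mail gateway enough to flag the worm's messages even in the 'Sincerely' variant. The following heuristic is an added example, not F-Secure's detection logic; the sample message is constructed.

```python
import email
from email import policy

WORM_ATTACHMENT = "zipped_files.exe"
# Phrases the worm keeps in every variant, even when it inserts a name after
# 'Hi' or replaces the trailing 'bye.' with a 'Sincerely' signature.
WORM_PHRASES = (
    "i received your email and i shall send you a reply asap",
    "take a look at the attached zipped docs",
)

def looks_like_explorezip(raw_message):
    """Return which ExploreZip indicators a raw RFC 822 message matches."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    names = [(part.get_filename() or "").lower() for part in msg.iter_attachments()]
    hits = {
        "reply_subject": subject.startswith("re:"),
        "body_phrases": all(phrase in body for phrase in WORM_PHRASES),
        "worm_attachment": WORM_ATTACHMENT in names,
    }
    # The subject alone is weak evidence (any reply starts with RE:), so the
    # verdict rests on the body text plus the attachment name.
    hits["verdict"] = hits["body_phrases"] and hits["worm_attachment"]
    return hits

# Constructed sample: the variant with a name after 'Hi' and a 'Sincerely' line.
SAMPLE_MESSAGE = """\
From: victim@example.test
To: sender@example.test
Subject: RE: Q3 budget figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Alice ! I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
Sincerely, Bob
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="zipped_files.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""
```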
The worm can infect computers over a local network. It looks for
computers that share resources with an infected system and, if it
finds such a computer, looks for the Windows folder there. If it is
found, the worm copies itself as a '_setup.exe' file to the remote
computer and modifies the WIN.INI file there. As a result the remote
computer will be infected with the worm when it is restarted. Only
Windows 9x systems are vulnerable to this, as the WIN.INI file is not
used to start programs on Windows NT-based systems.
The worm has a dangerous payload. It constantly looks for files
with the extensions listed below on all available drives:
.DOC - Microsoft Word documents
.XLS - Microsoft Excel spreadsheets
.PPT - Microsoft PowerPoint presentations
.ASM - Assembler source files
.CPP - C++ source files
.C - C source files
.H - C header files
When the worm finds a file with one of those extensions, it
overwrites it and then zeroes its length, so recovery becomes
impossible.
Manual Disinfection
If the ExploreZip worm is present in a network environment, the whole
network should be taken down to stop the worm's infection attempts. Then
all workstations should be disinfected separately. Only after every
single workstation is clean can network connections be re-enabled. The
reason for such drastic measures is that the worm is a very fast
infector: a single infected workstation can re-infect the whole network
in a few minutes.
The second step is killing the worm's processes in memory. To kill
the worm's processes, open Task Manager and end the processes with
the following names:
zipped_files.exe
Explore.exe
_setup.exe
Note that the worm's task is Explore.exe; do not confuse it with
the main Windows component Explorer.exe!
After that the following files need to be deleted from a hard
drive:
%windir%\_setup.exe
%winsysdir%\Explore.exe
where %windir% is the Windows directory and %winsysdir% is the Windows
System directory.
The final step is removing the worm's execution string from the WIN.INI
file on Windows 9x systems and from the Registry on Windows
NT-based systems. This is done to get rid of annoying Windows
messages about missing files.
Windows 9x systems: open the WIN.INI file located in the Windows
directory in any text editor and remove the worm's execution
string after the RUN= variable. It is advised to make a backup copy
of your WIN.INI file before editing.
Windows NT-based systems: open Registry Editor, locate the
following key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
Then delete the 'run' value in the key mentioned above. Please
note that editing the System Registry is not a simple task and this
operation is not advised for inexperienced users.
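Two of the disinfection checks above can be scripted for triage across many workstations: finding a RUN= entry in the [windows] section of WIN.INI that starts one of the worm's file names, and locating documents the payload has truncated to zero length. The script below is an added example, not an F-Secure tool; the WIN.INI fragment, its path and the sample directory tree are constructed.

```python
import os, tempfile

# File names the worm uses (from the description) and the extensions its payload truncates.
WORM_FILES = {"explore.exe", "_setup.exe", "zipped_files.exe"}
PAYLOAD_EXTENSIONS = (".doc", ".xls", ".ppt", ".asm", ".cpp", ".c", ".h")

def _basenames(run_value):
    # WIN.INI run= lists programs separated by spaces or commas; compare file names only,
    # so that 'Explorer.exe' is not mistaken for the worm's 'Explore.exe'.
    for token in run_value.replace(",", " ").split():
        yield token.replace("\\", "/").rsplit("/", 1)[-1].lower()

def worm_run_entries(win_ini_text):
    """Return run= values in the [windows] section that start one of the worm's files."""
    section, hits = None, []
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "run" and any(n in WORM_FILES for n in _basenames(value)):
                hits.append(value)
    return hits

def truncated_documents(root):
    """Return zero-length files with a payload extension: possible ExploreZip damage."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(PAYLOAD_EXTENSIONS) and os.path.getsize(path) == 0:
                hits.append(path)
    return sorted(hits)

def build_sample_tree():
    """Constructed sample: a truncated .DOC, an intact .XLS and an empty .TXT (not targeted)."""
    root = tempfile.mkdtemp(prefix="explorezip_demo_")
    open(os.path.join(root, "budget.DOC"), "wb").close()
    with open(os.path.join(root, "figures.xls"), "wb") as fh:
        fh.write(b"\xd0\xcf\x11\xe0 constructed OLE-like header")
    open(os.path.join(root, "notes.txt"), "wb").close()
    return root

# Constructed WIN.INI fragment; the path is an assumption, not taken from the description.
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\Explore.exe
"""
```

A zero-length file with one of these extensions is only an indicator; the description notes that the payload overwrites the file before truncating it, so a hit means the content is gone and must be restored from backup, not repaired.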
Detection
Detection in F-Secure Anti-Virus was published on January 8th,
2003 in update:
[FSAV_Database_Version]
Version=2003-01-08_04
[Analysis: A. Podrezov, K. Tocheva, M. Hypponen; F-Secure Corp.; January 8th, 2003]