MA-017.121999: New Variant of the ExploreZip Worm
Original Issue Date: 2nd December 1999
This worm is known as W32M/ExploreZip.worm.pak. It is a minor variant of the original W32/ExploreZip.worm in which the executable has been compressed. As a result, the new variant is not detected by most anti-virus programs whose definitions have not been updated very recently. The variant runs in its compressed form and is only expanded in memory, never on disk. It has the same characteristics as the original worm. For detailed information, refer to http://www.mycert.mimos.my/back.htm#explorezip. Below is a brief summary of this worm.
2.0 TECHNICAL MATTERS
Machines running Windows 95, 98 or NT.
Machines with file systems shared with read and write access that are exposed to infected systems.
Any mail handling system. These systems could experience performance degradation or a denial of service as a result of the propagation of this worm program.
2.2 Method of Infection
Opening an infected email attachment.
Shared folders with WRITE permission that are accessible from an infected machine.
The worm constantly monitors your mailbox for new mail and sends a copy of itself to the sender of each message received (Microsoft Outlook only).
The program scans all hard drives and shared disks from C to Z and truncates every file with the extension .h, .c, .cpp, .asm, .doc, .ppt or .xls to zero length. In short, it destroys your files.
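As an added defender-side illustration (not part of the original advisory), the Python script below turns the two behaviours described above into checks: a filesystem sweep for zero-byte files with the targeted extensions (the damage signature) and a mail check for the "zipped_files.exe" attachment name. The sample message is constructed for the self-check, not a real capture.

```python
import os
import email
from email import policy
from pathlib import Path

# Extensions the advisory says are reset to zero length, and the attachment
# name it gives for the worm's mail-borne copy.
TARGET_EXTENSIONS = {".h", ".c", ".cpp", ".asm", ".doc", ".ppt", ".xls"}
WORM_ATTACHMENT = "zipped_files.exe"


def find_truncated_files(root):
    """Return sorted paths of zero-byte files under root with a targeted extension."""
    # A zero-length .c or .doc file is the damage signature; restore from backup.
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() in TARGET_EXTENSIONS and path.stat().st_size == 0:
                hits.append(str(path))
    return sorted(hits)


def has_worm_attachment(raw_message):
    """Return True if any MIME part of the message is named zipped_files.exe."""
    # Case-insensitive match, since Windows filenames are case-insensitive.
    msg = email.message_from_string(raw_message, policy=policy.default)
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower() == WORM_ATTACHMENT:
            return True
    return False


# Constructed sample message (not a real capture) used for the self-check.
SAMPLE_MAIL = """\
Subject: Re: your document
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See the attached file.
--b1
Content-Type: application/octet-stream; name="ZIPPED_FILES.EXE"
Content-Disposition: attachment; filename="ZIPPED_FILES.EXE"

MZ
--b1--
"""
```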
3.0 POSSIBLE STEPS
The worm spreads by sending email messages to users. The email contains an infected attachment with the filename "zipped_files.exe". DO NOT open this attachment. Infection occurs only once the attachment is opened. Delete the email as soon as possible, including the copy that is sent to the Trash folder.
Change the permission on all shared folders to READ-ONLY.
3.2 Detection and Removal
Antivirus vendors worldwide have already taken the step to provide new updates for detection of this worm.
Refer to MyCERT web sites below for links to the respective sites.
Download and install the latest virus definition file.
Run a virus scan.
Below are special update files for detection of this worm from the respective antivirus vendors.
ZIPFILES.ZIP for F-Secure Anti-Virus
As of today, the following sites provide detection and/or removal for this virus.
KILLEZIP.ZIP from AVERT
Refer to the MyCERT Advisory below:
4.0 MORE INFORMATION
Last Update April 19, 2001