
MA-017.121999: New Variant of the ExploreZip Worm
Original Issue Date: 2nd December 1999

1.0 DESCRIPTION

    1.1 Overview

    This worm is known as W32M/ExploreZip.worm.pak. It is a minor variant of the original W32/ExploreZip.worm: this edition is a compressed copy of the executable, which makes it undetectable to most anti-virus programs that have not been updated very recently. The variant runs compressed and is expanded only in memory, never on disk. It has the same characteristics as the original variant. For detailed information, refer to http://www.mycert.mimos.my/back.htm#explorezip. Below is a brief summary of this worm.

2.0 TECHNICAL MATTERS

    2.1 Infected System

    1. Machines running Windows 95, 98 or NT.

    2. Machines with file systems shared with read and write access that are exposed to infected systems.

    3. Any mail handling system. These systems may experience performance degradation or a denial of service as a result of the worm's propagation.

    2.2 Method of Infection

    1. Opening an infected email attachment.

    2. Shared folders with WRITE permission that are exposed to an infected machine.

    2.3 Payload

    1. It constantly monitors your mailbox for new mail and sends itself to the sender of each message received (Microsoft Outlook only).

    2. The program scans all hard drives and shared disks from C to Z and resets the contents of every file with extension .h, .c, .cpp, .asm, .doc, .ppt or .xls to null. In short, it destroys your files.

3.0 POSSIBLE STEPS

    3.1 Precaution

    1. The worm travels by sending email messages to users. The email contains an infected attachment with the filename "zipped_files.exe". DO NOT open this attachment; infection occurs only when the attachment is opened. Delete the email as soon as possible, including the copy sent to the Trash folder.

    2. Change the permission on all shared folders to READ-ONLY.
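    Two defender-side checks that follow from sections 2.3 and 3.1, written here as an added example (not MyCERT's or any vendor's code): a mail-gateway filter that flags messages carrying an attachment named "zipped_files.exe" (case-insensitive, with any directory prefix stripped), and a post-infection triage pass that lists zero-length files with the extensions the payload wipes, as candidates for restore from backup. The sample message and the file list are constructed for illustration; the attachment body is a harmless placeholder.

```python
import email
import os
from email import policy

WORM_ATTACHMENT = "zipped_files.exe"  # attachment name given in the advisory
TARGET_EXTS = {".h", ".c", ".cpp", ".asm", ".doc", ".ppt", ".xls"}  # files the payload wipes

# Constructed sample message; the attachment body is a harmless placeholder, not the worm.
SAMPLE_MESSAGE = b"""\
From: sender@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Please see the attached file.
--BOUNDARY
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Zipped_Files.EXE"

placeholder-bytes
--BOUNDARY--
"""

def worm_attachments(raw_message: bytes) -> list:
    """Return attachment names that match the worm's filename, ignoring case and any path prefix."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container part, no attachment of its own
        name = part.get_filename()  # Content-Disposition filename=, else Content-Type name=
        base = name.replace("\\", "/").rsplit("/", 1)[-1].lower() if name else ""
        if base == WORM_ATTACHMENT:
            hits.append(name)
    return hits

def scan_tree(root: str):
    """Yield (path relative to root, size in bytes) for every file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            yield os.path.relpath(full, root).replace(os.sep, "/"), os.path.getsize(full)

def wiped_files(entries) -> list:
    """From (path, size) pairs, return paths with a targeted extension and zero length."""
    return sorted(p for p, size in entries
                  if os.path.splitext(p)[1].lower() in TARGET_EXTS and size == 0)
```

    Run the triage as wiped_files(scan_tree("C:/")) on a suspected machine; a file that was non-empty before the infection and is now listed is a restore candidate, while legitimately empty headers or stubs will also appear and must be checked against backups.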

    3.2 Detection and Removal

    Anti-virus users:
    Antivirus vendors worldwide have already released new updates for detection of this worm.

    1. Refer to the MyCERT web site below for links to the respective vendor sites.
      http://www.mycert.mimos.my/anti-virus.htm

    2. Download and install the latest virus definition file.

    3. Run a virus scan.

    Below are special update files, from the respective antivirus vendors, specifically for detection of this worm.

    1. ZIPFILES.ZIP for F-Secure Anti-Virus
      ftp://ftp.europe.datafellows.com/anti-virus/updates/avp/

    Non-antivirus users:
    As of today, the following sites offer detection and/or removal tools for this virus.

    1. KILLEZIP.ZIP from AVERT
      http://www.nai.com/asp_set/anti_virus/avert/tools.asp

    Manual Removal:
    Refer to the MyCERT Advisory below:
    http://mycert/virus-info/remove-explore.htm

4.0 MORE INFORMATION




Last Update April 19, 2001