W32/ExploreZip.worm.pak
aka ZIPPED_FILES.EXE, W32.ExploreZip, Worm.ExploreZip, 32/ExploreZip.worm.pak, W32/ExplorezipB
This is a 32-bit worm that spreads by sending email messages to users. It drops the file explore.exe and modifies either WIN.INI (Win9x) or the registry (WinNT). The worm attempts to invoke MAPI-aware email applications such as MS Outlook, MS Outlook Express and MS Exchange. It replies to messages received by the infected user with an email whose body reads:

Hi <Name Of Recipient> I have received your email and I shall send you a reply ASAP. Till then take a look at the attached

-OR- "I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs."

The subject line is not constant, as the message is a reply to a message sent to the infected user. The worm is attached as "zipped_files.exe", with a file size of 120,495 bytes (compressed). The file has a WinZip icon designed to fool unsuspecting users into running it as a self-extracting archive. Users who run the attachment are presented with a fake error message that says: "Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help."

This worm has a payload. Immediately after execution it searches all local drives for files of the following types: .c, .cpp, .h, .asm, .doc, .xls and .ppt. When found, they are opened for write and immediately closed, leaving them with a zero byte count. Approximately 30 minutes after infection this process is repeated. These zero-byte files are unrecoverable!

The worm also locates system drives which are NOT mapped drives, using functions from MPR.DLL and Network Neighborhood! On these systems, WIN.INI is modified with a run statement to load a file called _SETUP.EXE from the Windows path, and the file _SETUP.EXE is copied to the Windows path.
W32/ExploreZip worm removal under Windows 95/98
1. Remove the line "run = c:\windows\system\explore.exe" from WIN.INI.
2. Remove any instances of the worm as identified by Sweep.
3. Restart the machine, as the worm may still be an active task.

W32/ExploreZip worm removal under Windows NT
1. Remove the registry entry that refers to "\WINNT\SYSTEM32\EXPLORE.EXE".
2. Delete the file EXPLORE.EXE from the "\WINNT\SYSTEM32" directory.
W32/ExploreZip searches all accessible network drives for other installations of Windows 95/98. The worm installs a file called _SETUP.EXE and changes WIN.INI so that it is run the next time the remote copy of Windows 95/98 is started. If installations of Windows NT are found during the search of network drives, W32/ExploreZip will install the _SETUP.EXE file and make the change to WIN.INI, but the file will not be run when the Windows NT machine is restarted; _SETUP.EXE would need to be run manually on the remote machine to apply its registry changes and become active. If remote Windows installations are affected in this way, you should delete _SETUP.EXE and adjust WIN.INI and the registry accordingly.
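As an added example (not from the original page or any vendor tool), the following Python helper covers the two clean-up checks described above: stripping the WIN.INI run= entry that launches explore.exe or _SETUP.EXE while leaving other settings intact, and listing the zero-byte files of the targeted extensions so their owners can be told which documents are unrecoverable. The WIN.INI fragment and file names are constructed samples, and the logic runs on any filesystem path you point it at.

```python
import os
import re
from pathlib import Path

# Constructed WIN.INI fragment in the shape the page describes; not a real capture.
SAMPLE_WIN_INI = """[windows]
load=
run = c:\\windows\\system\\explore.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# File types the worm truncates to zero bytes.
TARGET_EXTENSIONS = {".c", ".cpp", ".h", ".asm", ".doc", ".xls", ".ppt"}

# Executable names the page associates with the worm.
WORM_BINARIES = ("explore.exe", "_setup.exe")


def _launches_worm(value: str) -> bool:
    """True if any program listed in a run= value is one of the worm binaries.
    Basenames are compared exactly, so a legitimate entry such as iexplore.exe
    is not mistaken for explore.exe."""
    for token in re.split(r"[\s,]+", value.strip()):
        if token and os.path.basename(token.replace("\\", "/")).lower() in WORM_BINARIES:
            return True
    return False


def strip_worm_run_lines(ini_text: str) -> tuple[str, list[str]]:
    """Return the WIN.INI text with worm run= entries removed, plus the dropped lines.
    Only run= keys naming a worm binary are touched; everything else is kept as-is."""
    kept, removed = [], []
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "run" and _launches_worm(value):
            removed.append(line)
            continue
        kept.append(line)
    trailing = "\n" if ini_text.endswith("\n") else ""
    return "\n".join(kept) + trailing, removed


def find_zeroed_documents(root: str) -> list[str]:
    """List files under root with a targeted extension that are now zero bytes."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in TARGET_EXTENSIONS and path.stat().st_size == 0:
            hits.append(str(path))
    return sorted(hits)
```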