W32/ExploreZip.N

Discussion in 'malware problems & news' started by Randy_Bell, Jan 8, 2003.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Panda Virus Encyclopedia - ExplorezipN


    Common name: ExplorezipN
    Technical name: W32/ExploreZip.N
    Threat level: Very low
    Type: Worm
    Effects: It modifies files with DOC, XLS, CPP, C, H and ASM extensions, rendering them useless.
    Systems affected: Windows XP/2000 Pro/NT/Me/98/95
    First appeared on: Jan. 08, 2003
    In circulation? No

    Brief Description

    ExploreZip.N is a worm that reaches computers in an e-mail message with the following attachment: ZIPPED_FILES.EXE. It mails itself out to all the entries found in Outlook's Address Book. To do this, it attaches itself to all the messages marked as unread in the Inbox, and proceeds to send reply messages to all of them.

    The effects of ExploreZip.N consist of changing certain files, truncating them to 0 Bytes. Affected files will have the following extensions: DOC, XLS, CPP, C, H and ASM.


    Visible Symptoms

    ExploreZip.N reaches computers in an e-mail message with the following characteristics:

    • Message:

      Hi !

      I recevied your email and I shall send you a reply ASAP.
      Till then, take a look at the attached zipped docs.
      Sincerely.

      Goat

    • Attachments:

      ZIPPED_FILES.EXE

    • When it carries out its infection, ExploreZip.N displays the following image on the screen:

      http://www.pandasoftware.com/img/enc/ExploreZip_img1.GIF

      Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help


    Effects

    The main effect of the ExploreZip.N worm consists of deleting the contents of files with the following extensions: DOC, XLS, C, CPP, H and ASM.


    Means of infection

    In order to carry out its infection, ExploreZip.N creates the following files in the Windows system directory:

    • EXPLORE in the Windows system folder.
    • _SETUP.EXE in the Windows folder.

    Then, it modifies the WIN.INI file in order to load itself at startup.

    ExploreZip.N creates the following entry in the Windows Registry:

    HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Windows with the key/value "run c:\winnt\system32\Explore.exe"

    This Registry key will only be modified on Windows NT systems.

    In addition, in Windows 98/95 the worm uses some specific techniques to make it more difficult to disinfect.


    Means of transmission

    ExploreZip.N spreads rapidly, using e-mail as follows:

    It reaches computers in a message with the following characteristics:

    • Subject: It varies on each occasion.
    • Message:

      Hi !

      I recevied your email and I shall send you a reply ASAP.
      Till then, take a look at the attached zipped docs.
      Sincerely.

      Goat
    • Attachments:

      ZIPPED_FILES.EXE

    When the attachment is run, it creates a new e-mail reply message for each of the unread messages found in the Inbox. This is the reason why the sender and subject of the messages will be different on each occasion.

    In addition, if ExploreZip.N is run on systems connected to a network, the worm takes advantage of this to spread to other computers connected to it.


    Other Details

    ExploreZip.N (91,048 Bytes) is compressed with UPX.

    Is my computer infected by ExplorezipN?

    In order to make absolutely sure that ExploreZip.N has not infected your computer, you have the following options:

    A. Carry out a full scan of your computer using Panda Antivirus, after checking that it is updated. If it isn't and you are a registered Panda Software client, update it by clicking here.

    B. Check the computer with Panda ActiveScan, Panda Software's free, online scanner, which will quickly detect any possible viruses.


    How to remove ExplorezipN

    If your Panda antivirus or Panda ActiveScan detects ExploreZip.N during the scan, it will automatically offer you the option of deleting it. Do this by following the program's instructions.

    Additional notes:

    • It is particularly important to scan all e-mail folders and all files received.
    • If your computer has Windows Millennium or Windows XP installed, click here to permanently remove all trace of the virus.


    How to protect your computer from ExplorezipN

    In order to keep your computer protected, bear the following tips in mind:
    • Install a good antivirus on your computer. Click here to get the Panda antivirus solution that best suits your needs.
    • Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
    • Keep your permanent antivirus protection enabled at all times.

    For more detailed information about how to protect your computer against viruses, click here.
     
  2. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    > Panda Virus Encyclopedia - ExplorezipN

    > First appeared on: Jan. 08, 2003

    Hmmmmm ..... about.com reported it as first appearing on 08 January too.

    NOD32 added detection on 07 January. (My time ... I'm a day ahead of the USA.)

    > In circulation? No

    Don't bet your bippy on that! :)
     
  3. Randy_Bell

    Sophos: W32/ExploreZi-N

    Sophos Virus Analysis: W32/ExploreZi-N

    Type
    Win32 worm


    Detection
    A virus identity file (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the February 2003 (3.66) release of Sophos Anti-Virus.

    At the time of writing Sophos has received just one report of this worm from the wild.


    Description
    W32/ExploreZi-N is an email worm which uses Microsoft Outlook to distribute multiple copies of itself. Other MAPI compliant browsers may also propagate the worm. Machines not running Outlook can still be infected with W32/ExploreZi-N.

    If you run the worm when Outlook is active, it mails a copy of itself in reply to all unread mail in your inbox in a message containing the text:

    Hi <Name Of Recipient> I have received your email and I shall send you a reply ASAP. Till then take a look at the attached zipped docs. bye.

    A file called ZIPPED_FILES.EXE is attached, and contains the worm.

    If the recipient double-clicks on the attachment, the worm is triggered on their computer. As a disguise, it displays the message: "Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help."

    The worm then copies itself into the system directory under the name EXPLORE.EXE, and modifies the WIN.INI file so that the infected file runs every time Windows is started.

    As an additional warhead, W32/ExploreZi-N reduces to zero length files of extension ASM, CPP, DOC, XLS, C, H and PPT in any accessible drive.


    Recovery
    W32/ExploreZi-N worm removal under Windows 95/98
    Remove the line "run = c:\windows\system\explore.exe" from "\windows\win.ini".
    Remove any instances of the worm as identified by Sweep.

    Restart the machine, as the worm may still be an active task. (You may need to close any such active tasks first).

    W32/ExploreZi-N worm removal under Windows NT
    Remove the registry entry:
    HCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows\run

    This will refer to "\WINNT\SYSTEM32\EXPLORE.EXE".

    Delete the file EXPLORE.EXE from the \WINNT\SYSTEM32 directory. You may need to enter Windows NT Task Manager, choose the "Processes" tab, and select "End Process" for any instance of EXPLORE.EXE.

    Furthermore, W32/ExploreZi-N searches all accessible network drives for other installations of Windows 95/98. The worm will install a file called _SETUP.EXE and make a change to WIN.INI so that it is run the next time the remote copy of Windows 95/98 is started.

    If installations of Windows NT are found during the search of network drives W32/ExploreZi-N will install the _SETUP.EXE file and make the change to WIN.INI, but the file will not be run when the Windows NT machine is restarted. _SETUP.EXE would need to be run manually on the remote machine to apply its registry changes and become active.

    If remote Windows installations are affected in this way you should delete the _SETUP.EXE and adjust the WIN.INI and registry accordingly.
     
  4. Randy_Bell

    I don't think NAV has detection yet (1/8/02), unless it's in the beta defs.
     


  5. Randy_Bell

    Trend: WORM_EXPLORZIP.M

    Trend Micro - WORM_EXPLORZIP.M

    Virus type: Worm
    Destructive: Yes
    Pattern file needed: 433
    Scan engine needed: 5.200

    Description:

    This slightly modified variant of WORM_EXPLOREZIP is a destructive, memory-resident worm that propagates by replying to all unread email messages in Microsoft Outlook, Microsoft Outlook Express, and other MAPI-enabled email clients and then attaching a copy of itself as ZIPPED_FILES.EXE in the said email.

    The email that it sends out has the same subject as the original but with the string “RE:” in the beginning.

    It sends email with the following details:

    Subject: RE: <Original Subject>
    Message Body: Hi!
    I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. Sincerely
    Attachment: zipped_files.exe

    This worm, which runs on Windows 95, 98, ME, NT, 2000, and XP, contains a destructive routine that empties all files with the following extensions:

    • C
    • CPP
    • H
    • ASM
    • DOC
    • XLS
    • PPT

    Solution:


    Identifying the Malware Program

    Before proceeding to remove this malware, first identify the malware program.

    Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_EXPLORZIP.M. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

    Terminating the Malware Program

    This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier as WORM_EXPLORZIP.M.


    • 1. Open Windows Task Manager.
      On Windows 9x/Millennium systems, press
      CTRL+ALT+DELETE
      On Windows NT/2000/XP systems, press
      CTRL+SHIFT+ESC, and click the Processes tab.
      2. In the list of running programs, locate the malware file or files detected earlier.
      3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
      4. Do the same for all detected malware files in the list of running processes.
      5. To check if the malware process has been terminated, close Task Manager, and then open it again.
      6. Close Task Manager.

    Removing Autostart Entries from System Files

    A malware may modify system files so that it automatically executes at every Windows startup. These startup entries must be removed before the system can be restarted safely.


    • 1. Open System Configuration Editor. To do this, click Start>Run, type SYSEDIT, then press Enter.
      2. In System Configuration Editor, select the WIN.INI window.
      3. Under the [windows] section, locate the lines that begin with:
      run =
      4. From the same lines, delete the malware path and filename:
      %System%\explore.exe
      *where %System% refers to the Windows system directory which is usually C:\Windows\System or C:\Winnt\System32.
      5. Close System Configuration Editor and click Yes when prompted to save.

    Running Trend Micro Antivirus

    Scan your system with Trend Micro antivirus and delete all files detected as WORM_EXPLORZIP.M. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

    Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network or home PC.

    Further Technical Details: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_EXPLORZIP.M&VSect=T

    Arrival and Installation

    This variant of WORM_EXPLOREZIP uses an icon similar to that of a Winzip file in an attempt to conceal its malicious nature. Upon execution, it displays a fake error message box containing the following text strings:

    Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help.

    It then creates a temporary file named ZIPPED_FILES.ZIP, opens it using the WinZip utility, and then deletes it after the user closes the WinZip window.

    It also drops a copy of itself in the Windows system folder as EXPLORE.EXE, a UPX-compressed program written in Delphi.

    Autostart Techniques

    This worm modifies the configuration file, WIN.INI, by creating an autorun entry to enable its automatic execution every Windows startup. The modified WIN.INI file appears as follows:

    [windows]
    run=%System%\explore.exe

    *where %System% refers to the Windows system directory which is usually C:\Windows\System or C:\Winnt\System32.

    Propagation

    Before it propagates on Win32 platforms, this worm first checks for the Windows Messaging Subsystem found in the following registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem

    On 16-bit platforms like Windows 3.x, it gathers this information from the WIN.INI file.

    If any of these are NOT found, this worm does not proceed with its propagation routine. Otherwise, it continues with the following routine:

    It propagates by sending copies of itself via email using Microsoft Messaging API (MAPI32) as the attachment ZIPPED_FILES.EXE. It does this by replying to all unread email messages in MAPI based email clients.
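    The manual clean-up in the Trend Micro and Sophos write-ups above comes down to one check: does the [windows] section of WIN.INI carry a run= entry pointing at the worm's dropped file? The script below is an added example, not code from Trend Micro, Sophos, Panda or the forum posters. It parses that section, flags run= (and, as a small generalization, load=) programs whose file name is explore.exe or _setup.exe, and returns the file text with those entries removed while leaving any other program on the same line in place. The sample WIN.INI is constructed for the demonstration, and the match is on the exact basename, so the legitimate shell binary explorer.exe is never flagged.

```python
"""Triage and clean the WIN.INI autostart entries ExploreZip adds.

Added example, not code from Trend Micro, Sophos or the forum posters.
Parses the [windows] section of a WIN.INI, flags run=/load= programs whose
file name is one the worm drops, and rewrites the file with those entries
removed. The sample WIN.INI is constructed for the demonstration.
"""
import ntpath
import re

# Dropped file names from the vendor write-ups. explorer.exe (the real shell)
# is a near-lookalike and is intentionally NOT in this set.
WORM_BASENAMES = {"explore.exe", "_setup.exe"}

# Keys in [windows] that start programs at logon; the worm uses run=.
AUTOSTART_KEYS = ("run", "load")

# WIN.INI lets one run= line name several programs, separated by spaces
# or commas (8.3-era paths, so spaces inside a path are not expected).
_SPLIT = re.compile(r"[,\s]+")


def _is_section(line):
    return line.startswith("[") and line.endswith("]")


def _programs(value):
    return [p for p in _SPLIT.split(value.strip()) if p]


def parse_windows_section(ini_text):
    """Return {key: [programs]} for run=/load= lines inside [windows]."""
    entries = {}
    in_windows = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if _is_section(line):
            in_windows = line[1:-1].strip().lower() == "windows"
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if in_windows and sep and key in AUTOSTART_KEYS:
            entries.setdefault(key, []).extend(_programs(value))
    return entries


def flag_worm_entries(ini_text):
    """List (key, program) pairs whose file name matches a worm indicator."""
    return [(key, prog)
            for key, progs in parse_windows_section(ini_text).items()
            for prog in progs
            if ntpath.basename(prog).lower() in WORM_BASENAMES]


def clean_ini(ini_text):
    """Return ini_text with worm programs removed from [windows] run=/load=.

    Other programs on the same line are kept; a line left empty is dropped,
    matching the manual step in the vendor write-ups. Everything else is
    passed through untouched.
    """
    out = []
    in_windows = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if _is_section(line):
            in_windows = line[1:-1].strip().lower() == "windows"
            out.append(raw)
            continue
        key, sep, value = line.partition("=")
        if in_windows and sep and key.strip().lower() in AUTOSTART_KEYS:
            keep = [p for p in _programs(value)
                    if ntpath.basename(p).lower() not in WORM_BASENAMES]
            if keep:
                out.append(f"{key.strip()}={' '.join(keep)}")
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample: one dropped copy on run=, one on load=, one benign program.
SAMPLE_WIN_INI = r"""[windows]
load=C:\WINDOWS\_SETUP.EXE
run=C:\WINDOWS\SYSTEM\EXPLORE.EXE C:\TOOLS\CLOCK.EXE
NullPort=None
[Extensions]
txt=notepad.exe ^.txt
"""

if __name__ == "__main__":
    for key, prog in flag_worm_entries(SAMPLE_WIN_INI):
        print(f"suspicious {key}= entry: {prog}")
    print(clean_ini(SAMPLE_WIN_INI))
```

    On a real machine the text would come from %WINDIR%\WIN.INI and the cleaned result written back only after the running EXPLORE.EXE process has been ended, as the Trend and McAfee steps describe; otherwise the worm can simply re-add the entry.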
     
  6. Randy_Bell

    McAfee: W32/ExploreZip.worm@M

    McAfee Security - W32/ExploreZip.worm@M

    Name: W32/ExploreZip.worm@M
    Risk Assessment
    - Home Users: Low-Profiled
    - Corporate Users: Low-Profiled
    Date Discovered: 6/9/1999
    Date Added: 9/7/1999
    Origin: N/A
    Length: 210,432 bytes
    Type: Virus
    SubType: Win32
    DAT Required: 4030

    Virus Characteristics

    -- Update January 8, 2003 --
    A repackaged version of this worm was discovered in the wild. The file size of the executable is 91,048 bytes. Detection is included in the 4241 DAT release. This threat is considered to be Low-Profiled due to the About.com article "Variant of ExploreZip Discovered".

    This is a 32-bit worm that travels by sending email messages to users. It drops the file explore.exe and modifies either the WIN.INI (Windows 9x/Millennium) or modifies the registry (Windows NT/2K/XP).

    This worm attempts to invoke MAPI-aware email applications such as MS Outlook, MS Outlook Express and MS Exchange. This worm replies to messages received by sending an email message with the following body:

    "I received your email and I shall send you a reply ASAP.
    Till then, take a look at the attached zipped docs. "


    The subject line is not constant as the message is a reply to a message sent to the infected user. The worm is named "zipped_files.exe" as the attachment, with a file size of 210,432 bytes. The file has a Winzip icon which is designed to fool unsuspecting users into running it as a self-extracting file. Users who run this attachment will be presented with a fake error message that says:

    "Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help."


    Payload Notice

    This worm has a payload. Immediately after execution it will search all local drives for the following files types .c, .cpp, .h, .asm, .doc, .xls, or .ppt. When found, they are opened for write and immediately closed leaving them with a zero byte count. Approximately 30 minutes after infection this process is repeated. Files that have been affected by this payload will need to be restored from backup. Repair is not possible.

    This worm will locate system drives which are NOT mapped drives using functions from MPR.DLL and Network Neighborhood! On these systems, the WIN.INI is modified with a run statement to load a file called _SETUP.EXE from the Windows path, and the file _SETUP.EXE is copied to the Windows path. These systems will become infected when restarted. This worm will only try such systems once, whereas it constantly attempts to re-infect systems which are mapped drives. Secondly, a machine infected via another share will switch between _setup and explore per reboot.


    Indications Of Infection

    Existence of any of the 3 file names mentioned above [note EXPLORER.EXE is a valid name - do not confuse this name]. Process running as mentioned above, files being corrupted / deleted as mentioned above.


    Method Of Infection

    Running the file will directly infect the local system by installing itself and running memory resident, then it will use browsing of the network to locate available shares.


    Removal Instructions

    All Users:
    Use specified engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Alternatively, manual removal is possible using the instructions below.

    Terminating the service running at the local machine is the first thing that should be done. After the process is terminated, delete the files which are part of the worm process as listed above. If you are unable to terminate the process using the task list (CTRL-ALT-DEL), use the steps below to manually edit your configuration file on Windows 9x systems.

    Windows 95/98/Millennium
    1. Run the System Configuration Editor
    2. Select the Start menu from your desktop and Run SYSEDIT.EXE
    3. Select the C:\WINDOWS\WIN.INI window.
    4. In the line run =, remove listings that match either of these

    run=C:\WINDOWS\SYSTEM\EXPLORE.EXE
    run=C:\WINDOWS\_SETUP.EXE

    5. Select File > Save, then Exit.
    6. Select the Start menu and Shutdown -
    7. Choose Restart the computer in MS-DOS mode and click YES (This action purges EXPLORE.EXE from system memory.)
    8. Once your PC is in DOS, type EXIT to return to Windows. (This action reloads Windows without EXPLORE.EXE in memory.)
    9. In Windows, remove the file, EXPLORE.EXE, from your system
    10. Click Start > Find > Files or Folders
    11. In the Find: All Files dialog box, type EXPLORE.EXE in the Name field
    12. Click Find Now
    13. Delete EXPLORE.EXE
    14. Repeat step 10 through 13 for both _SETUP.EXE and ZIPPED_FILES.EXE

    Windows NT/2K/XP

    In Windows NT, this worm will run as a process by one of the following names - explore, zipped_f, zipped_files or _setup in WinNT Task Manager. You can experience high CPU utilization when the process is running. End process names which match, noting that explorer is the default Windows shell and is a valid task!

    1. Run the WinNT Registry Editor - Click Start > Run > Open REGEDIT (not REGEDT32).
    2. Locate the hive [HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Windows].
    3. Highlight the following key

    run=C:\WINNT\System32\Explore.exe

    and remove by pressing the Delete button.
    4. Edit WIN.INI and remove either of these lines if they exist

    run=c:\winnt\system32\explore.exe
    run=c:\winnt\_setup.exe

    5. Restart Windows NT - Click Start > Shutdown. Select Restart and click OK. (Your system will now reboot.)
    6. Remove the file, EXPLORE.EXE, from your system
    7. Click Start > Find > Files or Folders
    8. In the Find: All Files dialog box, type EXPLORE.EXE in the (Named) field
    9. Click Find Now - delete EXPLORE.EXE
    10. Repeat Step 6 through 9 for _SETUP.EXE and ZIPPED_FILES.EXE.


    Aliases

    I-Worm.ExploreZip, I-Worm/ExploreZip.F, TROJ_EXPLOREZIP, W32/ExploreZip.gen@M, W32/ExploreZip@M, W32/ExploreZip@MM, W95/ExploreZip.worm.210432, Worm.ExploreZip
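    The McAfee description above gives a responder the two things to sweep for after this worm: the dropped file names (EXPLORE.EXE, _SETUP.EXE, ZIPPED_FILES.EXE, not to be confused with the legitimate EXPLORER.EXE) and the payload's footprint, targeted files left at zero bytes that can only be restored from backup. The script below is an added example, not McAfee's code or the poster's. It walks a directory tree, reports dropped-file matches by exact basename, and lists zero-length files with the targeted extensions, summarized per extension for the restore list. The sample tree is constructed in a temporary directory; real use would point the functions at the system and data drives, and at any network shares the infected machine could reach.

```python
"""Post-infection sweep for ExploreZip: dropped files and truncated documents.

Added example, not code from McAfee or the forum post. Two passes over a
tree: exact-basename matches for the worm's dropped files, and zero-length
files with the payload's target extensions (the files that must be
restored from backup). The sample tree is constructed for the demo.
"""
import os
import tempfile

# Dropped-file names from the write-ups; EXPLORER.EXE is the legitimate
# shell and is deliberately absent from this set.
DROPPED_NAMES = {"explore.exe", "_setup.exe", "zipped_files.exe"}

# Extensions the payload empties (PPT is listed by Sophos, Trend and McAfee).
TARGET_EXTS = {".c", ".cpp", ".h", ".asm", ".doc", ".xls", ".ppt"}


def _walk_files(root):
    """Yield (relative_posix_path, absolute_path) for every file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def find_dropped_files(root):
    """Files whose basename exactly matches a worm drop name (case-insensitive)."""
    return sorted(rel for rel, _full in _walk_files(root)
                  if os.path.basename(rel).lower() in DROPPED_NAMES)


def find_truncated(root, exts=TARGET_EXTS):
    """Zero-length files with a targeted extension: the payload's footprint."""
    hits = []
    for rel, full in _walk_files(root):
        if os.path.splitext(rel)[1].lower() not in exts:
            continue
        try:
            if os.path.getsize(full) == 0:
                hits.append(rel)
        except OSError:
            continue  # unreadable entry: skip it rather than abort the sweep
    return sorted(hits)


def summarize(hits):
    """Count truncated files per extension for the restore ticket."""
    counts = {}
    for rel in hits:
        ext = os.path.splitext(rel)[1].lower()
        counts[ext] = counts.get(ext, 0) + 1
    return counts


def build_sample_tree():
    """Construct a small tree that mimics an infected machine; returns its root."""
    root = tempfile.mkdtemp(prefix="explorezip_sweep_")
    spec = {
        "WINDOWS/SYSTEM/EXPLORE.EXE": b"MZ",   # dropped worm copy
        "WINDOWS/_SETUP.EXE": b"MZ",           # dropped for network spread
        "WINDOWS/EXPLORER.EXE": b"MZ",         # legitimate shell, must not match
        "src/main.c": b"",                     # emptied by the payload
        "src/util.h": b"",
        "src/notes.txt": b"",                  # zero bytes but not a targeted type
        "docs/report.doc": b"",
        "docs/budget.xls": b"\xd0\xcf\x11\xe0 intact",  # untouched, has content
    }
    for rel, data in spec.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel in find_dropped_files(demo_root):
        print("worm file:", rel)
    truncated = find_truncated(demo_root)
    for rel in truncated:
        print("restore from backup:", rel)
    print(summarize(truncated))
```

    A zero-length .doc or .c is not proof of this worm on its own (empty files exist legitimately), so the per-extension counts are best read against the dropped-file hits and the process list; a sudden cluster of empty documents alongside EXPLORE.EXE in the system directory is the pattern the write-ups describe.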
     
  7. rodzilla


    "NOD32 - tomorrow's virus detection today!" :) :) :)
     
  8. Randy_Bell

    Does NOD have these Lirva worms covered? They've become a significant threat. :D
     


  9. rodzilla

    Yep ... THREE variants.
     
  10. Randy_Bell

    Hi Rod, we have detection now (see attached pic). Hehe before you get too overconfident, I know for a fact that NAV got detection on Yaha.K almost a week before NOD was detecting it as Yaha.N. Sometimes you win some, sometimes you lose: but really, we're all in this malware game together: it's the malware (worms, trojans, viruses, exploits) -- not each other -- that we're trying to defeat! :D
     


  11. Randy_Bell

    Here's the evidence backing up my statement:

    Symantec: W32.Yaha.K@mm
    securityresponse.symantec.com/avcenter/venc/data/w32.yaha.k@mm.html
    (this darn forum software won't post URLs that contain the '@' symbol)
    Discovered on: December 24, 2002

    Eset: Win32/Yaha.N
    (see attached pic of Eset Update)
    Discovered on: December 30, 2002

    As I said, it doesn't matter that much, just wanted to send you a heads-up that NOD isn't always first to detection. Speaking of what's important: welcome back, Rod! Soooo glad to see you back as your usual NOD-defending self (grin)! :D
     


  12. Randy_Bell

    Symantec Was NOT Late to Detection

    Symantec appears a couple of days late to the party (discovery date listed as 1/10/03), but they state they were detecting this worm under the old name Worm.ExploreZip as early as 1/08/03:

    Symantec Security Response - W32.ExploreZip.L.Worm

    W32.ExploreZip.L.Worm is a variant of Worm.ExploreZip, a worm that contains a malicious payload. The file has been repacked to make it more difficult to detect with older, existing antivirus software. This worm is packed with the UPX file format, version 0.76.1-1.24.

    The worm uses Microsoft Outlook, Outlook Express, or Exchange to mail itself, by replying to unread messages in the Inbox. The email attachment is titled Zipped_files.exe.

    W32.ExploreZip.L.Worm also searches the mapped drives and network computers for Windows installations. If they are found, the worm copies itself to the \Windows folder of the remote computer, and then modifies the Win.ini file of the infected computer.

    Definitions dated from January 8, 2003 to January 10, 2003 will detect this worm as Worm.ExploreZip.

    Also Known As: W32/ExploreZip.worm@M [McAfee], I-Worm.ZippedFiles.h [KAV], WORM_EXPLORZIP.M [Trend], Win32/ExploreZip.Worm [CA], W32/ExploreZip.E [F-Prot], W32/ExploreZip.worm.210432 [F-Prot]
    Type: Worm
    Infection Length: 91,048 [UPX], 210,432 [uncompressed]
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Windows 3.x, Macintosh, OS/2, UNIX, Linux
     