Kontakt
Über Avira
Presse
Beta-Test
Language:
Deutsch
English
Deutsch
Français
Español
Italiano
Português
Русский
Privatanwender
Avira Antivirus Premium
Avira Internet Security
Unternehmen
Client/Server
Avira Professional Security
Avira Server Security
Avira Business Security Suite
Avira Endpoint Security
Small Business
Managed Services
Gateways
Avira AntiVir MailGate
Avira MailGate Suite
Avira AntiVir Exchange
Avira AntiVir WebGate
Avira WebGate Suite
Avira AntiVir GateWay Bundle
Avira AntiVir SharePoint
Integrierte Technologie
Anti-Malware SDK (SAVAPI)
Antispam SDK (SPACE)
Rebranding & Bündelung
Gemeinsam zum Ziel
Avira AntiVir für KEN! 4
Avira AntiVir + AntiSpam für KEN! 4
Avira WebProtector für KEN! 4
Bildungsrabatt
Support
Privatanwender
Übersicht
Aktuelles
Video-Tutorials
Wissensdatenbank
Unternehmen
Übersicht
Aktuelles
Wissensdatenbank
Virenlabor
Virenbeschreibungen
Statistiken
VDF History
In-the-Wild-Viren
Virenlexikon
Verdächtige Datei übermitteln
Download
Produktdownloads
Technische Dokumentation
Product Lifecycle
VDF Update
Partner
Partnersuche
Partner werden
Affiliate
Free
Download
Suche
Zusammenfassung
Vollständige Beschreibung
Statistiken
Alias:
Zipped_Files
Type:
Worm
Size:
91,048 bytes
Origin:
unknown
Date:
08-01-2003
Damage:
VDF Version:
Danger:
Medium
Distribution:
Medium
General Description
Worm/ExploreZip.E spreads through Outlook, Exchange or NetScape Mail. It makes all .DOC, .XLS, .CPP, .C and .H of 0 bytes size.
Symptoms
It makes all .DOC, .XLS, .CPP, .C and .H of 0 bytes size.
Distribution
Sends itself by email as executable .EXE.
Technical Details
If you receive an email with the text: "Hi [recipient's name]! I received your Email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. Bye", then this is the virus.
This virus, like Melissa, uses the email settings of the windows system. It spreads through Outlook, Exchange or NetScape Mail. It reduces the files - even over the network - to 0 bytes! W32/ExploreZip spreads over email on Windows 9x and Windows NT computer systems. As email program, any MAPI email client is used. Some of them:
* MS Outlook
* NetScape Mail
* MS Exchange
* Outlook Express
When active, it sends itself by MAPI commands, with the attachment name "zipped_files.exe". Unlike Melissa, W32/ExploreZip sends itself to the addresses of the unanswered emails from inbox. Melissa, on the contrary, used to send itself to up to 50 contacts from Address Book. This way, the email doesn't look awkward. It is only an answer to an inbox mail (to a known recipient).
An infected mail looks like this:
From: [sender's name]
Subject: re:[Subject of unanswered mail]
To: [recipient's name]
Hi [recipient's name] !
I received your Email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
Bye or sincerely
[sender's name]
Attachment: zipped_files.exe
When the infected attachment is opened, the following notice appears:
"Error- Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help."
But in this time, the virus is already active and "at work". It copies itself either with the name "Explore.exe" or "_setup.exe" in %windir%\System (c:\windows\system) under Windows 9x, %windir%\System32 (c:\winnt\system32) under Windows NT, respectively. Thus, the worm will be able to answer more inbox messages. Then it modifies the WIN.INI under Windows 9x, or the register, under Windows NT. This modification enables the virus to start by the next system start-up. Thus, the worm will be able to answer more inbox messages.
In its damage routine, the worm is multi-threading: it creates two "killer-threads". One of the threads is for email handling and the other is for emptying the files. The first one monitors the inbox by MAPI. Thus it reacts immediately to new entries and to unread messages also. A second thread "loosens" files with the following extensions: .doc, .c, .cpp, .h, .asm, .xls and .ppt. This is made using the Windows function "Create file" from 0 bytes! Thus, the files are not deleted, but they are waiting in the Recycle Bin, not able to be restored, because the data is "lost". This can be done on a hidden hard disk also. So the virus "looses" files from the mapped Z drive (WnetEnumResource"). The virus payload is active for so long as the virus is in memory.
Manual Remove Instructions
The virus can be removed by simply deleting the infectious files and by modifying the WIN.INI/ registry.
1. For removing the auto start routine:
Delete the following lines in Windows 9x WIN.INI (using RegEdit):
run=C:\WINDOWS\SYSTEM\Explore.exe or
run=C:\WINDOWS\SYSTEM\_setup.exe
or delete the following registry entries from Windows NT:
run=C:\WINNT\SYSTEM32\Explore.exe or
run=C:\WINNT\SYSTEM32\_setup.exe
2. For removing the virus:
The virus should auto delete by the next start or ending from Task manager. The file is named "Explorer.exe" or "_setup.exe" in one of the following directories:
- under Windows 9x c:\windows\system\
- under Windows NT c:\winnt\system32\
Die Beschreibung wurde erstellt von Crony Walker am Dienstag, 15. Juni 2004
zurück
.
.
.
.
