Need help? Ask the community or hire an expert.
Go to Avira Answers
Alias:Worm.Explore.Zip, Zipped Files, Troj.Explore.Zip
Type:Worm 
Size:210.432 Bytes 
Origin: 
Date:06-11-1999 
Damage:Spreads using Outlook, Exchange or NetScape Mail  
VDF Version:6.20.00.00 
Danger:High 
Distribution:Medium 

DistributionThe email structure:
Subject: re:[subject of the un-answered message]
Body: Hi [Name of recipient] ! I received your Email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. Bye or sincerely [Name of the sender]
Attachment: zipped_files.exe

Technical DetailsWhen the infected attachment is opened, an error message appears on the screen.
The virus is already active and "at work". It copies itself as "Explore.exe" or "setup.exe" in System directory: %windir%\%SystemDir% (usually c:\windows\system) on Windows 9x, or %windir%\%SystemDir% (usually c:\winnt\system32) on Windows NT.
Then, it modifies WIN.INI on Windows9x, or the registry on Windows NT. Thus, the virus is activated by every system start-up. The worm can also reply to incoming emails.
It uses two "killer threads". One of them "processes" the emails, the other "empties" the files with extension: .doc, .c, .cpp, .h, .asm, .xls, .ppt. It empties the files using the Windows function "CreateFile" with 0 Byte. These "shrunk" files can not be restored, because the content is "lost". To "empty" the files, a strong harddisk activity is needed. The virus also "empties" files from mapped drives all the way to "Z:" drive ("WnetEnumResource"). The virus payload is active as long as the virus itself is in memory.
Description inserted by Crony Walker on Tuesday, June 15, 2004

Back . . . .