Need help? Ask the community or hire an expert.
Go to Avira Answers
Alias:Zipped_Files
Type:Worm 
Size:91,048 bytes 
Origin:unknown 
Date:08-01-2003 
Damage: 
VDF Version:  
Danger:Medium 
Distribution:Medium 

General DescriptionWorm/ExploreZip.E spreads through Outlook, Exchange or NetScape Mail. It makes all .DOC, .XLS, .CPP, .C and .H of 0 bytes size.

SymptomsIt makes all .DOC, .XLS, .CPP, .C and .H of 0 bytes size.

DistributionSends itself by email as executable .EXE.

Technical DetailsIf you receive an email with the text: "Hi [recipient's name]! I received your Email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. Bye", then this is the virus.

This virus, like Melissa, uses the email settings of the windows system. It spreads through Outlook, Exchange or NetScape Mail. It reduces the files - even over the network - to 0 bytes! W32/ExploreZip spreads over email on Windows 9x and Windows NT computer systems. As email program, any MAPI email client is used. Some of them:

* MS Outlook
* NetScape Mail
* MS Exchange
* Outlook Express

When active, it sends itself by MAPI commands, with the attachment name "zipped_files.exe". Unlike Melissa, W32/ExploreZip sends itself to the addresses of the unanswered emails from inbox. Melissa, on the contrary, used to send itself to up to 50 contacts from Address Book. This way, the email doesn't look awkward. It is only an answer to an inbox mail (to a known recipient).

An infected mail looks like this:

From: [sender's name]
Subject: re:[Subject of unanswered mail]
To: [recipient's name]
Hi [recipient's name] !
I received your Email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
Bye or sincerely
[sender's name]
Attachment: zipped_files.exe

When the infected attachment is opened, the following notice appears:
"Error- Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help."

But in this time, the virus is already active and "at work". It copies itself either with the name "Explore.exe" or "_setup.exe" in %windir%\System (c:\windows\system) under Windows 9x, %windir%\System32 (c:\winnt\system32) under Windows NT, respectively. Thus, the worm will be able to answer more inbox messages. Then it modifies the WIN.INI under Windows 9x, or the register, under Windows NT. This modification enables the virus to start by the next system start-up. Thus, the worm will be able to answer more inbox messages.

In its damage routine, the worm is multi-threading: it creates two "killer-threads". One of the threads is for email handling and the other is for emptying the files. The first one monitors the inbox by MAPI. Thus it reacts immediately to new entries and to unread messages also. A second thread "loosens" files with the following extensions: .doc, .c, .cpp, .h, .asm, .xls and .ppt. This is made using the Windows function "Create file" from 0 bytes! Thus, the files are not deleted, but they are waiting in the Recycle Bin, not able to be restored, because the data is "lost". This can be done on a hidden hard disk also. So the virus "looses" files from the mapped Z drive (WnetEnumResource"). The virus payload is active for so long as the virus is in memory.

Manual Remove InstructionsThe virus can be removed by simply deleting the infectious files and by modifying the WIN.INI/ registry.

1. For removing the auto start routine:

Delete the following lines in Windows 9x WIN.INI (using RegEdit):

run=C:\WINDOWS\SYSTEM\Explore.exe or
run=C:\WINDOWS\SYSTEM\_setup.exe

or delete the following registry entries from Windows NT:

run=C:\WINNT\SYSTEM32\Explore.exe or
run=C:\WINNT\SYSTEM32\_setup.exe

2. For removing the virus:

The virus should auto delete by the next start or ending from Task manager. The file is named "Explorer.exe" or "_setup.exe" in one of the following directories:
- under Windows 9x c:\windows\system\
- under Windows NT c:\winnt\system32\
Description inserted by Crony Walker on Tuesday, June 15, 2004

Back . . . .