Contact
A propos d'Avira
Presse
Version bêta
Language:
Français
English
Deutsch
Français
Español
Italiano
Português
Русский
Particuliers
Avira Antivirus Premium
Avira Internet Security
Entreprises
PC/serveurs
Avira Professional Security
Avira Server Security
Avira Business Security Suite
Avira Endpoint Security
PME
Services hébergés
Passerelles
Avira AntiVir MailGate
Avira MailGate Suite
Avira AntiVir Exchange
Avira AntiVir WebGate
Avira WebGate Suite
Avira AntiVir GateWay Bundle
Avira AntiVir SharePoint
Intégration
Anti-Malware SDK (SAVAPI)
Antispam SDK (SPACE)
Rebranding et regroupement
Services d’intégration
Remise Enseignement
Support
Particuliers
Aperçu
Dernières actualités
Tutoriels vidéo
Base de connaissances
Entreprises
Aperçu
Dernières actualités
Base de connaissances
Laboratoire antivirus
Descriptions de virus
Statistiques
Historique VDF
Virus "In the Wild"
Science des virus
Soumettre le Fichier Suspect
Téléchargements
Téléchargement produits
Documentation technique
Cycle de vie des produits
Mise à jour VDF
Partenaires
Trouver un partenaire
Devenir partenaire Avira
Société affiliée
Version gratuite
Télécharger
Rechercher
Brève description
Description complète
Statistiques
Alias:
Zipped_Files
Type:
Worm
Size:
91,048 bytes
Origin:
unknown
Date:
08-01-2003
Damage:
VDF Version:
Danger:
Medium
Distribution:
Medium
General Description
Worm/ExploreZip.E spreads through Outlook, Exchange or NetScape Mail. It makes all .DOC, .XLS, .CPP, .C and .H of 0 bytes size.
Symptoms
It makes all .DOC, .XLS, .CPP, .C and .H of 0 bytes size.
Distribution
Sends itself by email as executable .EXE.
Technical Details
If you receive an email with the text: "Hi [recipient's name]! I received your Email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. Bye", then this is the virus.
This virus, like Melissa, uses the email settings of the windows system. It spreads through Outlook, Exchange or NetScape Mail. It reduces the files - even over the network - to 0 bytes! W32/ExploreZip spreads over email on Windows 9x and Windows NT computer systems. As email program, any MAPI email client is used. Some of them:
* MS Outlook
* NetScape Mail
* MS Exchange
* Outlook Express
When active, it sends itself by MAPI commands, with the attachment name "zipped_files.exe". Unlike Melissa, W32/ExploreZip sends itself to the addresses of the unanswered emails from inbox. Melissa, on the contrary, used to send itself to up to 50 contacts from Address Book. This way, the email doesn't look awkward. It is only an answer to an inbox mail (to a known recipient).
An infected mail looks like this:
From: [sender's name]
Subject: re:[Subject of unanswered mail]
To: [recipient's name]
Hi [recipient's name] !
I received your Email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
Bye or sincerely
[sender's name]
Attachment: zipped_files.exe
When the infected attachment is opened, the following notice appears:
"Error- Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help."
But in this time, the virus is already active and "at work". It copies itself either with the name "Explore.exe" or "_setup.exe" in %windir%\System (c:\windows\system) under Windows 9x, %windir%\System32 (c:\winnt\system32) under Windows NT, respectively. Thus, the worm will be able to answer more inbox messages. Then it modifies the WIN.INI under Windows 9x, or the register, under Windows NT. This modification enables the virus to start by the next system start-up. Thus, the worm will be able to answer more inbox messages.
In its damage routine, the worm is multi-threading: it creates two "killer-threads". One of the threads is for email handling and the other is for emptying the files. The first one monitors the inbox by MAPI. Thus it reacts immediately to new entries and to unread messages also. A second thread "loosens" files with the following extensions: .doc, .c, .cpp, .h, .asm, .xls and .ppt. This is made using the Windows function "Create file" from 0 bytes! Thus, the files are not deleted, but they are waiting in the Recycle Bin, not able to be restored, because the data is "lost". This can be done on a hidden hard disk also. So the virus "looses" files from the mapped Z drive (WnetEnumResource"). The virus payload is active for so long as the virus is in memory.
Manual Remove Instructions
The virus can be removed by simply deleting the infectious files and by modifying the WIN.INI/ registry.
1. For removing the auto start routine:
Delete the following lines in Windows 9x WIN.INI (using RegEdit):
run=C:\WINDOWS\SYSTEM\Explore.exe or
run=C:\WINDOWS\SYSTEM\_setup.exe
or delete the following registry entries from Windows NT:
run=C:\WINNT\SYSTEM32\Explore.exe or
run=C:\WINNT\SYSTEM32\_setup.exe
2. For removing the virus:
The virus should auto delete by the next start or ending from Task manager. The file is named "Explorer.exe" or "_setup.exe" in one of the following directories:
- under Windows 9x c:\windows\system\
- under Windows NT c:\winnt\system32\
Description insérée par Crony Walker le mardi 15 juin 2004
Retour
.
.
.
.
