//start foreach
English
//start foreach
Deutsch
//start foreach
Français
//start foreach
Español
//start foreach
Italiano
//start foreach
Русский
//start foreach
日本語
//start foreach
Português
Accueil
Menaces
Worm/ExploreZip.E
Recherche
Accueil
Assistance
Solutions
Produits
Téléchargements
Menaces
Statistiques
Mappemonde de l'hameçonnage
Historique VDF
Science des virus
Envoyer l’échantillon
Actualités sur la sécurité
Virus "in the Wild"
Société
Presse
Partenaires
Bulletin d'information
TechBlog
Worm/ExploreZip.E - Worm
A voir aussi
Brève description
Description complète
Statistiques
Comment noteriez-vous cette information ?
Inutile
Excellente
Alias:
Zipped_Files
Type:
Worm
Size:
91,048 bytes
Origin:
unknown
Date:
08-01-2003
Damage:
VDF Version:
Danger:
Medium
Distribution:
Medium
General Description
Worm/ExploreZip.E spreads through Outlook, Exchange or NetScape Mail. It makes all .DOC, .XLS, .CPP, .C and .H of 0 bytes size.
Symptoms
It makes all .DOC, .XLS, .CPP, .C and .H of 0 bytes size.
Distribution
Sends itself by email as executable .EXE.
Technical Details
If you receive an email with the text: "Hi [recipient's name]! I received your Email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. Bye", then this is the virus.
This virus, like Melissa, uses the email settings of the windows system. It spreads through Outlook, Exchange or NetScape Mail. It reduces the files - even over the network - to 0 bytes! W32/ExploreZip spreads over email on Windows 9x and Windows NT computer systems. As email program, any MAPI email client is used. Some of them:
* MS Outlook
* NetScape Mail
* MS Exchange
* Outlook Express
When active, it sends itself by MAPI commands, with the attachment name "zipped_files.exe". Unlike Melissa, W32/ExploreZip sends itself to the addresses of the unanswered emails from inbox. Melissa, on the contrary, used to send itself to up to 50 contacts from Address Book. This way, the email doesn't look awkward. It is only an answer to an inbox mail (to a known recipient).
An infected mail looks like this:
From: [sender's name]
Subject: re:[Subject of unanswered mail]
To: [recipient's name]
Hi [recipient's name] !
I received your Email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
Bye or sincerely
[sender's name]
Attachment: zipped_files.exe
When the infected attachment is opened, the following notice appears:
"Error- Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help."
But in this time, the virus is already active and "at work". It copies itself either with the name "Explore.exe" or "_setup.exe" in %windir%\System (c:\windows\system) under Windows 9x, %windir%\System32 (c:\winnt\system32) under Windows NT, respectively. Thus, the worm will be able to answer more inbox messages. Then it modifies the WIN.INI under Windows 9x, or the register, under Windows NT. This modification enables the virus to start by the next system start-up. Thus, the worm will be able to answer more inbox messages.
In its damage routine, the worm is multi-threading: it creates two "killer-threads". One of the threads is for email handling and the other is for emptying the files. The first one monitors the inbox by MAPI. Thus it reacts immediately to new entries and to unread messages also. A second thread "loosens" files with the following extensions: .doc, .c, .cpp, .h, .asm, .xls and .ppt. This is made using the Windows function "Create file" from 0 bytes! Thus, the files are not deleted, but they are waiting in the Recycle Bin, not able to be restored, because the data is "lost". This can be done on a hidden hard disk also. So the virus "looses" files from the mapped Z drive (WnetEnumResource"). The virus payload is active for so long as the virus is in memory.
Manual Remove Instructions
The virus can be removed by simply deleting the infectious files and by modifying the WIN.INI/ registry.
1. For removing the auto start routine:
Delete the following lines in Windows 9x WIN.INI (using RegEdit):
run=C:\WINDOWS\SYSTEM\Explore.exe or
run=C:\WINDOWS\SYSTEM\_setup.exe
or delete the following registry entries from Windows NT:
run=C:\WINNT\SYSTEM32\Explore.exe or
run=C:\WINNT\SYSTEM32\_setup.exe
2. For removing the virus:
The virus should auto delete by the next start or ending from Task manager. The file is named "Explorer.exe" or "_setup.exe" in one of the following directories:
- under Windows 9x c:\windows\system\
- under Windows NT c:\winnt\system32\
Voir la description brève
ici
.
Description inséré par Crony Walker sur Tue, 15 Jun 2004 14:00 (GMT+1)
»
À propos des logiciels malveillants
»
À propos de l'hameçonnage
»
Virus "in the Wild"
« Retour
Imprimer cette page
HEUR/HTML.Malware
HTML/Infected.WebPage.Gen
HTML/Crypted.Gen
TR/Rootkit.Gen
TR/Crypt.XPACK.Gen2
PCK/NSIS.M
PCK/Dumped
PCK/Repacked
PCK/MEW
PCK/UPACK
Recevoir les informations actuelles d’Avira en tant que
Détection et suppression de certains logiciels malveillants et de leurs variantes
Télécharger ici
Intégrer un
avertissement sur un virus
sur votre site Internet
© 2010 Avira GmbH
Tous droits réservés
|
Domaine privé
|
Plan du site
|
Feedback
|
Marque d’impression
|
FAQ
|
Contact
Menaces 
Imprimer cette page
.gif)
