Contatti
Chi siamo
Stampa
Beta test
Language:
Italiano
English
Deutsch
Français
Español
Italiano
Português
Русский
Per utenti privati
Avira Antivirus Premium
Avira Internet Security
Per aziende
Client/Server
Avira Professional Security
Avira Server Security
Avira Business Security Suite
Avira Endpoint Security
Small Business
Gateways
Avira AntiVir MailGate
Avira MailGate Suite
Avira AntiVir Exchange
Avira AntiVir WebGate
Avira WebGate Suite
Avira AntiVir GateWay Bundle
Avira AntiVir SharePoint
Integrazione
Anti-Malware SDK (SAVAPI)
Antispam SDK (SPACE)
Rebranding & Bundling
Servizi di integrazione
Sconto Formazione
Supporto
Per utenti privati
Panoramica
Ultime news
Tutorial video
Knowledgebase
Per le aziende
Panoramica
Ultime news
Knowledgebase
Virus Lab
Descrizioni dei virus
Statistiche
VDF History
Viruses In the Wild
Glossario dei virus
Invia il file sospetto
Download
Scarica il prodotto
Documentazione tecnica
Product Lifecycle
Aggiornamento VDF
Partner
Trova un partner
Come diventare partner di Avira
Affiliate
Free
Download
Cerca
In breve
Descrizione completa
Statistiche
Alias:
Zipped_Files
Type:
Worm
Size:
91,048 bytes
Origin:
unknown
Date:
08-01-2003
Damage:
VDF Version:
Danger:
Medium
Distribution:
Medium
General Description
Worm/ExploreZip.E spreads through Outlook, Exchange or NetScape Mail. It makes all .DOC, .XLS, .CPP, .C and .H of 0 bytes size.
Symptoms
It makes all .DOC, .XLS, .CPP, .C and .H of 0 bytes size.
Distribution
Sends itself by email as executable .EXE.
Technical Details
If you receive an email with the text: "Hi [recipient's name]! I received your Email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. Bye", then this is the virus.
This virus, like Melissa, uses the email settings of the windows system. It spreads through Outlook, Exchange or NetScape Mail. It reduces the files - even over the network - to 0 bytes! W32/ExploreZip spreads over email on Windows 9x and Windows NT computer systems. As email program, any MAPI email client is used. Some of them:
* MS Outlook
* NetScape Mail
* MS Exchange
* Outlook Express
When active, it sends itself by MAPI commands, with the attachment name "zipped_files.exe". Unlike Melissa, W32/ExploreZip sends itself to the addresses of the unanswered emails from inbox. Melissa, on the contrary, used to send itself to up to 50 contacts from Address Book. This way, the email doesn't look awkward. It is only an answer to an inbox mail (to a known recipient).
An infected mail looks like this:
From: [sender's name]
Subject: re:[Subject of unanswered mail]
To: [recipient's name]
Hi [recipient's name] !
I received your Email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
Bye or sincerely
[sender's name]
Attachment: zipped_files.exe
When the infected attachment is opened, the following notice appears:
"Error- Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help."
But in this time, the virus is already active and "at work". It copies itself either with the name "Explore.exe" or "_setup.exe" in %windir%\System (c:\windows\system) under Windows 9x, %windir%\System32 (c:\winnt\system32) under Windows NT, respectively. Thus, the worm will be able to answer more inbox messages. Then it modifies the WIN.INI under Windows 9x, or the register, under Windows NT. This modification enables the virus to start by the next system start-up. Thus, the worm will be able to answer more inbox messages.
In its damage routine, the worm is multi-threading: it creates two "killer-threads". One of the threads is for email handling and the other is for emptying the files. The first one monitors the inbox by MAPI. Thus it reacts immediately to new entries and to unread messages also. A second thread "loosens" files with the following extensions: .doc, .c, .cpp, .h, .asm, .xls and .ppt. This is made using the Windows function "Create file" from 0 bytes! Thus, the files are not deleted, but they are waiting in the Recycle Bin, not able to be restored, because the data is "lost". This can be done on a hidden hard disk also. So the virus "looses" files from the mapped Z drive (WnetEnumResource"). The virus payload is active for so long as the virus is in memory.
Manual Remove Instructions
The virus can be removed by simply deleting the infectious files and by modifying the WIN.INI/ registry.
1. For removing the auto start routine:
Delete the following lines in Windows 9x WIN.INI (using RegEdit):
run=C:\WINDOWS\SYSTEM\Explore.exe or
run=C:\WINDOWS\SYSTEM\_setup.exe
or delete the following registry entries from Windows NT:
run=C:\WINNT\SYSTEM32\Explore.exe or
run=C:\WINNT\SYSTEM32\_setup.exe
2. For removing the virus:
The virus should auto delete by the next start or ending from Task manager. The file is named "Explorer.exe" or "_setup.exe" in one of the following directories:
- under Windows 9x c:\windows\system\
- under Windows NT c:\winnt\system32\
Descrizione inserita da Crony Walker su martedì 15 giugno 2004
Indietro
.
.
.
.
