Worm.Explore.Zip, Zipped Files, Troj.Explore.Zip
Spreads using Outlook, Exchange or Netscape Mail
The email structure:
Subject: re:[subject of the un-answered message]
Body: Hi [Name of recipient] ! I received your Email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. Bye or sincerely [Name of the sender]
When the infected attachment is opened, an error message appears on the screen.
By then the virus is already active and "at work". It copies itself as "Explore.exe" or "setup.exe" into the System directory: %windir%\%SystemDir% (usually c:\windows\system) on Windows 9x, or %windir%\%SystemDir% (usually c:\winnt\system32) on Windows NT.
It then modifies WIN.INI on Windows 9x, or the registry on Windows NT, so that the virus is started at every system start-up. The worm can also reply to incoming emails.
It uses two "killer threads". One "processes" the emails; the other "empties" files with the extensions .doc, .c, .cpp, .h, .asm, .xls and .ppt. It truncates the files to 0 bytes using the Windows function "CreateFile". These "shrunk" files cannot be restored, because their content is "lost". "Emptying" the files produces heavy hard-disk activity. The virus also "empties" files on mapped drives, all the way up to drive "Z:" (enumerated with "WNetEnumResource"). The payload stays active as long as the virus itself is in memory.
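The two traces the description gives a responder are the persistence entry in WIN.INI and the zero-byte files left behind by the second thread. The following Python triage helpers are an added example, not code from the original page: they flag run= or load= lines in the [windows] section of WIN.INI that reference the dropped executable names (the assumption that the WIN.INI change is to those two keys is mine; the page only says the file is modified), and they list files whose extension is one of the targeted ones and whose size is 0 bytes, on a constructed listing or on a real directory tree.

```python
"""Triage helpers for the Explore.Zip payload (added example, not from the page)."""
import os
from pathlib import PureWindowsPath
from typing import Iterable, Iterator, List, Tuple

# Extensions the worm's second thread truncates to 0 bytes (from the description).
TARGET_EXTENSIONS = {".doc", ".c", ".cpp", ".h", ".asm", ".xls", ".ppt"}

# Names the worm copies itself under in the System directory (from the description).
DROPPED_NAMES = {"explore.exe", "setup.exe"}


def suspicious_winini_entries(ini_text: str) -> List[Tuple[str, str]]:
    """Return (key, program) pairs from run= / load= lines in the [windows]
    section that name one of the dropped executables.

    Assumption (not stated on the page): the WIN.INI modification is to the
    run= or load= keys, which Windows 9x reads at logon to start programs.
    Programs in these values are separated by spaces or commas, so paths
    containing spaces are split (acceptable for a triage pass).
    """
    hits: List[Tuple[str, str]] = []
    in_windows = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_windows = line[1:-1].strip().lower() == "windows"
            continue
        if not in_windows or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key not in ("run", "load"):
            continue
        for prog in value.replace(",", " ").split():
            if PureWindowsPath(prog).name.lower() in DROPPED_NAMES:
                hits.append((key, prog))
    return hits


def emptied_files(entries: Iterable[Tuple[str, int]]) -> List[str]:
    """From (path, size_in_bytes) pairs, return the paths that have a targeted
    extension and are 0 bytes long: the signature the payload leaves behind."""
    return [
        path for path, size in entries
        if size == 0 and PureWindowsPath(path).suffix.lower() in TARGET_EXTENSIONS
    ]


def walk_sizes(root: str) -> Iterator[Tuple[str, int]]:
    """Yield (path, size) for every regular file under root on the real filesystem,
    so emptied_files(walk_sizes("C:\\\\")) scans a live drive (mapped ones too)."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                yield full, os.path.getsize(full)
            except OSError:
                continue  # unreadable or vanished file; skip it


# Constructed sample: a WIN.INI fragment with an injected run= line.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\Explore.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed sample: a directory listing as (path, size) pairs.
SAMPLE_LISTING = [
    ("C:\\Projects\\main.c", 0),
    ("C:\\Projects\\main.h", 0),
    ("C:\\Projects\\README.txt", 0),  # empty, but not a targeted extension
    ("C:\\Docs\\budget.xls", 4096),   # targeted extension, but intact
    ("Z:\\Share\\report.doc", 0),     # mapped drive, also reached by the worm
]

if __name__ == "__main__":
    for key, prog in suspicious_winini_entries(SAMPLE_WIN_INI):
        print(f"WIN.INI {key}= starts a dropped executable: {prog}")
    for path in emptied_files(SAMPLE_LISTING):
        print(f"possible payload victim (0 bytes): {path}")
```

A 0-byte match is only a lead: legitimately empty source files exist, so confirm against backups or timestamps before treating a hit as damage, and remember that the description says truncated content cannot be recovered from the file itself.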
Description written by Crony Walker, opened Tuesday, June 15, 2004