Technology Services Center (TSC)



THE W32/EXPLOREZIP.WORM.PAK VIRUS

(December 1, 1999)

Introduction

There is a newly discovered variant of the ExploreZip worm (Trojan ExploreZip), which was originally discovered in June 1999. This variant, W32/ExploreZip.Worm.Pak, is functionally identical to the original ExploreZip worm: it is self-mailing malicious code that destroys data on the infected system. The only significant difference is that this variant is packed with a different compression format, so anti-virus signatures written for the original worm do not detect it. W32/ExploreZip.Worm.Pak attacks Windows 95, 98 and NT systems and has been detected at several Fortune 500 customer sites in the United States.

It arrives by e-mail; the body of the message contains the following text:

     Hi !

     I received your email and I shall send you a reply ASAP.

     Til then, take a look at the attached zipped docs.

     bye (or Sincerely or All)

What to do if you recognize an infected e-mail on your computer:

  1. Delete the message immediately; do not open the attachment.
  2. If you inadvertently opened the attachment of a message with the symptoms above, contact your Technical Support representative as soon as possible.

Worm Operation

The W32/ExploreZip.worm.pak emails itself out as an attachment under the filename "zipped_files.exe". The subject line varies: each copy is sent as a reply to an existing message, so it appears to be a reply to something you sent. The body of the message contains the text quoted in the Introduction above.

As the worm continues executing, it searches the inbox of your mail program and sends a reply to every message it finds there, adding the message listed above and attaching the worm program file.
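The lure described above can be recognised mechanically at a mail gateway or in a mailbox export. The Python script below is an added example written for this page, not code from the original alert or from the vendors it cites. It builds three constructed messages (no real captures) and flags the ones that carry the zipped_files.exe attachment or the full lure text. The indicator names and the decision rule (the attachment name alone, or both lure sentences together) are this example's own choices, not something the alert specifies.

```python
"""Flag e-mail messages that match the ExploreZip.pak lure described in the alert."""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the alert text.
WORM_ATTACHMENT = "zipped_files.exe"
LURE_PHRASES = (
    "i received your email and i shall send you a reply asap",
    "take a look at the attached zipped docs",
)


def attachment_names(msg):
    """Return the declared filenames of all attachments, lower-cased."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            names.append(name.lower())
    return names


def body_text(msg):
    """Return the plain-text body of a message, lower-cased, or '' if it has none."""
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content().lower() if body is not None else ""


def explorezip_indicators(raw):
    """Parse an RFC 822 message (bytes) and return the list of matched indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    names = attachment_names(msg)
    if WORM_ATTACHMENT in names:
        hits.append("attachment zipped_files.exe")
    elif any(n.endswith(".exe") for n in names):
        hits.append("executable attachment")
    text = body_text(msg)
    for phrase in LURE_PHRASES:
        if phrase in text:
            hits.append("lure text: " + phrase)
    subject = (msg["Subject"] or "").strip().lower()
    if subject.startswith("re:"):
        hits.append("subject looks like a reply")
    return hits


def is_explorezip(raw):
    """True when the attachment name matches, or when every lure sentence is present.

    A renamed attachment is therefore still caught by the lure text (assumed rule).
    """
    hits = explorezip_indicators(raw)
    lure_hits = sum(h.startswith("lure text") for h in hits)
    return "attachment zipped_files.exe" in hits or lure_hits == len(LURE_PHRASES)


def build_sample(subject, body, attach_name, attach_bytes):
    """Construct a sample message (constructed for this example, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(attach_bytes, maintype="application",
                       subtype="octet-stream", filename=attach_name)
    return msg.as_bytes()


LURE_BODY = ("Hi !\n\nI received your email and I shall send you a reply ASAP.\n\n"
             "Til then, take a look at the attached zipped docs.\n\nbye\n")

# Worm as the alert describes it: reply-style subject, lure text, zipped_files.exe.
WORM_SAMPLE = build_sample("Re: budget figures", LURE_BODY,
                           "zipped_files.exe", b"MZ" + b"\x00" * 64)
# Same lure with the attachment renamed: caught by the text, not the file name.
RENAMED_SAMPLE = build_sample("Re: meeting notes", LURE_BODY,
                              "docs.exe", b"MZ" + b"\x00" * 64)
# Ordinary reply with a real zip archive attached.
BENIGN_SAMPLE = build_sample("Re: budget figures",
                             "Thanks, the revised spreadsheet is attached.\n",
                             "budget.zip", b"PK\x03\x04" + b"\x00" * 64)

if __name__ == "__main__":
    for label, raw in (("worm", WORM_SAMPLE), ("renamed", RENAMED_SAMPLE),
                       ("benign", BENIGN_SAMPLE)):
        print(label, is_explorezip(raw), explorezip_indicators(raw))
```

Because the .pak variant differs from the original only in its packer, matching on delivery characteristics (attachment name and lure text) catches both, which is the point of a gateway rule when the binary signature has been evaded.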

When it has finished sending mail, it stores a copy of itself on your system and sets that copy to be executed at system startup time. On Windows 95 and Windows 98 systems, it stores a copy of itself in:

    c:\windows\system\explore.exe 

and places the following line in the win.ini file to restart the worm every time you run Windows.

    run=C:\WINDOWS\System\Explore.exe

If your active windows directory is not C:\WINDOWS, replace C:\WINDOWS in the command and file location above with the path to your active Windows directory.

On Windows NT systems, it stores copies of itself in:

    c:\winnt\system32\explore.exe
    c:\winnt\_setup.exe

If your active Windows NT directory is not c:\winnt, replace c:\winnt in the file locations above with the path to your active Windows NT directory.

The worm then sets the run value under the following registry key to "_setup.exe", which runs the _setup.exe program when the user logs on.

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\run

After installing itself, the worm runs its payload. The payload searches your lettered hard disk drives (C: through Z:) for programming source code files with the extensions:

    .h    .c    .cpp    .asm

(C header files, C programs, C++ programs, and assembly language programs) and Microsoft Office documents with the extensions:

    .doc    .xls    .ppt

(Word documents, Excel documents, and PowerPoint documents) and truncates them to zero length, making them nearly impossible to recover. You might be able to recover parts of a file with a disk editor, but that is a difficult and time-consuming process.
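The persistence entries and the payload damage described in the two passages above (the win.ini run= line on Windows 95/98, the run value under the Windows NT registry key, and zero-length source and Office files) can be checked from offline copies of the files. The Python below is an added example for this page, not a tool from the original alert. It parses constructed samples of win.ini and of a regedit export, and builds a throw-away directory tree to stand in for a hit disk. The parser, the sample contents, and the treatment of a run= value as a space- or comma-separated list of programs are assumptions of this example.

```python
"""Look for ExploreZip.pak persistence entries and payload damage in offline copies."""
import os
import tempfile

# File names and extensions taken from the alert above.
PERSISTENCE_NAMES = ("explore.exe", "_setup.exe")
TARGET_EXTENSIONS = (".h", ".c", ".cpp", ".asm", ".doc", ".xls", ".ppt")
NT_RUN_KEY = r"hkey_current_user\software\microsoft\windows nt\currentversion\windows"


def parse_ini(text):
    """Parse win.ini or a .reg export into {section: [(key, value), ...]}.

    Sections and keys are lower-cased, the quotes regedit writes around names
    and string values are removed, and duplicate keys keep their order.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().strip('"').lower(),
                                      value.strip().strip('"')))
    return sections


def worm_programs(value):
    """Yield entries of a run=/load= value whose file name is one the worm uses.

    Assumed: the value may list several programs separated by spaces or commas.
    """
    for prog in value.replace(",", " ").split():
        if os.path.basename(prog.replace("\\", "/")).lower() in PERSISTENCE_NAMES:
            yield prog


def win_ini_hits(ini_text):
    """Windows 95/98: run=/load= lines in the [windows] section of win.ini."""
    return [(key, prog)
            for key, value in parse_ini(ini_text).get("windows", [])
            if key in ("run", "load")
            for prog in worm_programs(value)]


def registry_hits(reg_text):
    """Windows NT: run/load values under HKCU\\...\\Windows NT\\CurrentVersion\\Windows."""
    return [(key, prog)
            for key, value in parse_ini(reg_text).get(NT_RUN_KEY, [])
            if key in ("run", "load")
            for prog in worm_programs(value)]


def truncated_targets(root):
    """Zero-length files with the extensions the payload attacks, relative to root."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(TARGET_EXTENSIONS) and os.path.getsize(path) == 0:
                found.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(found)


# Constructed samples of what the alert describes; not copies from a real system.
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\System\\Explore.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

SAMPLE_REG_EXPORT = """\
REGEDIT4

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows]
"run"="_setup.exe"
"load"=""
"""

CLEAN_WIN_INI = """\
[windows]
load=
run=
"""


def make_damaged_tree():
    """Create a temporary directory imitating a hit disk; returns its path."""
    root = tempfile.mkdtemp(prefix="explorezip_demo_")
    os.makedirs(os.path.join(root, "src"))
    for rel, size in (("src/main.c", 0), ("src/main.h", 0), ("src/Makefile", 0),
                      ("budget.xls", 0), ("notes.txt", 0), ("intact.doc", 12)):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"x" * size)
    return root


if __name__ == "__main__":
    print("win.ini:", win_ini_hits(SAMPLE_WIN_INI))
    print("registry:", registry_hits(SAMPLE_REG_EXPORT))
    print("truncated:", truncated_targets(make_damaged_tree()))
```

A zero-length file with one of these extensions is only evidence, not proof: empty headers and placeholder documents exist on healthy disks, so the list is something to compare against backups rather than a verdict on its own.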

More information on the W32/ExploreZip.worm.pak virus may be found online at
http://vil.mcafee.com/vil/vpe10450.asp

http://www.symantec.com/avcenter/venc/data/worm.explorezip.pack.html

W32/ExploreZip.worm.pak Virus and the IUP Administrative Desktop



Maintained by Bill Balint <wsbalint@iup.edu>

Last Modified Thursday January 31 2008