Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: MEDIUM
Payload:
Detection files published: 30 Nov 1999 03:00:00
Description created: 02 Dec 1999 03:00:00
Description updated: 02 Dec 1999 03:00:00
Malware type: WORM
Alias: MiniZip
Spreading mechanism: EMAIL, NETWORK
Summary: None

W32/ExploreZip.120495.Worm

Spreading

Attachment size is 120495 bytes (thus the name of the worm).

When it is executed, the worm does the following:

It installs itself in the Windows System directory (default is C:\WINDOWS\SYSTEM) and adds a line to WIN.INI (and to the registry on NT) instructing this file to be run at startup. It installs itself as a file called EXPLORE.EXE, not to be confused with the legitimate EXPLORER.EXE, which is normally found in the Windows directory. Sometimes the worm also copies itself under the name _SETUP.EXE.

It creates a file called zipped_files.exe and proceeds to send this to all messages in your inbox that have not been replied to. In doing this, it will seem as if an infected user is sending legitimate replies to any mail received.
The mail will contain the text described above.

Payload Details

There is a very destructive action (payload) connected with this worm. Every time it is executed, it searches through all drives, including mapped network drives, for files with the extensions .h, .c, .cpp, .asm, .doc, .xls, and .ppt. When such a file is found, the worm corrupts it by making it 0 bytes long. Thus a lot of Microsoft Office documents and source code files for assembler and C programs will be lost.
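The traces listed under Spreading and Payload Details can be checked on a host or a mounted disk image with a short script. The following is an added example, not part of the original description or any vendor tool; the function names are hypothetical, and treating the WIN.INI startup line as a run= or load= entry is an assumption, since the description does not name the key.

```python
import os

TARGET_EXTS = {".h", ".c", ".cpp", ".asm", ".doc", ".xls", ".ppt"}  # from the payload description
WORM_NAMES = {"explore.exe", "_setup.exe"}   # copies dropped in the System directory
ATTACHMENT = ("zipped_files.exe", 120495)    # mailed file name and size in bytes


def check_system_dir(system_dir):
    """Return worm-named files present in the Windows System directory."""
    if not os.path.isdir(system_dir):
        return []
    return sorted(n for n in os.listdir(system_dir) if n.lower() in WORM_NAMES)


def check_win_ini(win_ini_path):
    """Return WIN.INI startup lines that reference a worm-named file.

    Assumption: the startup line is a run= or load= entry; the description
    only says a line is added so the file runs at startup.
    """
    hits = []
    try:
        with open(win_ini_path, "r", errors="replace") as fh:
            for line in fh:
                key, sep, value = line.strip().partition("=")
                if sep and key.strip().lower() in ("run", "load"):
                    if any(name in value.lower() for name in WORM_NAMES):
                        hits.append(line.strip())
    except OSError:
        pass
    return hits


def scan_tree(root):
    """Walk root; return (attachment copies, zero-byte files of targeted types)."""
    attachments, zeroed = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable entry, skip it
            if (name.lower(), size) == ATTACHMENT:
                attachments.append(path)
            elif size == 0 and os.path.splitext(name)[1].lower() in TARGET_EXTS:
                zeroed.append(path)
    return sorted(attachments), sorted(zeroed)
```

Empty files of these types can also exist for legitimate reasons, so the zero-byte list is a starting point for deciding what to restore from backup rather than proof of infection on its own.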

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:15