Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: MEDIUM
Payload:
Detection files published: 09 Jun 1999 03:00:00
Description created: 09 Jun 1999 03:00:00
Description updated: 09 Jun 1999 03:00:00
Malware type: WORM
Alias:
Spreading mechanism: EMAIL
Summary: None

W32/ExploreZip.Worm

Spreading

Attachment size is 210432 bytes. When the worm is executed, it does the following:

It installs itself in the Windows System directory (by default C:\WINDOWS\SYSTEM) and adds a line to WIN.INI (and to the registry on Windows NT) so that the file is run at startup. It installs itself as a file called EXPLORE.EXE (not to be confused with the legitimate EXPLORER.EXE, which is normally found in the Windows directory). Sometimes the worm also copies itself under the name _SETUP.EXE.

It creates a file called zipped_files.exe and sends it as a reply to every message in the user's inbox that has not yet been replied to. As a result, the infected user appears to be sending legitimate replies to mail they have received. The mail will contain the text described above.

The worm also searches mapped network drives and copies itself into any Windows installation it finds, thus infecting systems on a LAN without going through email.
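The persistence artifacts above (a WIN.INI startup line and a worm-named copy in the System directory) are what an analyst would check first on a suspected host. The following triage script is an added example and is not Lumension's detection logic or removal procedure. It assumes the WIN.INI startup line is the run= or load= key of the [windows] section (the page does not name the key), uses the 210432-byte attachment size only as a hint, does not cover the NT registry entry, and works on a constructed WIN.INI and a constructed directory so that it runs offline.

```python
"""Startup-persistence triage for the ExploreZip artifacts described above.

Added example; not vendor code. Assumptions not stated on the page: the
WIN.INI startup line is the run= or load= key under [windows], and the
dropped copy may keep the attachment size (210432 bytes). The sample
WIN.INI and directory are constructed.
"""
import re
import tempfile
from pathlib import Path, PureWindowsPath
from typing import List, Tuple

# File names the page attributes to the worm. EXPLORER.EXE (with the R)
# is the legitimate shell and must not be matched.
WORM_NAMES = {"explore.exe", "_setup.exe"}
ATTACHMENT_SIZE = 210432          # from the page; a size match is a hint only
STARTUP_KEYS = {"run", "load"}    # assumption: classic WIN.INI startup keys


def parse_win_ini(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) triples; duplicate keys are kept."""
    entries = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            entries.append((section, key.strip().lower(), value.strip()))
    return entries


def suspicious_startup_entries(text: str) -> List[str]:
    """Programs on [windows] run=/load= lines whose file name is a worm name."""
    hits = []
    for section, key, value in parse_win_ini(text):
        if section != "windows" or key not in STARTUP_KEYS:
            continue
        # run= may list several programs separated by commas or spaces
        for prog in re.split(r"[,\s]+", value):
            if PureWindowsPath(prog).name.lower() in WORM_NAMES:
                hits.append(prog)
    return hits


def find_dropped_copies(system_dir: Path) -> List[Tuple[str, int, bool]]:
    """(name, size, size_matches_attachment) for worm-named files in a dir."""
    if not system_dir.is_dir():
        return []
    found = []
    for p in sorted(system_dir.iterdir()):
        if p.is_file() and p.name.lower() in WORM_NAMES:
            size = p.stat().st_size
            found.append((p.name, size, size == ATTACHMENT_SIZE))
    return found


# Constructed sample WIN.INI (not a real capture): one worm entry on run=,
# and the legitimate Explorer on load= as a near-miss that must not match.
SAMPLE_WIN_INI = """; constructed sample
[windows]
load=C:\\WINDOWS\\EXPLORER.EXE
run=C:\\WINDOWS\\SYSTEM\\Explore.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""


def make_sample_system_dir() -> Path:
    """Throwaway directory imitating the System directory after infection."""
    d = Path(tempfile.mkdtemp(prefix="explorezip_"))
    (d / "EXPLORE.EXE").write_bytes(b"\0" * ATTACHMENT_SIZE)  # worm-sized copy
    (d / "_SETUP.EXE").write_bytes(b"\0" * 16)                # second copy, other size
    (d / "EXPLORER.EXE").write_bytes(b"MZ")                   # legitimate name, ignored
    return d


if __name__ == "__main__":
    print("WIN.INI startup hits:", suspicious_startup_entries(SAMPLE_WIN_INI))
    print("dropped copies:", find_dropped_copies(make_sample_system_dir()))
```

On a real host, point suspicious_startup_entries at the contents of C:\WINDOWS\WIN.INI and find_dropped_copies at the System directory; a name match is the indicator, and the size flag only distinguishes an unmodified dropped copy from something else that happens to share the name.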

Payload Details

Every time it is executed, the worm searches all drives, including mapped network drives, for files with the extensions .h, .c, .cpp, .asm, .doc, .xls and .ppt. When such a file is found, it is truncated to 0 bytes. Thus many Microsoft Office documents and C and assembler source files will be lost; because the file is truncated rather than deleted, nothing of its contents remains in the file itself, and recovery depends on backups.
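The payload leaves a simple signature: files carrying one of the listed extensions whose size is exactly 0 bytes. The script below is an added example, not vendor tooling, for assessing the damage after an infection: it walks a directory tree, lists zero-length files with the targeted extensions, and tallies them per extension. A zero-length file is only a candidate, since genuinely empty headers and documents exist, so the list is for review rather than automatic action. The sample tree it builds is constructed.

```python
"""Damage triage for the truncation payload described above.

Added example, not vendor code. Lists files with the targeted extensions
that are exactly 0 bytes and tallies them per extension. Zero length is a
candidate signal only: legitimately empty files of these types exist.
The sample directory tree is constructed.
"""
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

# Extensions listed on the page; matched case-insensitively.
TARGET_EXTENSIONS = {".h", ".c", ".cpp", ".asm", ".doc", ".xls", ".ppt"}


def find_truncated(root: Path) -> List[Path]:
    """Targeted-extension files under root whose size is exactly 0 bytes."""
    hits = []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in TARGET_EXTENSIONS:
            continue
        if p.stat().st_size == 0:
            hits.append(p)
    return sorted(hits)


def tally_by_extension(paths: List[Path]) -> Dict[str, int]:
    """Count candidates per lower-cased extension for a quick loss report."""
    return dict(Counter(p.suffix.lower() for p in paths))


def make_sample_tree() -> Path:
    """Constructed tree: three truncated targets, one intact target, and an
    empty file with an extension the payload does not touch."""
    root = Path(tempfile.mkdtemp(prefix="explorezip_triage_"))
    (root / "src").mkdir()
    (root / "src" / "main.c").write_bytes(b"")                 # truncated target
    (root / "src" / "util.h").write_bytes(b"#pragma once\n")   # intact target
    (root / "docs").mkdir()
    (root / "docs" / "report.doc").write_bytes(b"")            # truncated target
    (root / "docs" / "deck.PPT").write_bytes(b"")              # truncated, mixed case
    (root / "docs" / "notes.txt").write_bytes(b"")             # empty but not targeted
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    hits = find_truncated(root)
    for p in hits:
        print(p.relative_to(root))
    print(tally_by_extension(hits))
```

Run find_truncated against each local and mapped drive root that the infected account could reach; the tally tells you which document and source types need restoring from backup.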

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:11