Tim O'Leary - I-Worm.ZippedFiles Removal Information

If you find this site useful, please send me a brief email to tell me, or with suggestions to make it easier to use.


THE EXPLOREZIP VIRUS
(I-Worm.ZippedFiles or Zipped_Files)
AND HOW TO GET RID OF IT

This advice is based on a post Catherine Hampton made to alt.comp.virus soon after the ZippedFiles worm was discovered in the wild. It has had input and revision from many anti-virus experts in the group and represents their consensus at the time of writing. The manual methods may need revision as experience accumulates.

 
Catherine Hampton 
ariel@tempest.boxmail.com
Home Page          *       http://www.hrweb.org/ariel/   
The Spam Bouncer   *    http://www.hrweb.org/spambouncer/


                         THE EXPLOREZIP VIRUS
                 (I-Worm.ZippedFiles or Zipped_Files)
                       AND HOW TO GET RID OF IT

                         by Catherine Hampton 
                      

                              6/10/1999

  
    (With thanks to Symantec, Central Command, and a number of 
      people on alt.comp.virus for contributing to the information 
      below, and Eric Chien for his help editing and debugging
      this document.)

     The author places this document in the public domain.  Please
     redistribute as widely as possible!


CONTENTS

Quick Information
How ExploreZip Works
How to Get Rid of ExploreZip
Updating your AntiVirus Software

=-=-=-=-=-=-=-=-=


QUICK INFORMATION

ExploreZip, the I-Worm.ZippedFiles virus, is not your average
virus.  Unfortunately.  It will arrive on your system as an
innocent-looking email message from someone you correspond
with, with an innocent-looking attached file.  If you attempt
to open the file, the virus will infect your system.  This is
all pretty much like any other email virus.
  
Unlike most recent email viruses, which were a nuisance but not
dangerous, though, ExploreZip is nasty.  It will search your local 
hard drive and also any network hard drives and delete document files.  
The document files it will delete include Microsoft Word and other
document files produced by Microsoft software and several types 
of programming code files, including C and C++.

It does this by opening each file and truncating it to zero length
rather than deleting it.  The directory entry survives, with a size of
zero, so the normal undelete and file-recovery programs, which work by
restoring a deleted directory entry, have nothing to restore.

If someone sends you an email message like the following
message, DO NOT OPEN THE FILE ATTACHED TO IT! 

   Hi, !

   I received your email and I shall send you a reply ASAP.

   Till then, take a look at the attached zip docs.
   bye.

If your computer does not open and execute the attached file 
(which will probably be named Zipped_Files.exe), it cannot be 
infected by this virus.  

Unfortunately some versions of Microsoft email products can be 
installed to open and execute attachments automatically.  A few
of these products were configured to install this way by default,
an astoundingly =STUPID= security flaw which Microsoft has
heard about from many computer security professionals.  

Unless your software is set to run attachments automatically,
though, you can't get infected unless you open the virus file
yourself.

So don't. :)

If someone calls you and asks why you sent them an email 
message which reads like the one above, you probably have 
ExploreZip.  If you do, keep reading to learn what it does, 
and how to get rid of it, or call your company IT department 
and ask for help. 


HOW ExploreZip WORKS

ExploreZip functions much like other email viruses which
have appeared in the last few months.  It infects your system,
and then sends email to other users which you normally 
correspond with.  The other users don't suspect that 
anything is wrong with email from you, and open the
file you sent, thus infecting their computers as well.
This is how the Melissa virus which appeared a few months
ago worked.

But ExploreZip has a much nastier payload than Melissa. 
"Payload" means what a virus does in addition to duplicating 
itself and spreading to other systems.  A payload can range 
from something relatively innocent, like playing a silly tune 
or displaying a silly picture, to something very nasty, like 
deleting files or reformatting a user's hard disk. 

ExploreZip's payload is that it deletes your document files
and prevents you from recovering them.  That is a very nasty
payload. 

ExploreZip sends email messages which read as follows:

   Hi, !

   I received your email and I shall send you a reply ASAP.

   Till then, take a look at the attached zip docs.
   bye.

Some versions also sign off with the following:

   sincerely 

It attaches a file called Zipped_Files.exe to the email.  This file is
approximately 210 KB in size.  If you attempt to open or run this
attached file on a system running Microsoft Windows 95, Windows 98,
or Windows NT, your system will be infected.

When you activate the virus, it displays the following innocent-
sounding message in a dialog box:

          Cannot open file; it does not appear to be
          a valid archive.  If this file is part of
          a ZIP format backup set, insert the last
          disk of the backup set and try again. 
          Please press F1 for help. 

The dialog box will have an OK button and no other choices.     
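The following Python script is an added example and not part of Catherine Hampton's advice. It shows how a mail gateway, or a quick scan of a local mail spool, could pick out the lure described above from a stored RFC 822 message: it checks for the fixed body wording, the Zipped_Files.exe attachment name, an executable attachment of roughly the stated size, and, as a general check that goes beyond this one worm, any attachment carrying a DOS "MZ" executable header under a non-executable filename. The sample messages it builds are constructed, and the 200 to 220 KB size window, the headers and the example addresses are assumptions.

```python
"""Pick the ExploreZip lure out of stored RFC 822 mail.

Added example, not part of the original advice.  Indicators come from the
text above: the fixed body wording, an attachment named Zipped_Files.exe,
and an executable attachment of about 210 KB.  The "MZ under a harmless
name" check is a general one that goes beyond this worm.  Assumptions:
the 200-220 KB size window, and the sample messages, which are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

LURE_PHRASES = (
    "i received your email and i shall send you a reply asap",
    "take a look at the attached zip docs",
)
LURE_ATTACHMENT = "zipped_files.exe"
LURE_SIZE_RANGE = (200_000, 220_000)   # ~210 KB per the advice; tolerance is an assumption
EXEC_EXTS = (".exe", ".com", ".dll", ".scr")

LURE_BODY = ("Hi, !\n\nI received your email and I shall send you a reply ASAP.\n\n"
             "Till then, take a look at the attached zip docs.\nbye.\n")


def classify(raw):
    """Return the list of indicator names found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if all(p in text for p in LURE_PHRASES):
        hits.append("lure-text")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name == LURE_ATTACHMENT:
            hits.append("lure-attachment-name")
        if name.endswith(".exe") and LURE_SIZE_RANGE[0] <= len(data) <= LURE_SIZE_RANGE[1]:
            hits.append("exe-size-match")
        if data[:2] == b"MZ" and not name.endswith(EXEC_EXTS):
            hits.append("exe-disguised")   # DOS/PE header under a non-executable name
    return hits


def is_explorezip_lure(raw):
    """Lure text plus any attachment indicator: the message should be quarantined."""
    hits = classify(raw)
    return "lure-text" in hits and any(h != "lure-text" for h in hits)


def build_sample(attachment_name, size, body=LURE_BODY):
    """Constructed test message in the worm's format (not a real capture).
    A blob with a DOS "MZ" header stands in for the real 210 KB binary."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = "Re: your mail"
    m.set_content(body)
    blob = b"MZ" + b"\x00" * (size - 2)
    m.add_attachment(blob, maintype="application", subtype="octet-stream",
                     filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    print(classify(build_sample("Zipped_Files.exe", 210_432)))
```

The body-text match on its own is deliberately not enough to quarantine: the worm replies to real correspondence, so a legitimate reply quoting the lure (someone forwarding it to ask what it is) would otherwise be blocked. Only the combination of the text and an attachment indicator is treated as the worm.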

On infecting your system, the virus copies itself to the Windows 
program and system directories.  On most Windows '95/98 systems
this will be C:\Windows and C:\Windows\System.  On most Windows
NT systems, this will be C:\WinNT and C:\WinNT\System32.  The 
virus will locate the correct directories on your system,
however, and will use the correct directories in all its
modifications.

FOR WINDOWS '95/98 SYSTEMS:

     C:\Windows\_Setup.exe
     C:\Windows\System\Explore.exe

If your Windows program directory is somewhere other than 
C:\Windows, these entries will point to the correct Windows
program and system directories on your system.

FOR WINDOWS NT SYSTEMS:

     C:\WinNT\_Setup.exe
     C:\WinNT\System32\Explore.exe

If your Windows NT program directory is somewhere other than 
C:\WinNT, these entries will point to the correct Windows
program and system directories on your system.

The virus will also modify the WIN.INI file on Windows 95/98 systems
with one of the following lines:

     run=_setup.exe
     run=C:\Windows\System\Explore.exe

If your Windows system is in a different location than 
C:\Windows\System, this entry will point to the correct directory.

On Windows NT, it modifies the "run" value under this registry key
(the NT counterpart of the WIN.INI run= line; note the space in
"Windows NT"):

     HKEY_CURRENT_USER\Software\Microsoft\
          Windows NT\CurrentVersion\Windows\run

The value's data will be one of the following:

     C:\WinNT\_setup.exe
     C:\WinNT\System32\Explore.exe

If Windows NT is installed in a different directory than 
C:\WinNT, this entry will point to the correct Windows NT
directory on your system.

The virus then stays "memory resident" and is active up to the moment 
you shut your system down.  Its task has no active window and is not 
visible in taskbar, but is visible in the task list (Ctrl-Alt-Del) on
Windows '95/98 systems and the Task Manager, under the Processes
tab, on Windows NT systems.
  
The virus runs under one or more of the following names:

     Zipped_files.exe
     Explore.exe
     _setup.exe

On some systems, the file extension (the .exe) will not be displayed.
Since the virus does not check to see if it is already present in 
Windows memory, you may find several instances of it when you look.

When it is active, the virus runs four threads, or different tasks,
simultaneously.   The installation thread copies the virus files to 
the Windows directories and modifies the WIN.INI or system registry
so that the virus will run automatically when you reboot the computer. 

The Internet thread replies to incoming email messages. If you use 
a standard MAPI mail program (such as Microsoft Exchange, Outlook, 
or Outlook Express), the virus will send email messages to all the 
people you receive email from with a copy of itself attached. It 
will reply to any unread email already in your inbox, as well as 
to any new mail you receive before you disinfect your system.

The two remaining threads destroy document files.  One searches 
your local hard drive and deletes any Microsoft Office software
document files or programming code files.  (Among the files 
deleted by this virus are .C, .H, .CPP, .ASM, .DOC, .XLS, 
and .PPT files -- program source code and Microsoft Office 
document files.)  The other searches your network drives and 
does the same thing to files it finds there. 

The virus actually creates new files on top of your existing
files, using the same filenames as your existing files but with
no data.  This results in "zeroed out" files rather than normal 
deleted files, and unfortunately means that these files can't be 
undeleted or recovered by any of the normal file recovery programs 
out there. 

So, if you lose data to ExploreZip and don't have current
backups, you will need to use a data recovery service to try 
to get your data back.  That is expensive, slow, and not always
successful.  If you intend to attempt recovery, shut the computer
down (which also stops the worm's deletion threads) and do not use
it again until the drive has been imaged: every further write to
the disk can overwrite the clusters the zeroed files once occupied.
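An added example, not part of the original advice: because the payload leaves zero-length files behind rather than deleting them, a directory walk that lists zero-length files of the targeted types tells you exactly which documents and source files were hit and need restoring from backup, and which an expensive recovery attempt would have to cover. Run it from a clean machine with the victim's drive attached read-only, never on the still-infected system. Python is used here for readability, not because the original procedure involved any script, and the sample tree the block builds is constructed.

```python
"""Triage for ExploreZip's payload: list targeted files that were zeroed out.

Added example, not part of the original advice.  Files are stat'ed, never
opened for writing, so the walk itself changes nothing on the drive.  The
extension list is the one given in the advice; make_sample_tree() builds a
constructed fixture so the script runs offline.
"""
import os
import sys
import tempfile

TARGET_EXTS = {".c", ".h", ".cpp", ".asm", ".doc", ".xls", ".ppt"}


def _targeted(name):
    return os.path.splitext(name)[1].lower() in TARGET_EXTS


def find_zeroed_documents(root):
    """Return sorted paths (relative to root, '/'-separated) of targeted
    files whose size is zero."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not _targeted(name):
                continue
            full = os.path.join(dirpath, name)
            try:
                if os.path.getsize(full) == 0:
                    hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
            except OSError:
                continue   # unreadable entry: report nothing rather than guess
    return sorted(hits)


def summarize(root):
    """Counts of targeted files found zeroed vs. intact, for a damage report."""
    zeroed = len(find_zeroed_documents(root))
    total = 0
    for _dirpath, _dirs, files in os.walk(root):
        total += sum(1 for n in files if _targeted(n))
    return {"zeroed": zeroed, "intact": total - zeroed}


def make_sample_tree():
    """Constructed fixture: a few zeroed files beside intact ones."""
    root = tempfile.mkdtemp(prefix="explorezip_")
    files = {
        "src/main.c": b"",                          # zeroed
        "src/util.h": b"",                          # zeroed
        "src/notes.txt": b"",                       # zero-length but not a targeted type
        "docs/report.doc": b"\xd0\xcf\x11\xe0intact",  # intact OLE header
        "docs/budget.XLS": b"",                     # zeroed, upper-case extension
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    for rel in find_zeroed_documents(target):
        print(rel)
    print(summarize(target))
```

Usage: python3 triage.py D:\ (or the mount point of the imaged drive). The modification times of the listed files will cluster at the moment the worm ran, which dates the infection and tells you which backup generation predates it.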


HOW TO GET RID OF ExploreZip

Most of the top antivirus programs have already provided updates
which will detect and, in some cases, remove this virus.  Since
it can be removed relatively simply, though, I recommend that
you disinfect an infected system manually.  When you are no
longer "contagious", you can go online and update your antivirus 
software. :)

First, LOG OFF of any network you are on.  If your computer is
permanently attached to a LAN, reboot into local mode if at all
possible, and be sure to shut down your email software.  If you
are running a stand-alone system which connects to the Internet
via a dial-up line, hang up.  This will prevent others from 
being infected.  

Then follow the appropriate directions below: 


Windows '95/98
  
  1) Save all work and close all open programs. Then press 
     Ctrl+Alt+Del to bring up the Close Program dialog box.

  2) Search the list of running programs for any instances of 
     the following programs:

     Zipped_files.exe
     Explore.exe
     _setup.exe

     When you find one, select it and then click the End Task
     button to shut it down.  Keep doing this until you get rid
     of them all.

  3) Reboot your system.


  4) Using Windows Explorer or any other method you prefer,
     delete the following files from your system:

     C:\Windows\_Setup.exe
     C:\Windows\System\Explore.exe

     _Setup.exe may not exist -- the virus deletes it after it
     finishes installing itself. 

  5) Run Notepad and open your WIN.INI file.  (WIN.INI will be in
     your Windows program directory.)  In the [windows] section,
     find the run= line and remove the worm's entry, which will be
     one of:

     run=_setup.exe
     run=C:\WINDOWS\SYSTEM\Explore.exe

     run= can list more than one program, so if other programs you
     want appear on the same line, delete only the worm's path and
     leave the rest (or an empty run= line) in place.


Windows NT

  1) Save all work and close all open programs. Then, run the 
     Windows NT Task Manager by right-clicking on the 
     Task Bar and selecting "Task Manager" from the menu. 

  2) Click the Processes button, and search the Image Name 
     column for any instances of the following programs:

     Zipped_files.exe
     Explore.exe
     _setup.exe

     When you find one, select it and then click the End Process
     button to shut it down.  Keep doing this until you get rid
     of them all.

  3) Reboot your system.



  4) Using Windows Explorer or any other method you prefer,
     delete the following files from your system:

     C:\WinNT\_Setup.exe
     C:\WinNT\System32\Explore.exe

     _Setup.exe may not exist -- the virus deletes it after it
     finishes installing itself.   

  5) Run Regedit.  Work your way down through the tree to this key
     (note the space in "Windows NT"):

        HKEY_CURRENT_USER\Software\Microsoft\
          Windows NT\CurrentVersion\Windows

     In the right-hand pane, find the "run" value and delete it if
     its data is the worm's path:

        C:\WinNT\System32\Explore.exe

     (or C:\WinNT\_setup.exe).  If the run value also names other
     programs you want to keep, edit it to remove only the worm's
     entry.
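As an added example (not from the original advice), the Python below audits and cleans the two persistence points that the Windows 95/98 and Windows NT procedures above remove by hand, and that the "How ExploreZip Works" section describes. It works on text copies so it can run offline: the WIN.INI file for Windows 95/98, and a Regedit .reg export of the NT key for Windows NT. The sample WIN.INI and .reg text are constructed, and the harmless sched.exe entry in the sample is invented to show that only the worm's path is dropped from a run= line that lists several programs.

```python
"""Audit and clean ExploreZip's persistence entries from text copies.

Added example, not part of the original advice.  Windows 95/98 keeps the
entry on the run= line of WIN.INI; Windows NT keeps it in the "run" value
under HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows.
Both functions take text (a WIN.INI file, or a Regedit .reg export of that
key), so this runs offline.  The sample inputs are constructed, including
the harmless sched.exe entry that shows only the worm's path is removed.
"""
import ntpath
import re

WORM_IMAGES = {"_setup.exe", "explore.exe", "zipped_files.exe"}
NT_RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
# run= / "run" may list several programs, separated by spaces or commas;
# a path containing spaces has to be quoted.
ENTRY = re.compile(r'"[^"]*"|[^ ,]+')


def _is_worm(path):
    return ntpath.basename(path.strip().strip('"')).lower() in WORM_IMAGES


def clean_win_ini(text):
    """Return (cleaned_text, removed_entries).  Only run= and load= in the
    [windows] section are touched, and only the worm's entries are dropped."""
    out, removed, section = [], [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        m = re.match(r"(run|load)=(.*)$", s, re.I)
        if section == "windows" and m:
            keep = []
            for entry in ENTRY.findall(m.group(2)):
                (removed if _is_worm(entry) else keep).append(entry)
            line = f"{m.group(1)}={' '.join(keep)}"
        out.append(line)
    return "\n".join(out) + "\n", removed


def find_nt_run_values(reg_export):
    """Scan a .reg export for run/load values under the NT key whose data
    names a worm image.  Returns [(value_name, data), ...]; delete or edit
    those values in Regedit."""
    found, in_key = [], False
    for line in reg_export.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_key = s[1:-1].lower() == NT_RUN_KEY.lower()
            continue
        m = re.match(r'"(run|load)"="(.*)"$', s, re.I)
        if in_key and m:
            data = m.group(2).replace("\\\\", "\\")   # .reg files double backslashes
            if _is_worm(data):
                found.append((m.group(1), data))
    return found


SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\Explore.exe "C:\\Program Files\\Backup\\sched.exe"
NullPort=None

[Desktop]
Wallpaper=(None)
"""

SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"=""
"run"="C:\\WINNT\\System32\\Explore.exe"
"""

if __name__ == "__main__":
    cleaned, removed = clean_win_ini(SAMPLE_WIN_INI)
    print("removed from WIN.INI:", removed)
    print(cleaned)
    print("NT values to delete:", find_nt_run_values(SAMPLE_REG))
```

Matching is on the image name only, so it also catches the worm when Windows is installed somewhere other than C:\Windows or C:\WinNT, which the advice notes it handles. The check on the kill-and-delete steps still has to be done by hand: a cleaned WIN.INI or registry value does nothing if Explore.exe is still running, since the resident copy will simply keep replying to mail until you reboot.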

You have successfully removed the ExploreZip virus from your
system.  Now, go to the web site of your AntiVirus company and 
download the latest upgrade, so that you won't be infected by
this virus again. :)  If you aren't using an antivirus, I suggest
you get one.  All of the companies listed below are considered 
top in the field.  

For more information and to get a feel for what each of these 
companies and products is like, read their web sites and then 
access the Usenet newsgroup alt.comp.virus.  Most of the top
antivirus companies have people participating there, and many
of the regular participants are knowledgeable and helpful. 


UPDATING YOUR ANTIVIRUS SOFTWARE

The following AntiVirus companies have updates available which 
can detect and, in some cases, remove ExploreZip from
your system.


CENTRAL COMMAND (AntiViral Toolkit Pro)

   Info about ExploreZip (I-Worm.ZippedFiles):
     http://www.avp.com/zippedfiles/zippedfiles.html

   Home Page:
     Russia (main site):      http://www.avp.ru
     U.S.A.:                  http://www.avp.com


DATAFELLOWS (Fsecure AntiVirus)

   Info about I-Worm.ZippedFiles:
     http://www.datafel
   Home Page:
     http://www.datafellows.com


NETWORK ASSOCIATES (McAfee AntiVirus and Dr. Solomon AntiVirus)

   Info about ExploreZip:
     http://www.avertlabs.com/public/datafiles/valerts/vinfo/va10185.asp

   Home Page:
     http://www.nai.com


SOPHOS (Sophos AntiVirus)

   Info about ExploreZip:
     http://www.sophos.com/downloads/ide/index.html#explorez

   Home Page:
     http://www.sophos.com


SYMANTEC (Norton AntiVirus)

   Info about ExploreZip:
     http://www.symantec.com/avcenter/venc/data/worm.explore.zip.html

   Home Page:
     http://www.symantec.com


TREND MICRO (PC-cillin)

   Info about ExploreZip:
     http://www.antivirus.com/vinfo/alerts.htm

   Home Page:
     http://www.antivirus.com/

Command Software Systems, Inc. (Command AntiVirus) 



Frisk Software International (F-PROT for DOS) 

Requires virus definition file (sign.def) dated June 10, 1999 or later 
available from: 

http://www.complex.is/f-prot/

Created by Tim O'Leary email: tmoleary@melbpc.org.au
9 Nov 1998 / updated 22/12/1998, 10/1/99, 29/3/99, 14/5/99, 11/6/99
URL: http://www.alphalink.com.au/~oleary/Virus/zippedadvice.html