-
ExploreZip is a Win32-based e-mail worm. It searches for Microsoft Office documents on your hard drive and network drives.
-
When it finds any Word, Excel, or PowerPoint documents using the following extensions: .doc, .xls and .ppt, it erases the contents of those files. It also emails itself to any one who send you an e-mail.
-
ExploreZip arrives as an email attachment. The message will most likely come from someone you know, and the body of the message will read:
"I received your email and I shall send you a reply ASAP. Till then, take a look at the attached Zipped docs." The attachment will be named "Zipped files.exe" and have a WinZip icon. Double clicking the program infects your computer.
 |
This is a 32bit Worm that travels by sending email messages to users. It drops the file explore.exe and modifies either the WIN.INI (Windows 9x/ME) or modifies the registry (Windows NT/2K/XP).
This worm attempts to invoke the MAPI aware email applications as in MS Outlook, MS Outlook Express and MS Exchange. This worm replies to messages received by sending an email message with the following body:
"I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs."
The subject line is not constant as the message is a reply to a message sent to the infected user. The worm (named "zipped_files.exe" as the attachment, with a file size of 210,432 bytes. The file has a WinZip icon which is designed to fool unsuspecting users to run it as a self-extracting file. Users who run this attachment will be presented with a fake error message that says:
"Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help."
| Threat | Payload Notice This worm has a payload. Immediately after execution it will search all local and network drives for the following files types .c, .cpp, .h, .asm, .doc, .xls, or .ppt. When found, their content is erased. Approximately 30 minutes after infection this process is repeated. Files that have been affected by this payload will need to be restored from backup. Repair is not possible. |
This worm will locate system drives which are NOT mapped drives using functions from MPR.DLL and Network Neighborhood. On these systems, the WIN.INI is modified with a run statement to load a file called _SETUP.EXE from the Windows path, and the file _SETUP.EXE is copied to the Windows path. These systems will become infected when restarted. This worm will only try to infect such systems once, whereas systems which are mapped drives are constantly attempted to be re-infected. Secondly, a machine infected via another share will switch between _setup and explore per reboot.
Existence of any of the 3 file names mentioned above [note EXPLORER.EXE is a valid name - do not confuse this name]. Process running as mentioned above, files being corrupted / deleted as mentioned above.
Running the file will directly infect the local system by installing itself and running memory resident, then it will use browsing of the network to locate available shares. The program searches local and networked drives (drive letters C through Z) for specific file types and attempts to erase the contents of the files, leaving a zero byte file. The targets may include Microsoft Office files, such as .doc, .xls, and .ppt, and various source code files, such as .c, .cpp, .h, and .asm.
The program propagates by replying to any new email that is received by an infected computer. A copy of zipped_files.exe is attached to the reply message. The program creates an entry in the Windows 95/98 WIN.INI file:
run=C:\WINDOWS\SYSTEM\Explore.exe
On Windows NT systems, an entry is made in the system registry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows
NT\CurrentVersion\Windows]
run = "c:\winnt\system32\explore.exe"
The program creates a file called explore.exe in the following locations:
Windows 95/98 - c:\windows\system\explore.exe
Windows NT - c:\winnt\system32\explore.exe
This file is a copy of the zipped_files.exe Trojan horse, and the file size is 210432 bytes.
MD5 (Explore.exe) = 0e10993050e5ed199e90f7372259e44b
Posts
0 comments:
Post a Comment