© 1998 Symantec Corporation
All rights reserved.
Worm.ExploreZip

Virus Name: Worm.ExploreZip
Infection Length: 210,432 bytes
Area of Infection: C:\Windows\System\, Email Attachments
Likelihood: Common
Detected as of: June 6, 1999
Characteristics: Worm, Trojan Horse


Description:

Worm.ExploreZip is a worm that contains a malicious payload. The worm utilizes MAPI commands and Microsoft Outlook on Windows systems to propagate itself. The worm was first discovered in Israel and submitted to the Symantec AntiVirus Research Center on June 6, 1999.

The worm e-mails itself out as an attachment with the filename "zipped_files.exe". The body of the e-mail message may appear to come from a known e-mail correspondent and contains the following text:

Hi Recipient Name!

I received your email and I shall send you a reply ASAP.

Till then, take a look at the attached zipped docs.

bye

The worm determines whom to mail this message to by going through your received messages in your Inbox.

Once the attachment is executed, it may display the following window:

The worm proceeds to copy itself to the c:\windows\system directory with the filename "Explore.exe" and then modifies the WIN.INI file so that the program is executed each time Windows is started. The worm then utilizes your e-mail client to harvest e-mail addresses in order to propagate itself. One may notice their e-mail client start when this occurs.


Payload:

In addition, when Worm.ExploreZip is executed, it also searches through the C through Z drives of your computer system and selects a series of files of any file extension to destroy by making them 0 bytes long. This can leave data, and possibly the computer system itself, non-recoverable.


Repair Notes:

To remove this worm, one should perform the following steps:

  1. Remove the line run=C:\WINDOWS\SYSTEM\Explore.exe from the WIN.INI file
  2. Delete the file "C:\WINDOWS\SYSTEM\EXPLORE.EXE". One may need to reboot first, if the file is currently in use.
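
Step 1 as a script, added here as an example and not Symantec's own tool: it finds the worm's entry on the run= line of the [windows] section of WIN.INI and removes only that entry, so other programs started from the same line are kept (a generalization of step 1). The function name, the sample file contents and the assumption that run= entries are separated by spaces or commas are not from the page.

```python
import re

# Path taken from the repair notes on this page; compared case-insensitively.
WORM_PATH = r"C:\WINDOWS\SYSTEM\Explore.exe"

# Constructed sample WIN.INI, not taken from an infected machine.
SAMPLE_WIN_INI = (
    "[windows]\r\n"
    "load=\r\n"
    "run=C:\\TOOLS\\CLOCK.EXE c:\\windows\\system\\explore.exe\r\n"
    "NullPort=None\r\n"
    "[Desktop]\r\n"
    "Wallpaper=(None)\r\n"
)

_SECTION = re.compile(r"^\s*\[(.+?)\]\s*$")
_RUN = re.compile(r"^\s*(run)\s*=(.*)$", re.IGNORECASE)


def clean_win_ini(text):
    """Return (cleaned_text, findings); findings are (line_no, original_line)."""
    findings, out, section = [], [], None
    for no, raw in enumerate(text.splitlines(keepends=True), 1):
        line = raw.rstrip("\r\n")
        eol = raw[len(line):]          # keep the file's own line endings
        sec = _SECTION.match(line)
        if sec:
            section = sec.group(1).lower()
        # Only the run= key of the [windows] section is an autostart entry here.
        entry = _RUN.match(line) if section == "windows" else None
        if entry:
            # Assumption: programs on run= are separated by spaces or commas.
            programs = [p for p in re.split(r"[ ,]+", entry.group(2)) if p]
            # Exact path match, so a legitimate EXPLORER.EXE is never touched.
            kept = [p for p in programs if p.lower() != WORM_PATH.lower()]
            if len(kept) != len(programs):
                findings.append((no, line))
                # An empty "run=" starts nothing, same effect as removing the line.
                line = entry.group(1) + "=" + " ".join(kept)
        out.append(line + eol)
    return "".join(out), findings


if __name__ == "__main__":
    cleaned, hits = clean_win_ini(SAMPLE_WIN_INI)
    for no, line in hits:
        print(f"WIN.INI line {no}: {line}")
    print(cleaned, end="")
```

The script works on the text of WIN.INI only; deleting EXPLORE.EXE itself (step 2) is still done by hand.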

Norton AntiVirus users can protect themselves from this worm by downloading the current virus definitions either through LiveUpdate or from the following webpage:

http://www.symantec.com/avcenter/download.html

Write-up by: Eric Chien
Update: June 9, 1999





Cross-reference data provided by Project VGrep.
Implemented with permission of Virus Bulletin.