Operating System:


14 May 1999

Protect yourself against future threats.


              AUSCERT External Security Bulletin Redistribution
                 ESB-1999.078 -- CIAC INFORMATION BULLETIN
                         J-047 The ExploreZip Worm
                               15 May 1999


The U.S. Department of Energy Computer Incident Advisory Capability has
released the following bulletin concerning the Windows 9x/NT Trojan horse
worm ExploreZip including information on how to detect and remove it from
infected systems.

- --------------------------BEGIN INCLUDED TEXT--------------------



                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_   /
                          \___  __|__  /     \___

                             INFORMATION BULLETIN

                              The ExploreZip Worm

June 11, 1999 23:00 GMT                                           Number J-047
PROBLEM:        A new worm program named zipped_files.exe spreads itself as
                an attachment to e-mail messages and destroys document files.                                                                  
PLATFORM:       Windows 95, Windows 98, and Windows NT.  Outlook or Exchange
                are need to spread.                                                           
DAMAGE:         The worm sends copies of itself to everyone in your inbox and
                destroys files with the extensions: .h, .c, .cpp, .asm, .doc,
                .xls, and .ppt.                                                   
SOLUTION:       Do not automatically run an attached file named
                zipped_files.exe even if it appears to have come from a
                friend. Update your antivirus software to detect this worm.                                                          
VULNERABILITY   Severe Risk:  While this worm does not appear to be spreading                                                             
ASSESSMENT:     as rapidly as the Melissa virus, the payload can do severe
                damage to an organization by deleting all Microsoft Office
                documents and computer program source files.                                                             

                           The ExploreZip Worm


CIAC has received reports of the spread of a new worm program called ExploreZip
(alias: W32/ExploreZip.worm, Worm.ExploreZip). The worm spreads in a manner
similar to the W97M.Melissa virus. The worm arrives as an attachment to an e-
mail message. When a user double clicks on that attachment, the worm program
runs and spreads itself by sending replies to all the mail in your inbox with
the worm program as an attachment. Different from the Melissa macro virus, this
is a worm program in that it does not infect other programs or documents. It is
also executable code instead of a macro program so the macro detection
capability in Microsoft Word will not protect you from this worm. The worm has a
payload that destroys Microsoft Office documents and program source code files.

As this is object code (binary) it only runs on INTEL platforms running Windows
95, Windows 98, and Windows NT. It cannot run on Macintosh or other hardware
types and cannot run on earlier versions of windows or on DOS. In order to
spread using e-mail, the worm needs Outlook or Microsoft Exchange. However, the
payload will run and destroy files even if the program cannot spread itself via

Worm Operation
The worm is an executable program named "Zipped_files.exe" that appears to be a
self extracting ZIP archive. It arrives as an attachment to an e-mail message
with the following content:

     Hi <recipient>!

     I received your email and I shall send you a
     reply ASAP.

     Til then, take a look at the attached zipped


The message appears to be a reply to one of your messages. The subject of the
mail message is variable and appears to be a reply to a message from you.

When a user double clicks on the attached worm program, it puts up the following
dialog box that makes the file appear to be a damaged zip archive.

| Error                                                           X|
|                                                                  |
|   X   Cannot open file: it does not appear to be a valid archive.|
|       If this file is part of a ZIP format backup set, insert    |
|       the last disk of the backup set and try again. Please      |
|       press F1 for help.                                         |
|                           -------------                          |
|                           |     OK    |                          |
|                           -------------                          |
- - --------------------------------------------------------------------

Pressing F1 does nothing and clicking OK simply closes the dialog box. If WinZip
is installed on the system, it will open with the empty zip file:
Zipped_files.zip, again making it appear to be a damaged zip archive.

As the worm continues executing, it searches the inbox of your mail program and
sends a reply to every message it finds there, adding the message listed above
and attaching the worm program file.

When it has finished sending mail, it stores a copy of itself on your system and
sets that copy to be executed at system startup time. On Windows 95 and Windows
98 systems, it stores a copy of itself in:


and places the following line in the win.ini file to restart the worm every time
you run Windows.


If your active windows directory is not C:WINDOWS, replace C:WINDOWS in the
command and file location above with the path to your active Windows directory.

On Windows NT systems, it stores copies of itself in:


If your active Windows NT directory is not c:winnt, replace c:winnt in the
file locations above with the path to your active Windows NT directory.

The worm then changes the value of the following registry key to "_setup.exe",
which runs the _setup.exe program at startup.


After installing itself, the worm runs its payload. The payload searches your
lettered hard disk drives (C: through Z:) for programming source code files with
the extensions:

    .h    .c    .cpp    .asm

(C header files, C programs, C++ programs, and assembly language programs) and
Microsoft Office documents with the extensions:

    .doc    .xls    .ppt

(Word documents, Excel documents, and PowerPoint documents) and changes them to
a zero length file, making them nearly impossible to recover. You might be able
to recover parts of a file using a disk editor but that would be a difficult and
time consuming process.

Detecting An Infection

Infections with ExploreZip are easy to detect. Press Ctrl-Alt-Del and open the
Task Manager as shown here. On Windows NT, press Ctrl-Alt-Del, click the Task
Manager button, and then choose the Processes tab. The dialog box shown by
Windows NT is slightly different from that shown here but has the same function.
| Close Program                                          ? X|
|   -----------------------------------------------------|  |
|   |Exploring-temp                                      |  |
|   |Explorer                                            |  |
|   |Zipped_file                                         |  |
|   |Osa                                                 |  |
|   |Systray                                             |  |
|   |Navapw32                                            |  |
|   |Winzip32                                            |  |
|   |                                                    |  |
|   |                                                    |  |
|   -----------------------------------------------------|  |
|   WARNING: Pressing CTRL-ALT-DEL again will restart your  |
|   computer. You will lose unsaved information in all      |
|   programs that are running.                              |
|                                                           |
|   --------------       ---------------      ------------  |
|   |  End Task  |       |  Shut Down  |      |  Cancel  |  |
|   --------------       ---------------      ------------  |
- - -------------------------------------------------------------

Note the task named Zipped_file (Zipped_files.ex on Windows NT). This is the
running worm program. To stop it, select Zipped_file (or Zipped_files.ex) and
click End Task. If you have restarted your system since the infection, you will
see the process Explore (_setup.exe on Windows NT) instead of Zipped_file.
Again, to stop that process, select it and click End Task. Do not confuse the
task Explore with the task Explorer as they are different. The Explorer task is
the Windows explorer program.

Removing An Infection

The easiest way to eliminate the worm from your system is to use an updated
antivirus package. However, to do it by hand, perform these steps:

1. Press Ctrl-Alt-Del to open the task manager.

2. Select the Zipped_file or Explore (Zipped_files.ex or _setup.exe for Windows
NT) process (whichever is running) and click End Task

3. Delete all copies of zipped_file.exe from your system. These will be in the
download or attachments directory of your mail program.

4. Delete the file c:windowssystemexplore.exe or for Windows NT, delete
c:winntsystem32explore.exe and c:winnt\_setup.exe.

5. Edit c:windowswin.ini and remove the line

   Or in Windows NT, run Regedit.exe and delete the value of the key:


Most antivirus vendors already have detection and removal capabilities available
for this worm and we expect the others to have them soon. Of the vendors that
have a solution available, you may need to download it from their web pages and
not depend on the automatic update features of the product. We expect the
automatic update features to have this worm definition soon.

The following vendors have solutions now:

Symantec (NAV)

Network Associates (McAfee)

DataFellows (F-PROT)


All users are cautioned to think before double clicking on a file included as an
attachment to any e-mail message, even if that message appears to come from a
friend. If that attachment is a Microsoft Office document and you have macro
detection turned on, then you can double click the attachment and the macro
detection capability will stop the document from loading if it contains a macro
program. It will then give you the choice to enable or disable the macros.
Remember, disable macros unless you are expecting to receive them.

If the attachment is an executable program, scan it with your antivirus utility
before running it. If it passes the antivirus scan, you might still want to
reconsider running it if it comes from someone you do not know or is an
unexpected delivery from someone you do know. Call the person up on the phone
(don't send them e-mail) and ask him if he sent you an executable before running
the file. If you send him an e-mail and he is infected with this worm, you will
likely receive a reply (from the worm) saying "take a look at the attached
zipped docs".

If the file is a self extracting archive, open it with the archive program (for
example, WinZip) instead of running the archive itself. You can still get the
files out of the archive but without running the executable part (the self
extractor) of the archive file.
Thanks to Symantec and Network Associates for their early warning and analysis
of this worm.

For additional information or assistance, please contact CIAC:

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), use one of the following methods to contact CIAC:

    1.  Call the CIAC voice number 925-422-8193 and leave a message, or

    2.  Call 888-449-8369 to send a Sky Page to the CIAC duty person or

    3.  Send e-mail to 4498369@skytel.com, or

    4.  Call 800-201-9288 for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov)
   Modem access:        +1 (925) 423-4753 (28.8K baud)
                        +1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
3. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:

E-mail to       ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov:
        subscribe list-name
  e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

J-036: LDAP Buffer overflow against Microsoft Directory Services
J-037: W97M.Melissa Word Macro Virus
J-038: HP-UX Vulnerabilities (hpterm, ftp)
J-039: HP-UX Vulnerabilities (MC/ServiceGuard & MC/LockManager, DES
J-040: HP-UX Security Vulnerability in sendmail
J-041: Cisco IOS(R) Software Input Access List Leakage with NAT
J-042: Web Security
J-043: (bulletin in process)
J-044: Tru64/Digital UNIX (dtlogin) Security Vulnerability
J-045: Vulnerability in statd exposes vulnerability in automountd
J-046: HP-UX VVOS NES Vulnerability

Version: 4.0 Business Edition


- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It will
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key