Symantec Offers Free Online Fix for Destructive Worm.ExploreZip Worm
Cupertino, Calif. June 14, 1999 - Symantec Corporation
(Nasdaq: SYMC) today announced that a free tool to remove an active
Worm.ExploreZip infection is available on its web site at http://www.sarc.com.
The KILL_EZ.EXE tool removes infection from computers running on Windows 95,
Windows 98 or Windows NT.
While protection has been available to Symantec Norton AntiVirus users via
current virus definitions through LiveUpdate, the KILL_EZ.EXE tool does not
require anti-virus software to run.
"Symantec AntiVirus Research Center (SARC) is offering this as a public service
to administrators and other users," said Carey Nachenberg, chief researcher with
SARC. "Administrators can use this tool to clean up infested networks and deploy
via login scripts to rapidly cure the problem." While the tool removes
Worm.ExploreZip, to have continued protection against malicious threats an
anti-virus solution-such as Norton AntiVirus-is recommended.
The Worm.ExploreZip worm contains a malicious payload that can result in
non-recoverable data and/or inoperable computer systems. The KILL_EZ.EXE tool
performs the following tasks (upon verifying the system is infected by
Finally, the tool deletes the EXPLORE.EXE file from the
Windows system directory.
- Under Windows NT-removes changes made to the Windows
Registry by the worm. Specifically, it deletes the registry value EY_CURRENT_USER\Software\Microsoft\WindowsNTCurrentVersion\Windows\Run
- Under Windows 95-removes changes made to the WIN.INI
file, found in the Windows directory. Specifically, it
will delete the line:
- KILL_EZ.EXE then completely removes the Worm.ExploreZip program from memory.
- Under Windows 95, or Windows 98, it will delete:
- Under Windows NT, it will delete c:
Upon completion, KILL_EZ.EXE reports whether the system was infected with
Worm.ExploreZip and, if infected, the system reports successful removal of the
Worm.ExploreZip utilizes MAPI commands and Microsoft Outlook on Windows systems
to propagate itself. The worm was first discovered in Israel and submitted to the
Symantec AntiVirus Research Center (SARC) on June 6, 1999.
Norton AntiVirus users are advised to protect themselves from this worm by
downloading the current virus definitions through LiveUpdate or from the Symantec
web site at www.symantec.com/avcenter/download.html.
Symantec AntiVirus Research Center (SARC)
SARC is the industry's largest dedicated team of virus experts. With offices
located in the United States, Japan, Australia, and the Netherlands, the sun
never sets on SARC. The center's mission is to provide swift, global responses to
computer virus threats, proactively research and develop technologies that
eliminate such threats, and educate the public on safe computing practices. As
new computer viruses appear, SARC develops identification and detection for these
viruses, and provides either a repair or delete operation, thus keeping users
protected against the latest virus threats.
Symantec is the world leader in utility software for business and personal computing.
Symantec products and solutions help make users productive and keep their computers
safe and reliable anywhere and anytime. Symantec offers a broad range of solutions
and is acclaimed as a leader in both customer satisfaction and product brand
recognition. Symantec is traded on Nasdaq under the symbol SYMC. More information
on the company and its products can be obtained at www.symantec.com.
NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products,
view the Symantec Press Center at www.symantec.com/PressCenter/ on Symantec's Website.
Brands and products referenced herein are the trademarks or registered trademarks of their
respective holders. All prices noted are in US dollars and are valid only in the United States.