Symantec United States
global sites
products and services
purchase
support
security response
downloads
about symantec
search
feedback


© 1995-2007 Symantec Corporation.
All rights reserved.
Legal Notices
Privacy Policy

masthead
 
News Release

Symantec Offers Free Online Fix for Destructive Worm.ExploreZip Worm

Cupertino, Calif. June 14, 1999 - Symantec Corporation (Nasdaq: SYMC) today announced that a free tool to remove an active Worm.ExploreZip infection is available on its web site at http://www.sarc.com. The KILL_EZ.EXE tool removes infection from computers running on Windows 95, Windows 98 or Windows NT.

While protection has been available to Symantec Norton AntiVirus users via current virus definitions through LiveUpdate, the KILL_EZ.EXE tool does not require anti-virus software to run.

"Symantec AntiVirus Research Center (SARC) is offering this as a public service to administrators and other users," said Carey Nachenberg, chief researcher with SARC. "Administrators can use this tool to clean up infested networks and deploy via login scripts to rapidly cure the problem." While the tool removes Worm.ExploreZip, to have continued protection against malicious threats an anti-virus solution-such as Norton AntiVirus-is recommended.

The Worm.ExploreZip worm contains a malicious payload that can result in non-recoverable data and/or inoperable computer systems. The KILL_EZ.EXE tool performs the following tasks (upon verifying the system is infected by Worm.ExploreZip):

  • Under Windows NT-removes changes made to the Windows Registry by the worm. Specifically, it deletes the registry value EY_CURRENT_USER\Software\Microsoft\WindowsNTCurrentVersion\Windows\Run

  • Under Windows 95-removes changes made to the WIN.INI file, found in the Windows directory. Specifically, it will delete the line:
    run=c:\windows\system\explore.exe.

  • KILL_EZ.EXE then completely removes the Worm.ExploreZip program from memory.

Finally, the tool deletes the EXPLORE.EXE file from the Windows system directory.

  • Under Windows 95, or Windows 98, it will delete:
    C:\WINDOWS\SYSTEM\EXPLORE.EXE.

  • Under Windows NT, it will delete c:
    \WINDOWS\SYSTEM32\EXPLORE.EXE.

Upon completion, KILL_EZ.EXE reports whether the system was infected with Worm.ExploreZip and, if infected, the system reports successful removal of the worm.

Worm.ExploreZip utilizes MAPI commands and Microsoft Outlook on Windows systems to propagate itself. The worm was first discovered in Israel and submitted to the Symantec AntiVirus Research Center (SARC) on June 6, 1999.

Norton AntiVirus users are advised to protect themselves from this worm by downloading the current virus definitions through LiveUpdate or from the Symantec web site at www.symantec.com/avcenter/download.html.

Symantec AntiVirus Research Center (SARC)
SARC is the industry's largest dedicated team of virus experts. With offices located in the United States, Japan, Australia, and the Netherlands, the sun never sets on SARC. The center's mission is to provide swift, global responses to computer virus threats, proactively research and develop technologies that eliminate such threats, and educate the public on safe computing practices. As new computer viruses appear, SARC develops identification and detection for these viruses, and provides either a repair or delete operation, thus keeping users protected against the latest virus threats.

About Symantec
Symantec is the world leader in utility software for business and personal computing. Symantec products and solutions help make users productive and keep their computers safe and reliable anywhere and anytime. Symantec offers a broad range of solutions and is acclaimed as a leader in both customer satisfaction and product brand recognition. Symantec is traded on Nasdaq under the symbol SYMC. More information on the company and its products can be obtained at www.symantec.com.

NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products, view the Symantec Press Center at www.symantec.com/PressCenter/ on Symantec's Website.

Brands and products referenced herein are the trademarks or registered trademarks of their respective holders. All prices noted are in US dollars and are valid only in the United States.