
Worm.ExploreZip

Risk Level 1: Very Low

Discovered:
June 6, 1999
Updated:
May 1, 2007 10:34:31 AM
Also Known As:
I-Worm.ZippedFiles [Kaspersky], Win32/ExploreZip.Worm [Computer Associates], W32/ExploreZip@MM [McAfee]
Type:
Worm
Infection Length:
210,432 bytes
Systems Affected:
Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
Worm.ExploreZip is a worm that contains a malicious payload. The worm utilizes Microsoft Outlook, Outlook Express, or Exchange to mail itself out by replying to unread messages in your Inbox. The email attachment is Zipped_files.exe.

The worm also searches mapped drives and networked computers for Windows installations. If found, it copies itself to the \Windows folder of the remote computer and then modifies the Win.ini file of the infected computer.

On January 8, 2003, Security Response discovered a packed variant of this threat which exhibits the same characteristics. Protection will be available for this new variant in virus definitions dated 1/8/2003 with a version number of 50108q (20030108.017) or greater.
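One way to check a machine for the Win.ini change described above, as an added example that is not part of the original writeup. The writeup does not say which Win.ini entry is modified; this sketch assumes the standard autostart keys `load=` and `run=` in the `[windows]` section, and the sample file and allowlist are constructed for illustration.

```python
import ntpath

# Win.ini launch points in [windows]; assumed here to be what the worm edits.
AUTOSTART_KEYS = {"load", "run"}

def autostart_entries(ini_text):
    """Return [(key, program_path), ...] found in the [windows] section."""
    entries, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names are case-insensitive
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in AUTOSTART_KEYS:
            # A value may list several programs separated by spaces or commas.
            for prog in value.replace(",", " ").split():
                entries.append((key, prog))
    return entries

def unexpected_entries(ini_text, allowed):
    """Autostart entries whose file name is not in the caller's allowlist."""
    allowed = {name.lower() for name in allowed}
    return [(k, p) for k, p in autostart_entries(ini_text)
            if ntpath.basename(p).lower() not in allowed]

# Constructed sample Win.ini; paths and program names are hypothetical.
SAMPLE = r"""
; constructed sample
[windows]
load=C:\TOOLS\CLOCK.EXE
run=C:\WINDOWS\unknown.exe, C:\UTIL\tray.exe
NullPort=None

[Desktop]
run=ignored.exe
"""

if __name__ == "__main__":
    for key, prog in unexpected_entries(SAMPLE, {"clock.exe", "tray.exe"}):
        print(f"review {key}= entry: {prog}")
```

Run it against a copy of each machine's Win.ini, including machines reachable over mapped drives, with an allowlist built from a known-clean installation.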

Antivirus Protection Dates

  • Initial Rapid Release version June 9, 1999
  • Latest Rapid Release version May 9, 2011 revision 040
  • Initial Daily Certified version June 9, 1999
  • Latest Daily Certified version May 10, 2011 revision 003
  • Initial Weekly Certified release date June 9, 1999

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 50 - 999
  • Number of Sites: 3 - 9
  • Geographical Distribution: Low
  • Threat Containment: Moderate
  • Removal: Moderate

Damage

  • Damage Level: High
  • Payload: In addition, when Worm.ExploreZip is executed, it also searches through the C through Z drives of your computer system and accessible network machines for particular files. The worm selects a series of files to destroy of multiple file extensions (includi
  • Large Scale E-mailing: Using MS Outlook/Express/MS Exchange
  • Deletes Files: All files with .c, .cpp, .h, .asm, .doc, .ppt, .xls extensions
  • Modifies Files: WIN.INI
  • Degrades Performance: Increased hard-drive activity, unrecoverable loss of data

Distribution

  • Distribution Level: High
  • Subject of Email: Subject corresponds to a reply from a known e-mail recipient to the previously sent e-mail
  • Name of Attachment: Zipped_files.exe
  • Size of Attachment: One file
  • Shared Drives: Infects all local and mapped network drives
  • Target of Infection: Windows 9x / NT systems
Writeup By: Eric Chien
