A new worm called "ExploreZip" is spreading via e-mail attachments (similar to the infamous Melissa virus). This worm has already infected Microsoft, Intel and many others, causing considerable slow-down (and in some cases an actual denial of service) of mail servers and network resources.
Most major anti-virus applications can now detect and clean this virus.
Try the following links for updated anti-virus versions:
Central Command
Command Software Systems, Inc
Computer Associates
Data Fellows
McAfee
Network Associates
Sophos
Symantec
Trend Micro Inc.
This new Worm/Trojan spreads via e-mail messages that contain the text:
Hi [youname]!
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
Bye.
A file called zipped_files.exe is attached to this message. When it is run, the following message is displayed: "Cannot open file: it does not appear to be a valid archive." Meanwhile, the worm copies itself to the Windows system directory (Windows\system on Windows 95/98, or Winnt\system32 on Windows NT) with the filename Explore.exe or _setup.exe.
A new entry in the WIN.INI file (Windows 95/98) or the Registry (Windows NT) will be added, so the worm is executed when Windows starts.
In normal operation, the worm looks in the e-mail client's inbox directory, and whenever it finds an unread message, it replies to that message with the above e-mail (this is how the worm spreads).
This worm is destructive: while active, it searches the entire hard drive for all .h, .c, .cpp, .asm, .doc, .xls and .ppt files (this includes Word documents, Excel worksheets, PowerPoint slides, source code files, etc.). Whenever a file with one of those extensions is found, its content is deleted and a zero-sized file is left (making restoration of the original file extremely difficult).
How to remove it from your system
Under Windows '95/98, locate the following line in your WIN.INI:
run=C:\WINDOWS\SYSTEM\Explore.exe
or
run=C:\WINDOWS\SYSTEM\_setup.exe
and remove it.
Under Windows NT:
Locate the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
and delete references to Explore.exe or _setup.exe.
Now delete the file Explore.exe or _setup.exe from your Windows system directory. If the file is currently in use (this means the worm is currently active), reboot first.
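The following Python script is an added example, not part of the original advisory: it checks WIN.INI text for the run= entries named above and lists zero-length files with the extensions the worm targets, to help gauge how much was destroyed. The function names and the sample WIN.INI are constructed for illustration.

```python
import os
import re

# File names and extensions below are taken from the advisory text.
WORM_FILES = {"explore.exe", "_setup.exe"}
TARGET_EXTS = {".h", ".c", ".cpp", ".asm", ".doc", ".xls", ".ppt"}

# Constructed sample of an infected Windows 95/98 WIN.INI.
SAMPLE_WIN_INI = r"""[windows]
run=C:\WINDOWS\SYSTEM\Explore.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

def suspicious_run_lines(win_ini_text):
    """Return run= lines in the [windows] section that start a worm file."""
    hits, section = [], ""
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        m = re.match(r"run\s*=\s*(.*)", line, re.IGNORECASE)
        if section != "windows" or not m:
            continue
        # Compare each base name exactly, so Explorer.exe is not flagged.
        for prog in re.split(r"[,\s]+", m.group(1)):
            if prog.replace("/", "\\").rsplit("\\", 1)[-1].lower() in WORM_FILES:
                hits.append(line)
                break
    return hits

def truncated_files(root):
    """List zero-length files under root with an extension the worm targets."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            try:
                if ext in TARGET_EXTS and os.path.getsize(path) == 0:
                    found.append(path)
            except OSError:
                continue  # entry vanished or is unreadable
    return sorted(found)

if __name__ == "__main__":
    print(suspicious_run_lines(SAMPLE_WIN_INI), truncated_files("."))
```

A zero-length file is not proof of infection on its own, since empty files can exist for legitimate reasons; treat the list as candidates to restore from backup.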