exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

worm.explore.zip.analysis.txt

worm.explore.zip.analysis.txt
Posted Aug 17, 1999
Authored by Simple Nomad

Excellent and detailed analysis of the 'Worm.ExploreZip' trojan/worm that is wreaking havoc all over the world at an alarming rate.

tags | exploit, worm, trojan
SHA-256 | 48153de3b1b61f9b37e261a3ec2cabc5593b85b2aa89c9b07e92d902ed94e340

worm.explore.zip.analysis.txt

Change Mirror Download
Date: Thu, 10 Jun 1999 22:30:25 -0500
From: Simple Nomad <thegnome@NMRC.ORG>
To: BUGTRAQ@netspace.org
Subject: Info on Worm.ExploreZip

Info on Worm.ExploreZip:

I'm in the process of cleanup - my day job employer got hit, and we're NT
with no 95/98 to speak of. Here are some interesting tidbits that I
haven't seen on some of the commercial Anti-Virus web sites regarding NT.

Payload:

- The trojan can come into any email client, obviously. If executed, it
will proceed to go active in memory. In other words, you do not need
Outlook for the Payload to activate, just a Win32 machine. A Notes mail
client user probably did the most damage in our environment to network NT
file servers.
- It will have a process running called _setup.exe, zipped_f.exe, and
possibly explore.exe.
- One of our users reported seeing explore.exe running as an application,
although I wasn't able to confirm this.
- It deletes files with *.h, *.c, *.cpp, *.asm, *.doc, *.xls, and *.ppt
extensions on all drives (C through Z) that are currently mapped.
- Every few minutes it will repeat the deletion process. This is
particularly nasty if you are trying to do restores to network drives
while the virus is still active in your environment.

Progation:

- On the Melissa-style method of propagation, it checks the user's Inbox
in Outlook. The Outlook client does not have to be running, as the trojan
uses MAPI calls.
- Propagation is triggered by the arrival of a new message into the
Outlook's Inbox.
- Once triggered, the virus takes the first two names in the header and
uses it to plug into the text of the message. If more than one user name
is in the message header (possible if you are using distribution lists or
role-based mail boxes that forward mail to multiple people) it is possible
the names will not be in the correct order. Also if you use Lastname,
Firstname as a naming convention you will get Lastname, plugged into the
messages.
- It creates the message with the names and attaches the trojan, naming it
zipped_files.exe with the happy message as reported on most Anti-Virus
vendor sites.
- In other words, you send an email to billg@microsoft.com with a subject
of Microsoft Sucks, he's infected and his machine is up and running, you
will get a reply with a subject of Re: Microsoft Sucks with the
attachment. I mean he says he'll get back with you and to read the
attached zipped docs, and you being Joe/Josey corporate user check it out.
False message saying it's a corrupt zip, blah, blah, blah, and now you're
sending out trojans.

We got hit when email was sent to some engineers at Microsoft, and the
reply came back with the trojan. The nature of the email sent to Microsoft
was "where is the info we requested" so it seemed natural that the
attachment was supposed to be a self-extracting zip. That's right,
Microsoft got hit, so I would guess a few source code files and Office
docs were wiped. Hopefully as Microsoft starts the slow process of
restoring Office docs and source code (!) they will discover what the
rest of us have known all along -- the security model is less than ideal
(which is, um, an understatement).

Another interesting note, the APIs that the Exchange Anti-Virus vendors
use to scan Exchange mailstores only scan on messages inbound to the
mailstore. This means that outbound messages are not scanned. We had an
affected machine that replied to messages from the Internet with the
trojan attachment as our Exchange outbound goes straight to a Unix machine
on its way to the Internet. Fortunately we had a process running on the
Unix box to catch inbound and outbound email with the attachments named
zipped_files.exe and it was stopped, but this was why we saw our Exchange
AntiVirus *not* catch the message. Why do the Anti-Virus vendors only use
APIs that catch inbound messages? Because that is all Microsoft has given
them. Most of the vendors have really been pressuring Microsoft to release
info about coding to check for outbound messages.

Final tidbits (sorry if this message isn't very coherent, it's late and
I've been up a long time): the trojan was written using Borland Delphi,
and was possibly compiled on April 14, 1999. Obviously the virus writer
got the idea for the propagation method from Melissa, and one can only
wonder what the next worm/trojan/virus will do.

Simple Nomad //
thegnome@nmrc.org // ....no rest for the Wicca'd....
www.nmrc.org //

----------------------------------------------------------------------------

Date: Thu, 10 Jun 1999 23:58:21 -0400
From: CERT Advisory <cert-advisory@cert.org>
Reply-To: cert-advisory-request@cert.org
To: cert-advisory@coal.cert.org
Subject: CERT Advisory CA-99.06 - ExploreZip Trojan Horse Program

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-99-06 ExploreZip Trojan Horse Program

Original issue date: Thursday June 10, 1999
Source: CERT/CC

Systems Affected

* Machines running Windows 95, Windows 98, or Windows NT.
* Any mail handling system could experience performance problems or
a denial of service as a result of the propagation of this Trojan
horse program.

Overview

The CERT Coordination Center continues to receive reports and
inquiries regarding various forms of malicious executable files that
are propagated as file attachments in electronic mail.

Most recently, the CERT/CC has received reports of sites affected by
ExploreZip, a Windows Trojan horse program.

I. Description

The CERT/CC has received reports of a Trojan horse program that is
propagating in email attachments. This program is called ExploreZip.
The number and variety of reports we have received indicate that this
has the potential to be a widespread attack affecting a variety of
sites.

Our analysis indicates that this Trojan horse program requires the
victim to run the attached zipped_files.exe program in order install a
copy of itself and enable propagation.

Based on reports we have received, systems running Windows 95, Windows
98, and Windows NT are the target platforms for this Trojan horse
program. It is possible that under some mailer configurations, a user
might automatically open a malicious file received in the form of an
email attachment. This program is not known to exploit any new
vulnerabilities. While the primary transport mechanism of this program
is via email, any way of transferring files can also propagate the
program.

The ExploreZip Trojan horse has been propagated in the form of email
messages containing the file zipped_files.exe as an attachment. The
body of the email message usually appears to come from a known email
correspondent, and may contain the following text:

I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.

The subject line of the message may not be predictable and may appear
to be sent in reply to previous email.

Opening the zipped_files.exe file causes the program to execute. At
this time, there is conflicting information about the exact actions
taken by zipped_files.exe when executed. One possible reason for
conflicting information may be that there are multiple variations of
the program being propagated, although we have not confirmed this one
way or the other. Currently, we have the following general information
on actions taken by the program.

* The program searches local and networked drives (drive letters C
through Z) for specific file types and attempts to erase the
contents of the files, leaving a zero byte file. The targets may
include Microsoft Office files, such as .doc, .xls, and .ppt, and
various source code files, such as .c, .cpp, .h, and .asm.
* The program propagates by replying to any new email that is
received by an infected computer. A copy of zipped_files.exe is
attached to the reply message.
* The program creates an entry in the Windows 95/98 WIN.INI file:
run=C:\WINDOWS\SYSTEM\Explore.exe
On Windows NT systems, an entry is made in the system registry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows
NT\CurrentVersion\Windows]
run = "c:\winnt\system32\explore.exe"
* The program creates a file called explore.exe in the following
locations:
Windows 95/98 - c:\windows\system\explore.exe
Windows NT - c:\winnt\system32\explore.exe
This file is a copy of the zipped_files.exe Trojan horse, and the
file size is 210432 bytes.
MD5 (Explore.exe) = 0e10993050e5ed199e90f7372259e44b

We will update this advisory with more specific information as we are
able to confirm details. Please check the CERT/CC web site for the
current version containing a complete revision history.

II. Impact

* Users who execute the zipped_files.exe Trojan horse will infect
the host system, potentially causing targeted files to be
destroyed.
* Indirectly, this Trojan horse could cause a denial of service on
mail servers. Several large sites have reported performance
problems with their mail servers as a result of the propagation of
this Trojan horse.

III. Solution

Use virus scanners

In order to detect and clean current viruses you must keep your
scanning tools up to date with the latest definition files.

Please see the following anti-virus vendor resources for more
information about the characteristics and removal techniques for the
malicious file known as ExploreZip.

Central Command
http://www.avp.com/upgrade/upgrade.html

Command Software Systems, Inc
http://www.commandcom.com/html/virus/explorezip.html

Computer Associates
http://support.cai.com/Download/virussig.html

Data Fellows
http://www.datafellows.com/news/pr/eng/19990610.htm

McAfee, Inc. (a Network Associates company)
http://www.mcafee.com/viruses/explorezip/protecting_yourself.as
p

Network Associates Incorporated
http://www.avertlabs.com/public/datafiles/valerts/vinfo/va10185
.asp

Sophos, Incorporated
http://www.sophos.com/downloads/ide/index.html#explorez

Symantec
http://www.sarc.com/avcenter/download.html

Trend Micro Incorporated
http://www.antivirus.com/download/pattern.htm

General protection from email Trojan horses and viruses

Some previous examples of malicious files known to have propagated
through electronic mail include
* False upgrade to Internet Explorer - discussed in CA-99-02
http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html
* Melissa macro virus - discussed in CA-99-04
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
* Happy99.exe Trojan Horse - discussed in IN-99-02
http://www.cert.org/incident_notes/IN-99-02.html
* CIH/Chernobyl virus - discussed in IN-99-03
http://www.cert.org/incident_notes/IN-99-03.html

In each of the above cases, the effects of the malicious file are
activated only when the file in question is executed. Social
engineering is typically employed to trick a recipient into executing
the malicious file. Some of the social engineering techniques we have
seen used include
* Making false claims that a file attachment contains a software
patch or update
* Implying or using entertaining content to entice a user into
executing a malicious file
* Using email delivery techniques which cause the message to appear
to have come from a familiar or trusted source
* Packaging malicious files in deceptively familiar ways (e.g., use
of familiar but deceptive program icons or file names)

The best advice with regard to malicious files is to avoid executing
them in the first place. CERT advisory CA-99-02 discusses Trojan
horses and offers suggestions to avoid them (please see Section V).

http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html

Additional information

Additional sources of virus information are listed at

http://www.cert.org/other_sources/viruses.html
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-99-06-explorezip.html.
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site http://www.cert.org/.

To be added to our mailing list for advisories and bulletins, send
email to cert-advisory-request@cert.org and include SUBSCRIBE
your-email-address in the subject of your message.

Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be
found in http://www.cert.org/legal_stuff.html.

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office
______________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.

Revision History

June 10, 1999: Initial release

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBN2B33nVP+x0t4w7BAQEsGQQAjO8XmCFoS5bE4l3+fDdrd7vUGHn3l1WZ
HyUPO25ddtd50rsyHCTaSuxr9HUuzswm4DI+T80y6nt5i+NTiSIKWjL0Qo8C+9Xn
BsHQqjmRdDrWD/r6+ZHnoekrgNWWM+1Uy8XITOyzfntGA2mGz/DGkyHq4afElZw6
3SLhZ6GPtjA=
=Ja0e
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------

Date: Fri, 11 Jun 1999 15:38:50 +1000
From: Brad Griffin <griffinb@hotkey.net.au>
To: BUGTRAQ@netspace.org
Subject: (Fwd) AVP News for 06/10/1999 - VIRUS ALERT

This was posted by the AVP people (you've all probably seen it)
------- Forwarded Message Follows -------
>From: "News Manager" <newsmgr@avp.com>
Organization: Central Command Inc.
To: avp-news@avp.com
Date sent: Thu, 10 Jun 1999 15:58:28 -0400
Subject: AVP News for 06/10/1999 - VIRUS ALERT
Send reply to: newsmgr@avp.com

AntiViral Toolkit Pro Newsletter for 06/10/1999
===============================================

If you suspect a virus infection you can download a free time limted,
fully functional trial version of AntiViral Toolkit Pro from
http://www.avp.com

VIRUS ALERT - I-Worm.ZippedFiles

AntiViral Toolkit Pro has been updated to detect and remove this
virus.

I-Worm.ZippedFiles

This is a worm virus spreading via Internet. It appears as a
"Zipped_Files.Exe" file attached to email. This file itself is a
Delphi executable files about 210Kb of length. The most part of
file's code is occupied by Delphi run-time libraries, data and
classes, and just about 10Kb of code is "pure" worm code.

Being executed it installs itself into the system, then sends
infected messages (with its attached copy) to addresses using
addresses found in emails in the Inbox. To hide its activity the worm
displays the message:

To install into the system the virus copies itself to Windows
directory with the _SETUP.EXE name and to Windows system directory
with EXPLORE.EXE name, for example:

C:\WINDOWS\_SETUP.EXE
C:\WINDOWS\SYSTEM\EXPLORE.EXE

The worm then registers its copy in the Windows configuration file
WIN.INI to force the system to execute it each time Windows starts
up. To do that the worm writes the instruction "run=" to the
[windows] section there. Depending on the worm "status" and system
conditions there are two possible variants of this instruction, for
example:

run=_setup.exe
run=C:\WINDOWS\SYSTEM\Explore.exe

The worm then stays "memory resident" and is active up to the moment the
system shuts down. The worm's task has no active window and is not visible
in taskbar, but is visible in the task list (Ctrl-Alt- Del) with one of
the names the worm use to name their copies:

Zipped_files
Explore
_setup

The worm does not check its copy already presented in the Windows
memory, and as a result there may be several worm's instances found.

Being active as a Windows application the worm runs four threads of
its main process: installation thread that copies worm files to the
Windows directories and registers them, the Internet spreading thread and
two files destroying threads.

The second (most important) thread sends the email messages using any
email system based on standard MAPI (Messaging Application Program
Interface) - MS Outlook, MS Outlook Express, e.t.c. The worm knocks to the
installed E-mail system four times trying to logon with different MAPI
profiles: default one, Microsoft Outlook, Microsoft Outlook Internet
Settings, Microsoft Exchange.

Being connected to the E-mail the worm monitors all arriving messages - in
endless loop it scans Inbox for messages and reply to them. The reply
message has the same Subject with "Re" prefix, the body of message looks
like follows:

Hi [recipient name]
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.

The message ends with one of two variants of signature:

bye.
sincerely [sender name]

The copy of worm is attached to the message with the
"Zipped_Files.Exe" name.

The worm does not reply on the messages twice and does not reply its own
messages. To detect already affected messages the worm marks them with TAB
character at the end of Subject string. Each time the worm scans Inbox for
messages, it gets Subject field, goes to its end, and skips the message if
TAB is found there. The worm also does not reply all messages in Inbox but
unread messages only.

It is necessary to note that both these conditions (reply unread
messages only and do not reply the same message twice) are optional
in the worm's infection routine. In known worm version both of them
are hardcoded the way described above, but it is possible that the
next worm version will answer all messages in Inbox each time the
worm infection thread gets control.


As a result the things look like follows. When the worm starts for
the first time on the computer, it sends infected messages by using
all unread messages found in the Inbox. It marks them as "affected"
by TAB character and does not affect anymore. When a new message is
received from the Internet and appears in the Inbox, it is
immediately "answered" by worm with the fake text shown above.


The virus has extremely dangerous payload. Each time it is executed, it
runs two more threads that scan directory trees on the local and network
drives, look for .C, .H, .CPP, .ASM, .DOC, .XLS, .PPT (programs' source
and MS Office files) and zeroes them. The worm uses a create-and-close
trick that erases file contents and sets file length to zero. As a result
the files become unrecoverable.

As it is mentioned above, there are two files killing threads. First of
them is active all time the worm copy is active in the system - till the
shutting down. In endless loop it scans all available drives from C: to Z:
and corrupts files that were listed above. The second thread is executed
only once. It enumerates network resources, scans them for the same files
and also destroys them.

------------------------------------------------------
You are receiving this newsletter because you
subscribed to our free newsletter service.

Central Command respects your online time and privacy.
If you would refer not to receive future issues of the
this newsletter you can unsubscribe yourself by
sending a e-mail message to:

majordomo@avp.com

In the body of the message please include the
following text to remove yourself from the mailing
list:

unsubscribe avp-news
-------------------------------------------------------
-
=========================================================
Central Command Inc. AntiViral Toolkit Pro
Antivirus Specialists http://www.avp.com
Complete Internet Virus Protection
Visit the Virus Encyclopedia http://www.avpve.com
=========================================================
Brad Griffin
2nd year BiT
Central Queensland University
Rockhampton QLD
Australia
**********************************
Is there anybody out there?
Join 'Team Hypersurf' in the
search for extra terrestrial
intelligence.
http://setiathome.ssl.berkeley.edu
**********************************

----------------------------------------------------------------------------

Date: Fri, 11 Jun 1999 18:25:24 -0700 (PDT)
From: CIAC Mail User <ciac@rumpole.llnl.gov>
To: ciac-bulletin@rumpole.llnl.gov
Subject: CIAC Bulletin J-047: The ExploreZip Worm

[ For Public Release ]
-----BEGIN PGP SIGNED MESSAGE-----

__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________

INFORMATION BULLETIN

The ExploreZip Worm


June 11, 1999 23:00 GMT Number J-047
______________________________________________________________________________
PROBLEM: A new worm program named zipped_files.exe spreads itself as
an attachment to e-mail messages and destroys document files.
PLATFORM: Windows 95, Windows 98, and Windows NT. Outlook or Exchange
are need to spread.
DAMAGE: The worm sends copies of itself to everyone in your inbox and
destroys files with the extensions: .h, .c, .cpp, .asm, .doc,
.xls, and .ppt.
SOLUTION: Do not automatically run an attached file named
zipped_files.exe even if it appears to have come from a
friend. Update your antivirus software to detect this worm.
______________________________________________________________________________
VULNERABILITY Severe Risk: While this worm does not appear to be spreading
ASSESSMENT: as rapidly as the Melissa virus, the payload can do severe
damage to an organization by deleting all Microsoft Office
documents and computer program source files.
______________________________________________________________________________

The ExploreZip Worm

Introduction
============

CIAC has received reports of the spread of a new worm program called ExploreZip
(alias: W32/ExploreZip.worm, Worm.ExploreZip). The worm spreads in a manner
similar to the W97M.Melissa virus. The worm arrives as an attachment to an e-
mail message. When a user double clicks on that attachment, the worm program
runs and spreads itself by sending replies to all the mail in your inbox with
the worm program as an attachment. Different from the Melissa macro virus, this
is a worm program in that it does not infect other programs or documents. It is
also executable code instead of a macro program so the macro detection
capability in Microsoft Word will not protect you from this worm. The worm has a
payload that destroys Microsoft Office documents and program source code files.

As this is object code (binary) it only runs on INTEL platforms running Windows
95, Windows 98, and Windows NT. It cannot run on Macintosh or other hardware
types and cannot run on earlier versions of windows or on DOS. In order to
spread using e-mail, the worm needs Outlook or Microsoft Exchange. However, the
payload will run and destroy files even if the program cannot spread itself via
e-mail.

Worm Operation
==============
The worm is an executable program named "Zipped_files.exe" that appears to be a
self extracting ZIP archive. It arrives as an attachment to an e-mail message
with the following content:

Hi <recipient>!

I received your email and I shall send you a
reply ASAP.

Til then, take a look at the attached zipped
docs.

bye

The message appears to be a reply to one of your messages. The subject of the
mail message is variable and appears to be a reply to a message from you.

When a user double clicks on the attached worm program, it puts up the following
dialog box that makes the file appear to be a damaged zip archive.

.------------------------------------------------------------------.
| Error X|
|------------------------------------------------------------------|
| |
| X Cannot open file: it does not appear to be a valid archive.|
| If this file is part of a ZIP format backup set, insert |
| the last disk of the backup set and try again. Please |
| press F1 for help. |
| ------------- |
| | OK | |
| ------------- |
- --------------------------------------------------------------------


Pressing F1 does nothing and clicking OK simply closes the dialog box. If WinZip
is installed on the system, it will open with the empty zip file:
Zipped_files.zip, again making it appear to be a damaged zip archive.

As the worm continues executing, it searches the inbox of your mail program and
sends a reply to every message it finds there, adding the message listed above
and attaching the worm program file.

When it has finished sending mail, it stores a copy of itself on your system and
sets that copy to be executed at system startup time. On Windows 95 and Windows
98 systems, it stores a copy of itself in:

c:\windows\system\explore.exe

and places the following line in the win.ini file to restart the worm every time
you run Windows.

run=C:\WINDOWS\System\Explore.exe

If your active windows directory is not C:\WINDOWS, replace C:\WINDOWS in the
command and file location above with the path to your active Windows directory.

On Windows NT systems, it stores copies of itself in:

c:\winnt\system32\explore.exe
c:\winnt\_setup.exe

If your active Windows NT directory is not c:\winnt, replace c:\winnt in the
file locations above with the path to your active Windows NT directory.

The worm then changes the value of the following registry key to "_setup.exe",
which runs the _setup.exe program at startup.

HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\
CurrentVersion\Windows\run

After installing itself, the worm runs its payload. The payload searches your
lettered hard disk drives (C: through Z:) for programming source code files with
the extensions:

.h .c .cpp .asm

(C header files, C programs, C++ programs, and assembly language programs) and
Microsoft Office documents with the extensions:

.doc .xls .ppt

(Word documents, Excel documents, and PowerPoint documents) and changes them to
a zero length file, making them nearly impossible to recover. You might be able
to recover parts of a file using a disk editor but that would be a difficult and
time consuming process.

Detecting An Infection
======================

Infections with ExploreZip are easy to detect. Press Ctrl-Alt-Del and open the
Task Manager as shown here. On Windows NT, press Ctrl-Alt-Del, click the Task
Manager button, and then choose the Processes tab. The dialog box shown by
Windows NT is slightly different from that shown here but has the same function.
.-----------------------------------------------------------.
| Close Program ? X|
|-----------------------------------------------------------|
| -----------------------------------------------------| |
| |Exploring-temp | |
| |Explorer | |
| |Zipped_file | |
| |Osa | |
| |Systray | |
| |Navapw32 | |
| |Winzip32 | |
| | | |
| | | |
| -----------------------------------------------------| |
| WARNING: Pressing CTRL-ALT-DEL again will restart your |
| computer. You will lose unsaved information in all |
| programs that are running. |
| |
| -------------- --------------- ------------ |
| | End Task | | Shut Down | | Cancel | |
| -------------- --------------- ------------ |
- -------------------------------------------------------------


Note the task named Zipped_file (Zipped_files.ex on Windows NT). This is the
running worm program. To stop it, select Zipped_file (or Zipped_files.ex) and
click End Task. If you have restarted your system since the infection, you will
see the process Explore (_setup.exe on Windows NT) instead of Zipped_file.
Again, to stop that process, select it and click End Task. Do not confuse the
task Explore with the task Explorer as they are different. The Explorer task is
the Windows explorer program.

Removing An Infection
=====================

The easiest way to eliminate the worm from your system is to use an updated
antivirus package. However, to do it by hand, perform these steps:

1. Press Ctrl-Alt-Del to open the task manager.

2. Select the Zipped_file or Explore (Zipped_files.ex or _setup.exe for Windows
NT) process (whichever is running) and click End Task

3. Delete all copies of zipped_file.exe from your system. These will be in the
download or attachments directory of your mail program.

4. Delete the file c:\windows\system\explore.exe or for Windows NT, delete
c:\winnt\system32\explore.exe and c:\winnt\_setup.exe.

5. Edit c:\windows\win.ini and remove the line
run=c:\windows\system\explore.exe

Or in Windows NT, run Regedit.exe and delete the value of the key:
HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\
CurrentVersion\Windows\run

Protection
==========

Most antivirus vendors already have detection and removal capabilities available
for this worm and we expect the others to have them soon. Of the vendors that
have a solution available, you may need to download it from their web pages and
not depend on the automatic update features of the product. We expect the
automatic update features to have this worm definition soon.

The following vendors have solutions now:

Symantec (NAV)
http://www.symantec.com/avcenter/venc/data/worm.explore.zip.html

Network Associates (McAfee)
http://vil.mcafee.com/vil/vpe10183.asp

DataFellows (F-PROT)
http://www.datafellows.com/v-descs/zipped.htm

Trend
http://www.antivirus.com/vinfo/alerts.htm

All users are cautioned to think before double clicking on a file included as an
attachment to any e-mail message, even if that message appears to come from a
friend. If that attachment is a Microsoft Office document and you have macro
detection turned on, then you can double click the attachment and the macro
detection capability will stop the document from loading if it contains a macro
program. It will then give you the choice to enable or disable the macros.
Remember, disable macros unless you are expecting to receive them.

If the attachment is an executable program, scan it with your antivirus utility
before running it. If it passes the antivirus scan, you might still want to
reconsider running it if it comes from someone you do not know or is an
unexpected delivery from someone you do know. Call the person up on the phone
(don't send them e-mail) and ask him if he sent you an executable before running
the file. If you send him an e-mail and he is infected with this worm, you will
likely receive a reply (from the worm) saying "take a look at the attached
zipped docs".

If the file is a self extracting archive, open it with the archive program (for
example, WinZip) instead of running the archive itself. You can still get the
files out of the archive but without running the executable part (the self
extractor) of the archive file.
______________________________________________________________________________
Thanks to Symantec and Network Associates for their early warning and analysis
of this worm.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), use one of the following methods to contact CIAC:

1. Call the CIAC voice number 925-422-8193 and leave a message, or

2. Call 888-449-8369 to send a Sky Page to the CIAC duty person or

3. Send e-mail to 4498369@skytel.com, or

4. Call 800-201-9288 for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

World Wide Web: http://www.ciac.org/
(or http://ciac.llnl.gov)
Anonymous FTP: ftp.ciac.org
(or ciac.llnl.gov)
Modem access: +1 (925) 423-4753 (28.8K baud)
+1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
(SPI) software updates, new features, distribution and
availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:

E-mail to ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov:
subscribe list-name
e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email. This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

J-036: LDAP Buffer overflow against Microsoft Directory Services
J-037: W97M.Melissa Word Macro Virus
J-038: HP-UX Vulnerabilities (hpterm, ftp)
J-039: HP-UX Vulnerabilities (MC/ServiceGuard & MC/LockManager, DES
J-040: HP-UX Security Vulnerability in sendmail
J-041: Cisco IOS(R) Software Input Access List Leakage with NAT
J-042: Web Security
J-043: (bulletin in process)
J-044: Tru64/Digital UNIX (dtlogin) Security Vulnerability
J-045: Vulnerability in statd exposes vulnerability in automountd
J-046: HP-UX VVOS NES Vulnerability


-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBN2G1vLnzJzdsy3QZAQFjjgQA7vSRm+LAIrtr1Q7PgLaePYfe3Ezjm0La
A3B7PbRZMBTXe7e36oz0bBWXrQyP6aDDZosdHRsF3vUb04azUXvgh1fLgTFKACZm
ePBuhrYLMehXmyqoOg657RspMGUBgPrxp9czgT5OGjnlkJtfcQmqkxG5vAfLJCO1
SRYPusNb4sw=
=E5Pv
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------

Date: Mon, 14 Jun 1999 07:21:34 -0400
From: CERT Advisory <cert-advisory@cert.org>
Reply-To: cert-advisory-request@cert.org
To: cert-advisory@coal.cert.org
Subject: CERT Advisory CA-99.06 - New information regarding ExploreZip

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-99-06-explorezip

Original issue date: Thursday June 10, 1999
Last Revised Date: June 14, 1999
Added information about the program's self-propagation via networked
shares; also updated anti-virus vendor URLs.

Source: CERT/CC

Note: The CERT Coordination Center has discovered new information
regarding the ExploreZip worm. This re-issue of CERT Advisory CA-99-06
contains new information regarding an additional means by which the
Worm can spread, and a caution about disinfecting your systems. We
will continue to update this advisory as new information is
discovered. We encourage you to check our web site frequently for any
new information.

Systems Affected

* Machines running Windows 95, Windows 98, or Windows NT.
* Machines with filesystems and/or shares that are writable by a
user of an infected system.
* Any mail handling system could experience performance problems or
a denial of service as a result of the propagation of this Trojan
horse program.

Overview

The CERT Coordination Center continues to receive reports and
inquiries regarding various forms of malicious executable files that
are propagated as file attachments in electronic mail.

During the second week of June 1999, the CERT/CC began receiving
reports of sites affected by ExploreZip, a Trojan horse/worm program
that affects Windows systems and has propagated in email attachments.
The number and variety of reports we have received indicate that this
has the potential to be a widespread attack affecting a variety of
sites.

I. Description

Our original analysis indicated that the ExploreZip program is a
Trojan horse, since it initially requires a victim to open or run an
email attachment in order for the program to install a copy of itself
and enable further propagation. Further analysis has shown that, once
installed, the program may also behave as a worm, and it may be able
to propagate itself, without any human interaction, to other networked
machines that have certain writable shares.

The ExploreZip Trojan horse has been propagated between users in the
form of email messages containing an attached file named
zipped_files.exe. Some email programs may display this attachment
with a "WinZip" icon. The body of the email message usually appears to
come from a known email correspondent, and typically contains the
following text:

I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.

The subject line of the message may not be predictable and may appear
to be sent in reply to previous email.

Opening the zipped_files.exe file causes the program to execute. It is
possible under some mailer configurations that a user might
automatically open a malicious file received in the form of an email
attachment. When the program is run, an error message is displayed:

Cannot open file: it does not appear to be a valid archive. If this
file is part of a ZIP format backup set, insert the last disk
of the backup set and try again. Please press F1 for help.

Destruction of files

* The program searches local and networked drives (drive letters C
through Z) for specific file types and attempts to erase the
contents of the files, leaving a zero byte file. The targets may
include Microsoft Office files, such as .doc, .xls, and .ppt, and
various source code files, such as .c, .cpp, .h, and .asm.
* The program may also be able to delete files that are writable to
it via SMB/CIFS file sharing. The program appears to look through
the network neighborhood and delete any files that are shared and
writable, even if those shares are not mapped to networked drives
on the infected computer.
* The program appears to continually delete the contents of targeted
files on any mapped networked drives.
The program does not appear to delete files with the "hidden" or
"system" attribute, regardless of their extension.

System modifications

* The zipped_files.exe program creates a copy of itself in a file
called explore.exe in the following location(s):

On Windows 98 - C:\WINDOWS\SYSTEM\Explore.exe
On Windows NT - C:\WINNT\System32\Explore.exe

This explore.exe file is an identical copy of the zipped_files.exe
Trojan horse, and the file size is 210432 bytes.
MD5 (Explore.exe) = 0e10993050e5ed199e90f7372259e44b
* On Windows 98 systems, the zipped_files.exe program creates an
entry in the WIN.INI file:

run=C:\WINDOWS\SYSTEM\Explore.exe

On Windows NT systems, an entry is made in the system registry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows
NT\CurrentVersion\Windows]
run = "C:\WINNT\System32\Explore.exe"

Propagation via file sharing

Once explore.exe is running, it takes the following steps to propagate
to other systems via file sharing:

* Each time the program is executed, the program will search the
network for all shares that contain a WIN.INI file with a valid
"[windows]" section in the file.
* For each such share that it finds, the program will attempt to
+ copy itself to a file named _setup.exe on that share
+ modify the WIN.INI file on that share by adding the entry
"run=_setup.exe"
The account running the program on the original infected machine
needs to have permission to write to the second victim's shared
directory. (That is, no vulnerabilities are being exploited in
order for the program to spread in this manner.)
The _setup.exe file is identical to the zipped_files.exe and
explore.exe files on the original infected machine.
* The original infected system will continue to scan shares that
have been mapped to a local drive letter containing a valid
WIN.INI file. For each such share that is found, the program will
"re-infect" the victim system as described above.

On Windows 98 systems that have a "run=_setup.exe" entry in the
WIN.INI file (as described previously), the C:\WINDOWS\_setup.exe
program is executed automatically whenever a user logs in. On Windows
NT systems, a "run=_setup.exe" entry in the WIN.INI file does not
appear to cause the program to be executed automatically.

When run as _setup.exe, the program will attempt to

* make another copy of itself in C:\WINDOWS\SYSTEM\Explore.exe
* modify the WIN.INI file again by replacing the "run=_setup.exe"
entry with "run=C:\WINDOWS\SYSTEM\Explore.exe"

Note that when the program is run as _setup.exe, it configures the
system to later run as explore.exe. But when run as explore.exe, it
attempts to infect shares with valid WIN.INI files by configuring
those files to run _setup.exe. Since this infection process includes
local shares, affected systems may exhibit a "ping pong" behavior in
which the infected host alternates between the two states.

Propagation via email

The program propagates by replying to any new email that is received
by the infected computer. The reply messages are similar to the
original email described above, each containing another copy of the
zipped_files.exe attachment.

We will continue to update this advisory with more specific
information as we are able to confirm details. Please check the
CERT/CC web site for the current version containing a complete
revision history.

II. Impact

* Users who execute the zipped_files.exe Trojan horse will infect
the host system, potentially causing targeted files to be
destroyed.
* Users who execute the Trojan horse may also infect other networked
systems that have writable shares.
* Because of the large amount of network traffic generated by
infected machines, network performance may suffer.
* Indirectly, this Trojan horse could cause a denial of service on
mail servers. Several large sites have reported performance
problems with their mail servers as a result of the propagation of
this Trojan horse.

III. Solution

Use virus scanners

While many anti-virus products are able to detect and remove the
executables locally, because of the continuous re-infection process,
simply removing all copies of the program from an infected system may
leave your system open to re-infection at a later time, perhaps
immediately. To prevent re-infection, you must not serve any shares
containing a WIN.INI file to any potentially infected machines. If you
share files with everyone in your domain, then you must disable shares
with WIN.INI files until every machine on your network has been
disinfected.

In order to detect and clean current viruses, you must keep your
scanning tools up to date with the latest definition files. Please see
the following anti-virus vendor resources for more information about
the characteristics and removal techniques for the malicious file
known as ExploreZip.

Aladdin Knowledge Systems, Inc.
http://www.esafe.com/vcenter/explore.html

Central Command
http://www.avp.com/zippedfiles/zippedfiles.html

Command Software Systems, Inc
http://www.commandcom.com/html/virus/explorezip.html

Computer Associates
http://www.cai.com/virusinfo/virusalert.htm

Data Fellows
http://www.datafellows.com/news/pr/eng/19990610.htm

McAfee, Inc. (a Network Associates company)
http://www.mcafee.com/viruses/explorezip/default.asp

Network Associates Incorporated
http://www.avertlabs.com/public/datafiles/valerts/vinfo/va10185
.asp

Sophos, Incorporated
http://www.sophos.com/downloads/ide/index.html#explorez

Symantec
http://www.symantec.com/avcenter/venc/data/worm.explore.zip.htm
l

Trend Micro Incorporated
http://www.antivirus.com/vinfo/alerts.htm

Additional sources of virus information are listed at

http://www.cert.org/other_sources/viruses.html

Additional suggestions

* Blocking Netbios traffic at your network border may help prevent
propagation via shares from outside your network perimeter.
* Disable file serving on workstations. You will not be able to
share your files with other computers, but you will be able to
browse and get files from servers. This will prevent your
workstation from being infected via file sharing propagation.
* Maintain a regular, off-line, backup cycle.

General protection from email Trojan horses and viruses

Some previous examples of malicious files known to have propagated
through electronic mail include
* False upgrade to Internet Explorer - discussed in CA-99-02
http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html
* Melissa macro virus - discussed in CA-99-04
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
* Happy99.exe Trojan Horse - discussed in IN-99-02
http://www.cert.org/incident_notes/IN-99-02.html
* CIH/Chernobyl virus - discussed in IN-99-03
http://www.cert.org/incident_notes/IN-99-03.html

In each of the above cases, the effects of the malicious file are
activated only when the file in question is executed. Social
engineering is typically employed to trick a recipient into executing
the malicious file. Some of the social engineering techniques we have
seen used include
* Making false claims that a file attachment contains a software
patch or update
* Implying or using entertaining content to entice a user into
executing a malicious file
* Using email delivery techniques which cause the message to appear
to have come from a familiar or trusted source
* Packaging malicious files in deceptively familiar ways (e.g., use
of familiar but deceptive program icons or file names)

The best advice with regard to malicious files is to avoid executing
them in the first place. CERT advisory CA-99-02 discusses Trojan
horses and offers suggestions to avoid them (please see Section V).

http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-99-06-explorezip.html.
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site http://www.cert.org/.

To be added to our mailing list for advisories and bulletins, send
email to cert-advisory-request@cert.org and include SUBSCRIBE
your-email-address in the subject of your message.

Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be
found in http://www.cert.org/legal_stuff.html.

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office
______________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
Revision History

June 10, 1999: Initial release
June 11, 1999: Added information about the appearance of the attached file
Added information from Aladdin Knowledge Systems, Inc.
June 14, 1999: Added information about the program's self-propagation via
networked shares; also updated anti-virus vendor URLs

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBN2TZfHVP+x0t4w7BAQF7HAP/c7MLHxFQ2M9XXK5qweZISimvGdsdr6cn
rd+S+QKsVPxKX64LikccAW8pu7d38nqNcMUhWDCge0k4eZmKWrN5uh4/znCV8ETE
2pttxe4t0Slo8B9r2Es5LafIWInfZGuDRHRYIuWyrPe9ReEtUrKx52/1DSu7ZTO9
esjkyG7T22o=
=+n1t
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close