For the past 2 days, an ugly virus named ExploreZip has been destroying the contents of hard drives all over the world. The virus comes to you as a response to email you send to an infected system. It's an auto-response to your message, and it uses the same text in the subject line that you used when you sent your own message. This, of course, makes the message look safe. The message body looks like this:
Hi !
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
bye.
The attached file is named "zipped_files.exe". It has the icon you see for files that have been compressed with WinZip. Do NOT click on it. Clicking on the file's icon produces a vaguely worded error message, but the virus program launches and performs the following damage:
- Sets the length of application data files to zero. The targeted data files are those with the extension .doc, .xls, and .ppt (Microsoft Word, Excel, and PowerPoint).
- Sets the length of programming data files to zero. The targeted file extensions are .asm, .c, .cpp, and .h.
If you're running Microsoft Outlook, the program sends the virus to anyone who sends you email. The outgoing virus-infected message has the same subject line as the mail you receive. Your recipients are certainly going to think that the message from you is legitimate.
REMEDY:
Update your virus software immediately. All vendors now have data files for this virus. Then scan your system.
The virus adds a file named Explore.exe to your \windows\system folder. It then modifies the win.ini file in Windows 9X, and modifies the Registry in Windows NT. This means that even if you scan for the virus and get rid of it, it launches again on bootup.
Here's what to do after you've used your anti-virus software:
For Windows 9X:
Boot to MS-DOS
Delete \Windows\System\Explore.exe
Edit Win.ini to remove the line "Run=c:\Windows\System\Explore.exe
For Windows NT
Delete \Windows\System\Explore.exe
Run REGEDIT (do not use REGEDT32) and go to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows and remove the key named "Run=C:\Windows\System\Explore.exe.
If you run Exchange Server, use your virus detection software for Exchange Server to clean up the server (if you don't have one, McAfee has a VirusScan program that runs at the command line, and other vendors probably offer Exchange Server virus protection too).
Although the antivirus program removes the infection from current email attachments, previously infected email messages will be sent to recipients. However, the virus attachment has a size of zero bytes and is disabled. You might want to send email to recipients (or call them) to apprise them of that fact. Be sure to stress the fact that they should delete the attachment anyway.
