A. A new virus was discovered on 10/06/1999 with the following text as the
body:
"I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs."
The subject line is not constant as the message is a reply. The worm (named
"zipped_files.exe") is attached, with a file size of 210,432 bytes.
The file has a Winzip icon, which is designed to fool unsuspecting users into
running it as a self-extracting file. Users who run this attachment will be
presented with a fake error message that says:
"Cannot open file: it does not appear to be a valid archive. If this file
is part of a ZIP format backup set, insert the last disk of the backup set and
try again. Please press F1 for help."
The virus then searches for the following files and replaces them with 0 block
files:
.c
.cpp
.h
.asm
.doc
.xls
.ppt
Check your anti-virus software vendor's site for a fix; http://www.nai.com has one. To manually repair:
- Remove the line run=C:\WINDOWS\SYSTEM\Explore.exe from the WIN.INI file.
- Edit the registry (using regedit.exe or regedt32.exe) and check that the value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\run does not call explore.exe. If it does, clear the value.
- Delete the file "C:\WINDOWS\SYSTEM\EXPLORE.EXE". You may need to reboot first
  if the file is currently in use (or stop the process using Task Manager).
I've had first-hand experience and it is VERY nasty. There are two variants, named TROJ_EXPLORE.ZIP and I-Worm.ZippedFiles.
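The WIN.INI step of the manual repair can be scripted so that only the worm's entry is removed and other programs on the same run= line stay in place. This is an added example, not part of the original answer; the function name `clean_win_ini` and the sample file contents are constructed for illustration, and it assumes run= entries are separated by spaces or commas and contain no spaces themselves. It does not cover the registry value or the file deletion.

```python
import ntpath
import re

TARGET = "explore.exe"  # file name given in the repair steps above


def clean_win_ini(text):
    """Return (cleaned_text, removed_entries) for the contents of a WIN.INI file."""
    out, removed, section = [], [], ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        key, sep, value = stripped.partition("=")
        # run= is only honoured in the [windows] section
        if section == "windows" and sep and key.strip().lower() == "run":
            # Assumption: entries are separated by spaces or commas
            entries = [e for e in re.split(r"[ ,]+", value.strip()) if e]
            # Exact base-name match, so the legitimate Explorer.exe is kept
            hits = [e for e in entries if ntpath.basename(e).lower() == TARGET]
            if hits:
                removed.extend(hits)
                keep = [e for e in entries if e not in hits]
                line = key.strip() + "=" + " ".join(keep)
        out.append(line)
    return "\r\n".join(out) + "\r\n", removed


# Constructed sample: an infected WIN.INI that also starts a legitimate program
SAMPLE = (
    "[windows]\r\n"
    "load=\r\n"
    "run=C:\\WINDOWS\\Explorer.exe C:\\WINDOWS\\SYSTEM\\Explore.exe\r\n"
    "NullPort=None\r\n"
)

if __name__ == "__main__":
    cleaned, removed = clean_win_ini(SAMPLE)
    print("removed:", removed)
    print(cleaned)
```

Run it against a copy of WIN.INI and review the removed entries before writing the cleaned text back.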