SUBJECT: NATIONAL INFRASTRUCTURE PROTECTION CENTER INFORMATION SYSTEM ALERT (NIPC ALERT 99-028); W32/EXPLOREZIP.WORM.PAK

1. VARIOUS SOURCES, INCLUDING SEVERAL COMMERCIAL ANTI-VIRUS SOFTWARE PROVIDERS, ARE REPORTING AN OUTBREAK OF A NEW, HIGH-RISK VARIANT OF THE W32/EXPLOREZIP.WORM (SEE NIPC ADVISORY 99-013 DATED 6/10/99). THE NEW VARIANT IS CALLED W32/EXPLOREZIP.WORM.PAK, OR WORM.EXPLOREZIP(PACK). IT CONTAINS THE SAME DESTRUCTIVE PAYLOAD FOUND IN THE ORIGINAL EXPLOREZIP.WORM, BUT IS PACKED WITH A COMMERCIAL EXECUTABLE COMPRESSOR CALLED "NEOLITE", SO SIGNATURES WRITTEN FOR THE ORIGINAL MAY NOT MATCH IT AND SOME ANTI-VIRUS SOFTWARE MAY NOT RECOGNIZE IT.

2. SEVERAL FORTUNE 500 COMPANIES IN THE UNITED STATES ARE REPORTEDLY INFECTED WITH THIS NEW STRAIN OF THE EXPLOREZIP WORM; THE POTENTIAL FOR FURTHER INFECTION IS SIGNIFICANT.

3. W32/EXPLOREZIP.WORM.PAK CHARACTERISTICS:

A. THE BEHAVIOR OF W32/EXPLOREZIP.WORM.PAK IS IDENTICAL TO THE ORIGINAL EXPLOREZIP.WORM. HOWEVER, BECAUSE OF THE DIFFERENT EXECUTABLE COMPRESSION, THE FILE IS ABOUT 40% SMALLER THAN THE ORIGINAL; THE PACKED EXECUTABLE UNPACKS ITSELF IN MEMORY AND NEEDS NO MANUAL DECOMPRESSION TO RUN.

B. W32/EXPLOREZIP.WORM.PAK PROPAGATES IN THE SAME MANNER AS THE ORIGINAL EXPLOREZIP.WORM. THE E-MAIL CONTAINING THE WORM WILL HAVE THE CONTENT, "I RECEIVED YOUR EMAIL AND I SHALL SEND YOU A REPLY ASAP. TILL THEN, TAKE A LOOK AT THE ATTACHED ZIPPED DOCS." A FILE NAMED "ZIPPED_FILES.EXE" WILL BE ATTACHED TO THE E-MAIL. THE WORM USES MAPI-CAPABLE E-MAIL PROGRAMS ON MICROSOFT WINDOWS SYSTEMS TO PROPAGATE, SENDING ITSELF AS A REPLY TO UNREAD MAIL IN THE INFECTED USER'S MAILBOX.

C. WHEN THE ATTACHMENT IS EXECUTED, IT DISPLAYS A FAKE ERROR MESSAGE (TO LOOK LIKE A CORRUPT ZIP ARCHIVE), COPIES ITSELF TO THE C:\WINDOWS\SYSTEM DIRECTORY WITH THE FILENAME EXPLORE.EXE, AND ADDS A "RUN=" ENTRY TO THE WIN.INI FILE SO THAT IT EXECUTES EACH TIME WINDOWS IS STARTED. THE WORM THEN PROPAGATES ITSELF TO E-MAIL ADDRESSES IN THE USER'S E-MAIL PROGRAM. THE WORM ALSO SEARCHES FOR REMOTE MACHINES ON WHICH THE INFECTED USER HAS WRITE PERMISSION (E.G. OPEN NETWORK SHARES) AND INSTALLS ITSELF ON THOSE MACHINES, SO AN INFECTION IS NOT CONFINED TO THE HOST THAT OPENED THE ATTACHMENT.

D. THE PAYLOAD OF W32/EXPLOREZIP.WORM.PAK IS DESTRUCTIVE.
THE WORM SEARCHES ALL INSTALLED DRIVES FROM C: THROUGH Z:, INCLUDING MAPPED NETWORK DRIVES, AND TRUNCATES TO ZERO LENGTH ALL FILES WITH THE EXTENSIONS *.C, *.H, *.CPP, *.ASM, *.DOC, *.PPT, OR *.XLS. BECAUSE THE FILES ARE OVERWRITTEN IN PLACE RATHER THAN DELETED, THEY ARE UNUSABLE AND IN MOST CASES CANNOT BE RECOVERED WITH UNDELETE TOOLS; RESTORATION FROM BACKUP IS THE ONLY RELIABLE REMEDY. THE PAYLOAD RE-EXECUTES EVERY 30 MINUTES WHILE THE WORM IS RUNNING, SO FILES CREATED OR RESTORED AFTER THE FIRST PASS WILL BE DESTROYED AGAIN UNTIL THE WORM IS REMOVED.

4. DETECTION

A. THE INITIAL SYMPTOMS OF INFECTION ARE LIKELY TO BE EITHER A LOSS OF FILES AS DESCRIBED ABOVE (ZERO-LENGTH FILES WITH THE TARGET EXTENSIONS, ON LOCAL AND NETWORK DRIVES), OR A LARGE NUMBER OF E-MAILS BEING SENT FROM A USER'S COMPUTER.

B. INFECTION OF WIN95/98 SYSTEMS CAN BE CONFIRMED BY THE PRESENCE OF THE FILE C:\WINDOWS\SYSTEM\EXPLORE.EXE AND AN ENTRY OF "RUN=_SETUP.EXE" OR "RUN=C:\WINDOWS\SYSTEM\EXPLORE.EXE" IN THE [WINDOWS] SECTION OF THE WIN.INI FILE.

C. INFECTION OF A WIN NT SYSTEM CAN BE CONFIRMED BY THE PRESENCE OF THE FILE _SETUP.EXE IN THE WINNT DIRECTORY AND THE ENTRY "RUN=_SETUP.EXE" IN THE WIN.INI FILE OF THE WINNT DIRECTORY.

5. REMOVAL (WIN 95/98). NOTE: AN AUTOMATED REMOVAL TOOL IS AVAILABLE AT THE WEB SITE OF NETWORK ASSOCIATES, INC. ([1]WWW.NAI.COM). BEFORE STARTING, DISCONNECT THE MACHINE FROM THE NETWORK SO THAT THE PAYLOAD CANNOT CONTINUE TO DAMAGE FILES ON NETWORK DRIVES.

A. REMOVE THE LINE "RUN=C:\WINDOWS\SYSTEM\EXPLORE.EXE" OR "RUN=C:\WINDOWS\SYSTEM\_SETUP.EXE" (OR ANY OTHER RUN= ENTRY REFERENCING EXPLORE.EXE OR _SETUP.EXE) FROM THE WIN.INI FILE.

B. REBOOT THE COMPUTER IN MS-DOS MODE. THIS ACTION PURGES THE WORM FROM MEMORY.

C. ONCE IN DOS MODE, TYPE THE COMMAND "EXIT" TO RETURN TO WINDOWS. WITH THE RUN= ENTRY REMOVED, THE WORM WILL NOT BE RESTARTED.

D. REMOVE ALL OCCURRENCES OF EXPLORE.EXE FROM THE SYSTEM.

E. REPEAT STEP D FOR FILES NAMED _SETUP.EXE AND ZIPPED_FILES.EXE.

6. REMOVAL (WIN NT). NOTE: AN AUTOMATED REMOVAL TOOL IS AVAILABLE AT THE WEB SITE OF NETWORK ASSOCIATES, INC. ([2]WWW.NAI.COM).

A. RUN THE WINNT REGISTRY EDITOR.

B. LOCATE THE KEY [HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS]. (ON NT, THE RUN= AND LOAD= LINES OF WIN.INI ARE MIRRORED INTO THIS KEY, WHICH IS WHY BOTH LOCATIONS MUST BE CLEANED.)

C. DELETE THE VALUE "RUN" IF IT CONTAINS C:\WINNT\SYSTEM32\EXPLORE.EXE OR C:\WINNT\_SETUP.EXE.

D. EDIT WIN.INI AND REMOVE EITHER OF THESE LINES:
RUN=C:\WINNT\SYSTEM32\EXPLORE.EXE
RUN=C:\WINNT\_SETUP.EXE

E. RESTART WINDOWS NT.

F. PROCEED WITH STEPS D AND E OF PARAGRAPH 5 ABOVE.

7. ADDITIONAL INFORMATION ABOUT THIS WORM IS AVAILABLE AT THE WEB SITES OF SYMANTEC ([3]WWW.SYMANTEC.COM/AVCENTER), NETWORK ASSOCIATES ([4]WWW.NAI.COM), AND TREND MICRO ([5]WWW.ANTIVIRUS.COM).

8. ACTION REQUESTED: SYSTEM ADMINISTRATORS ARE ADVISED TO UPDATE INSTALLED ANTI-VIRUS SOFTWARE IMMEDIATELY (OLDER SIGNATURES MAY NOT DETECT THE NEOLITE-PACKED VARIANT), TO BLOCK OR QUARANTINE INBOUND E-MAIL ATTACHMENTS NAMED ZIPPED_FILES.EXE AT THE MAIL GATEWAY, AND TO TAKE OTHER APPROPRIATE MEASURES TO PREVENT INFECTION BY AND SPREAD OF W32/EXPLOREZIP.WORM.PAK. NIPC RECOMMENDS WIDEST POSSIBLE DISSEMINATION OF THIS ADVISORY THROUGHOUT GOVERNMENT, MILITARY, AND PRIVATE ORGANIZATIONS. PLEASE REPORT ANY INFORMATION ON AND DAMAGE FROM INFECTIONS BY THIS WORM TO YOUR LOCAL FBI OFFICE, THE NIPC, OR CIVILIAN INCIDENT RESPONSE GROUP, AS APPROPRIATE. THE NIPC WATCH AND WARNING UNIT CAN BE REACHED 24 HOURS A DAY AT (202) 323-3204/3205/3206 OR (202) 323-2204/2206 (STU-III) OR BY E-MAIL AT NIPC.WATCH@FBI.GOV

REFERENCES
1. http://www.nai.com/
2. http://www.nai.com/
3. http://www.symantec.com/avcenter
4. http://www.nai.com/
5. http://www.antivirus.com/
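THE FOLLOWING TRIAGE SCRIPT IS AN ADDED EXAMPLE, NOT PART OF THE NIPC ALERT AND NOT A TOOL FROM ANY OF THE VENDORS NAMED ABOVE. IT CHECKS, OFFLINE, FOR THE THREE INDICATOR CLASSES THE ALERT DESCRIBES IN PARAGRAPHS 3D AND 4: A RUN= ENTRY IN THE [WINDOWS] SECTION OF WIN.INI THAT POINTS AT EXPLORE.EXE OR _SETUP.EXE, THE DROPPED FILES THEMSELVES, AND ZERO-LENGTH FILES WITH THE PAYLOAD'S TARGET EXTENSIONS. IT ASSUMES THE SUSPECT DRIVE IS MOUNTED (AS AN IMAGE OR A SHARE) AT A PATH OF THE ANALYST'S CHOOSING, WITH WIN.INI UNDER WINDOWS\ OR WINNT\ AS THE ALERT STATES; THE SAMPLE TREE BUILT BY demo() IS CONSTRUCTED FOR ILLUSTRATION. NOTE THAT IT ONLY CONFIRMS THE NAMED INDICATORS; AN UPDATED ANTI-VIRUS SCAN IS STILL REQUIRED, SINCE THE PACKED BINARY MAY CARRY A DIFFERENT NAME ON A VARIANT.

```python
"""Offline triage for the W32/ExploreZip.worm.pak indicators in NIPC Alert 99-028.

Added example, not part of the alert. Point triage() at the root of a mounted
drive image or share of the suspect machine (assumed layout: WIN.INI under
WINDOWS\\ or WINNT\\, as the alert states).
"""
import re
import shutil
import tempfile
from pathlib import Path

# File names the alert says the worm drops (paragraphs 3C, 4B, 4C).
DROPPED_FILES = {"explore.exe", "_setup.exe", "zipped_files.exe"}
# Extensions the payload truncates to zero bytes (paragraph 3D).
TARGET_EXTENSIONS = {".c", ".h", ".cpp", ".asm", ".doc", ".ppt", ".xls"}
# Directories holding WIN.INI on Win95/98 and Windows NT respectively.
WIN_DIRS = ("WINDOWS", "WINNT")


def _basename(path):
    """Last path component, accepting both DOS and POSIX separators."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]


def suspicious_run_entries(win_ini_text):
    """Programs listed on run= in the [windows] section that match a dropped file.

    run= (and load=) in [windows] name programs Windows starts at logon; the
    worm persists by adding itself there. Other sections are ignored.
    """
    hits = []
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section != "windows" or not sep or key.strip().lower() != "run":
            continue
        # run= may list several programs separated by spaces or commas.
        for item in re.split(r"[ ,]+", value.strip()):
            if item and _basename(item).lower() in DROPPED_FILES:
                hits.append(item)
    return hits


def dropped_files(root):
    """Paths under root whose file name matches one the worm drops."""
    return sorted(str(p) for p in Path(root).rglob("*")
                  if p.is_file() and p.name.lower() in DROPPED_FILES)


def truncated_files(root):
    """Zero-length files with a target extension: the payload's damage signature."""
    return sorted(str(p) for p in Path(root).rglob("*")
                  if p.is_file() and p.suffix.lower() in TARGET_EXTENSIONS
                  and p.stat().st_size == 0)


def triage(root):
    """Collect all three indicator classes for a mounted drive rooted at root."""
    run_hits = []
    for win_dir in WIN_DIRS:
        ini = Path(root) / win_dir / "WIN.INI"
        if ini.is_file():
            run_hits += suspicious_run_entries(ini.read_text(errors="replace"))
    return {
        "run_entries": run_hits,
        "dropped_files": dropped_files(root),
        "truncated_files": truncated_files(root),
    }


def demo():
    """Build a constructed Win95/98-style tree showing an infection and triage it."""
    base = tempfile.mkdtemp(prefix="explorezip-")
    try:
        sysdir = Path(base, "WINDOWS", "SYSTEM")
        sysdir.mkdir(parents=True)
        (sysdir / "EXPLORE.EXE").write_bytes(b"MZ")          # constructed dropper stand-in
        Path(base, "WINDOWS", "WIN.INI").write_text(         # constructed WIN.INI
            "[windows]\r\nload=\r\nrun=C:\\WINDOWS\\SYSTEM\\EXPLORE.EXE\r\n"
            "[Desktop]\r\nWallpaper=(None)\r\n")
        src = Path(base, "PROJECTS")
        src.mkdir()
        (src / "main.cpp").write_bytes(b"")                   # zeroed by the payload
        (src / "notes.doc").write_bytes(b"intact")            # untouched
        (src / "readme.txt").write_bytes(b"")                 # empty, but not a target type
        return triage(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

RUN IT AGAINST A REAL MOUNT BY CALLING triage("/mnt/suspect") (OR A DRIVE LETTER ON WINDOWS) INSTEAD OF demo(). ON AN NT HOST THE REGISTRY MIRROR DESCRIBED IN PARAGRAPH 6B IS NOT COVERED BY THIS SCRIPT AND MUST STILL BE INSPECTED WITH THE REGISTRY EDITOR.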