Microsoft Knowledge Base Email Alertz
All KB/RSS Links  |  Hot Kb!  |  New Kb!  |  Scott Cate  |  FAQ / KB  |  Web Hosting  |  Unsubscribe  

(234937) - Worm.Explore.Zip is a worm or Trojan horse that uses Messaging Application Program Interface (MAPI) capable e-mail programs on Windows-based computers to propagate itself.

Search KbAlertz

Advanced Search

Receive Microsoft Knowledge Base articles by E-Mail?

Every night we scan the Microsoft Knowledge Base. If technologies you're interested in are updated, we'll send you an e-mail. You only get one e-mail a day, and only when new articles are added.
Click here to create a
FREE account
Already have an account?
[Click here to Login]











Microsoft Knowledge Base Article

This article contents is Microsoft Copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks
Article ID: 234937 - Last Review: May 5, 2011 - Revision: 6.4

Worm.Explore.Zip Virus Alert

Retired KB ArticleRetired KB Content Disclaimer
View products that this article applies to.
System TipThis article applies to a different version of Windows than the one you are using. Content in this article may not be relevant to you. Visit the Windows Vista Solution Center
This article was previously published under Q234937
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986  (http://kbalertz.com/Feedback.aspx?kbNumber=256986/EN-US/ ) Description of the Microsoft Windows Registry

On This Page

SUMMARY

Worm.Explore.Zip is a worm or Trojan horse that uses Messaging Application Program Interface (MAPI) capable e-mail programs on Windows-based computers to propagate itself.
Back to the top

MORE INFORMATION

The worm uses MAPI commands to propagate itself. An e-mail message is created with the worm as an attachment using the Zipped_files.exe filename. The body of the e-mail message may appear to come from a known e-mail correspondent and may contain the following text:
Hi Recipient Name !
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
Sincerely
Name.
The worm determines who to send mail to and what names to use based on the contents of the user's Inbox. You should delete any mail containing an attachment with the name "Zipped_files.exe" without opening the attachment.

If you run the attachment, you may receive the following error message:
Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help.
Explore.Zip copies itself to the C:\%SystemRoot%\System folder with the filename Explore.exe and then modifies the Win.ini file to run itself each time Windows is started. The worm then uses your e-mail client to collect e-mail addresses to propagate itself.

Additionally, Explore.Zip also searches all local and network mapped drives of your computer and arbitrarily selects a series of files to destroy by setting the file size to 0 bytes. This can result in data loss.

Normal methods of virus protection should be employed to protect your environment from this virus. Virus scanning programs should be updated with the latest signature files and any other appropriate steps to prevent the virus from entering your environment should be employed. Specific questions regarding your virus software's ability to detect and clean this virus should be directed to your Anti-Virus software vendor. To remove the worm virus on the client side, perform the following steps:
Back to the top

For Windows 95 or Windows 98

  1. Using a standard text editor such as Notepad, edit the Win.ini file, and delete the following lines:
    Run = c:\windows\system\explore.exe
    Run = c:\windows\system\_setup.exe
  2. Save the file, exit the text editor, and then restart the computer.
  3. Delete the files:
    C:\Windows\System\Explore.exe
    C:\Windows\System\_setup.exe
    NOTE: It is possible that _setup.exe may not be found on all infected systems.
  4. Check Task Manager for Zipped-file.exe, and use End Task on it to end it if listed.
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
Back to the top

For Windows NT

  1. The virus may be getting loaded from the following location:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
    Use Regedt32.exe to delete data values under this key called Explore.exe or _setup.exe.
  2. Run Windows NT Task Manager and select the Processes tab. End processes called Zipped_f.exe, _setup.exe, or Zipped_files.exe.
  3. In the C:\Winnt\System32 directory, delete the Explore.exe and/or _setup.exe files.
  4. Reboot the system.
  5. As an added precaution, use End Task, and delete all Zipped*.exe and _setup.exe files from all hard disks on the computer. Note that in the Windows NT Task Manager, they may show up as processes and not applications.
Back to the top

Outlook Attachment Security Patch

For additional information about Outlook and security for e-mail attachments, please see the following article in the Microsoft Knowledge Base:
235309  (http://kbalertz.com/Feedback.aspx?kbNumber=235309/EN-US/ ) Outlook E-mail Attachment Security Update
The following sites contain additional information on the ExploreZip worm:
Symantec: http://www.symantec.com/ (http://www.symantec.com/)

Network Associates, Inc.: http://www.nai.com/ (http://www.nai.com/)

Trend Micro: http://us.trendmicro.com/us/home/ (http://us.trendmicro.com/us/home/)
Back to the top
APPLIES TO
  • Microsoft Outlook 2000 Standard Edition, when used with:
    • Microsoft Windows 98 Standard Edition
  • Microsoft Windows NT Workstation 4.0 Developer Edition
  • Microsoft Windows NT Server 4.0 Standard Edition
  • Microsoft Windows NT Server 4.0 Enterprise Edition
  • Microsoft BackOffice Server 4.0
  • Microsoft BackOffice Small Business Server 4.5
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 95
  • Microsoft Exchange Server 5.5 Standard Edition
Back to the top
Keywords: 
kbenv kbinfo kbnetwork KB234937
Back to the top
Retired KB ArticleRetired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
Back to the top
        

Community Feedback System

Very often, it takes hours to solve a problem. Very often, you've looked high and low, and have tried a lot of solutions. When you finally found it, chances are, it was because someone else helped you. Here's your chance to give back. Use our community feedback tool to let others know what worked for you and what didn't.

Please also understand that the community feedback system is not warranted to be correct, it's simply a system that we've built to let people try and help each other. If something in a feedback response doesn't make sense to you, or you're not comfortable making changes that the feedback talks about (like registry edits), please consult a professional.

Thank you for using kbAlertz.com Feedback System.

-- Scott Cate

Copyright © 2002-2007 KBALERTZ.COM.  All Rights Reserved. Terms / PrivacyDiscount ASP.NET Hosting