I. Systems Affected

- Machines running Windows 95, Windows 98, or Windows NT.
- Any mail handling system could experience performance problems or a denial of service as a result of the propagation of this Trojan horse program.

II. Description

This Trojan horse program is mostly propagated through e-mail attachments and ICQ file transfers. The program is called ExploreZip. The number and variety of reports indicate that this has the potential to be a widespread attack affecting a variety of sites and machines. The Trojan horse requires the victim to run the attached zipped_files.exe program in order to install a copy of itself and enable propagation. Systems running Windows 95, Windows 98, and Windows NT are the target platforms. It is possible that under some mailer configurations a user might automatically open a malicious file received in the form of an e-mail attachment. This Trojan horse is not known to exploit any new vulnerabilities. While its primary transport mechanism is e-mail, any way of transferring files, such as downloads, can also propagate it.

Further analysis has shown that, once installed, the program may also behave as a worm: it may be able to propagate itself, without any human interaction, to other networked machines that have certain writable shares.

The ExploreZip Trojan horse has been propagated between users in the form of e-mail messages containing an attached file named zipped_files.exe. Some e-mail programs may display this attachment with a "WinZip" icon. The body of the e-mail message usually appears to come from a known e-mail correspondent, and typically contains the following text:

    I received your e-mail and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs.
The subject line of the message may not be predictable and may appear to be sent in reply to previous e-mail. Opening the zipped_files.exe file causes the Trojan to execute. It is possible under some mailer configurations that a user might automatically open a malicious file received in the form of an e-mail attachment. When the Trojan program is run, an error message is displayed:

    Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help.

The following is general information on the actions currently known to be taken by the Trojan program.

1. Destruction of files:

- The Trojan program searches local and networked drives (drive letters C through Z) for specific file types and attempts to ERASE the contents of the files, leaving a zero byte file. The targets may include Microsoft Office files, such as .doc, .xls, and .ppt, and various source code files, such as .c, .cpp, .h, and .asm.
- The trojan may also be able to delete files that are writable to it via SMB/CIFS file sharing. The trojan program appears to look through the network neighborhood and delete any files that are shared and writable, even if those shares are not mapped to networked drives on the infected computer.
- The program appears to continually delete the contents of targeted files on any mapped networked drives. The trojan does not appear to delete files with the "hidden" or "system" attribute, regardless of their extension.
2. System modifications:

- The zipped_files.exe program creates a copy of itself in a file called explore.exe in the following location(s):

    On Windows 98 - C:\WINDOWS\SYSTEM\Explore.exe
    On Windows NT - C:\WINNT\System32\Explore.exe

  This explore.exe file is an identical copy of the zipped_files.exe Trojan horse, and the file size is 210432 bytes.

    MD5 (Explore.exe) = 0e10993050e5ed199e90f7372259e44b

- On Windows 98 systems, the zipped_files.exe program creates an entry in the WIN.INI file:

    run=C:\WINDOWS\SYSTEM\Explore.exe

  On Windows NT systems, an entry is made in the system registry:

    [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    run = "C:\WINNT\System32\Explore.exe"

3. Propagation via file sharing:

Once explore.exe is running, it takes the following steps to propagate to other systems via file sharing:

- Each time the program is executed, the Trojan horse will search the network for all shares that contain a WIN.INI file with a valid "[windows]" section in the file.
- For each such share that it finds, the Trojan will attempt to
  + copy itself to a file named _setup.exe on that share
  + modify the WIN.INI file on that share by adding the entry "run=_setup.exe".

  The account running the program on the original infected machine needs to have permission to write to the second victim's shared directory. (That is, no vulnerabilities are being exploited in order for the program to spread in this manner.) The _setup.exe file is identical to the zipped_files.exe and explore.exe files on the original infected machine.
- The original infected system will continue to scan shares that have been mapped to a local drive letter containing a valid WIN.INI file. For each such share that is found, the trojan will "re-infect" the victim system as described above.
On Windows 98 systems that have a "run=_setup.exe" entry in the WIN.INI file (as described previously), the C:\WINDOWS\_setup.exe program is executed automatically whenever a user logs in. On Windows NT systems, a "run=_setup.exe" entry in the WIN.INI file does not appear to cause the program to be executed automatically. When run as _setup.exe, the Trojan program will attempt to
- make another copy of itself in C:\WINDOWS\SYSTEM\Explore.exe
- modify the WIN.INI file again by replacing the "run=_setup.exe" entry with "run=C:\WINDOWS\SYSTEM\Explore.exe"

Note that when the Trojan program is run as _setup.exe, it configures the system to later run as explore.exe. But when run as explore.exe, it attempts to infect shares with valid WIN.INI files by configuring those files to run _setup.exe. Since this infection process includes local shares, affected systems may exhibit a "ping pong" behavior in which the infected host alternates between the two states.

4. Propagation via e-mail:

The Trojan program propagates by replying to any new e-mail that is received by the infected computer. The reply messages are similar to the original e-mail described above, each containing another copy of the zipped_files.exe attachment.

III. Impact

- Users who execute the zipped_files.exe Trojan horse will infect the host system, potentially causing targeted files to be destroyed.
- Users who execute the Trojan horse may also infect other networked systems that have writable shares.
- Because of the large amount of network traffic generated by infected machines, network performance may suffer.
- Indirectly, this Trojan horse could cause a denial of service on mail servers. Several large sites have reported performance problems with their mail servers as a result of the propagation of this Trojan horse.
IV. Solution

Use virus scanners. While many anti-virus products are able to detect and remove the executables locally, because of the continuous re-infection process, simply removing all copies of the Trojan program from an infected system may leave your system open to re-infection at a later time, perhaps immediately. To prevent re-infection, you must not serve any shares containing a WIN.INI file to any potentially infected machines. If you share files with everyone in your domain, then you must disable shares with WIN.INI files until every machine on your network has been disinfected.

In order to detect and clean current viruses and Trojan horses, you must keep your scanning tools up to date with the latest definition files. Please see the following anti-virus vendor resources and download links for more information about the characteristics and removal techniques for the malicious file known as ExploreZip.

Aladdin Knowledge Systems, Inc.
http://www.esafe.com/vcenter/explore.html

Central Command
http://www.avp.com/upgrade/upgrade.html

Command Software Systems, Inc.
http://www.commandcom.com/html/virus/explorezip.html

Computer Associates
http://support.cai.com/Download/virussig.html

Data Fellows
http://www.datafellows.com/news/pr/eng/19990610.htm

McAfee, Inc. (a Network Associates company)
http://www.mcafee.com/viruses/explorezip/protecting_yourself.asp

Network Associates Incorporated
http://www.avertlabs.com/public/datafiles/valerts/vinfo/va10185.asp

Sophos, Incorporated
http://www.sophos.com/downloads/ide/index.html#explorez

Symantec
http://www.sarc.com/avcenter/download.html

Trend Micro Incorporated
http://www.antivirus.com/download/pattern.htm

Additional suggestions

- Blocking NetBIOS traffic at your network border may help prevent propagation via shares from outside your network perimeter.
- Disable file serving on workstations. You will not be able to share your files with other computers, but you will be able to browse and get files from servers. This will prevent your workstation from being infected via file sharing propagation.
- Maintain a regular, off-line, backup cycle.
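As an added illustration that is not part of the original advisory, the following Python checks the two host-level indicators the Solution depends on: a "run=" entry in the [windows] section of a WIN.INI file that names _setup.exe or C:\WINDOWS\SYSTEM\Explore.exe, and a file whose size and MD5 match the published values for Explore.exe. The sample WIN.INI text is constructed for the example; the size, hash and run= values come from the Description above.

```python
import hashlib
import re

# Indicators quoted from the advisory (section II, "System modifications").
EXPLOREZIP_MD5 = "0e10993050e5ed199e90f7372259e44b"
EXPLOREZIP_SIZE = 210432
# Values the Trojan writes into the "run=" line of the [windows] section
# (compared case-insensitively below).
SUSPICIOUS_RUN_VALUES = ("_setup.exe", r"c:\windows\system\explore.exe")


def parse_win_ini(text):
    """Parse INI text into {section: {key: value}}; names are lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def suspicious_run_entries(win_ini_text):
    """Return the run= programs in [windows] that match the Trojan's entries.
    A run= line may list several programs separated by spaces or commas;
    paths containing spaces are not handled (assumption for this example)."""
    windows = parse_win_ini(win_ini_text).get("windows", {})
    programs = re.split(r"[,\s]+", windows.get("run", ""))
    return [p for p in programs if p.lower() in SUSPICIOUS_RUN_VALUES]


def matches_explorezip(data):
    """True if file bytes match the advisory's size and MD5 for Explore.exe."""
    return (len(data) == EXPLOREZIP_SIZE
            and hashlib.md5(data).hexdigest() == EXPLOREZIP_MD5)


# Constructed sample: a shared WIN.INI after the share-infection step.
SAMPLE_WIN_INI = """[windows]
load=
run=_setup.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    print("suspicious run= entries:", suspicious_run_entries(SAMPLE_WIN_INI))
```

A clean WIN.INI (empty or absent run= line) yields an empty list, so the check can be run over every WIN.INI reachable through a share before that share is re-enabled.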
V. General protection from e-mail Trojan horses and viruses

Some previous examples of malicious files known to have propagated through electronic mail include:

- False upgrade to Internet Explorer
- Melissa macro virus
- Happy99.exe Trojan Horse
- CIH/Chernobyl virus
In each of the above cases, the effects of the malicious file are activated only when the file in question is executed. Social engineering is typically employed to trick a recipient into executing the malicious file. Some of the social engineering techniques used include:

- Making false claims that a file attachment contains a software patch or update
- Implying or using entertaining content to entice a user into executing a malicious file
- Using e-mail delivery techniques which cause the message to appear to have come from a familiar or trusted source
- Packaging malicious files in deceptively familiar ways (e.g., use of familiar but deceptive program icons or file names)
The best advice with regard to malicious files (Trojan horses etc.) is to avoid executing them in the first place.

Revision history
June 08, 1999: Initial release.
June 10, 1999: Second update.
June 13, 1999: Third update, rescue info added.