Good afternoon,
Hopefully this explanation is helpful enough and helps us all understand.
My apologies if anyone is bothered that the article is too long
and feels off-topic.
Salam,
Markus D.
Worm.ExploreZip as reported by Symantec (Norton AntiVirus)
Created By: Mohamed Ibrahim on 06/11/99 at 11:28 AM
Category: Virus Information
Worm.ExploreZip
|-----------------+-------------------------------------|
|Virus Name: |Worm.ExploreZip |
|-----------------+-------------------------------------|
|Aliases: |W32.ExploreZip Worm |
|-----------------+-------------------------------------|
|Infection Length:|210,432 bytes |
|-----------------+-------------------------------------|
|Area of |Windows System directory, Email |
|Infection: |Attachments |
|-----------------+-------------------------------------|
|Likelihood: |Common |
|-----------------+-------------------------------------|
|Detected as of: |June 6, 1999 |
|-----------------+-------------------------------------|
|Characteristics: |Worm, Trojan Horse |
|-----------------+-------------------------------------|
Overview:
Worm.ExploreZip contains a very malicious payload. Worm.ExploreZip utilizes
Microsoft Outlook, Outlook Express, and Microsoft Exchange to mail itself
out by replying to unread messages in your Inbox. The payload of the worm
will destroy any file with the extension .h, .c, .cpp, .asm, .doc, .ppt, or
.xls on your hard drive(s), as well as any mapped drives, each time it is
executed. The worm will also search the mapped drives for Windows
installations and copy itself to the Windows directory, and then modify the
WIN.INI file. This will infect systems without e-mail clients. This
continues to occur until the worm is removed.
You may receive this worm as a file attachment named "zipped_files.exe".
When run, this executable will copy itself to your Windows System directory
with the filename "Explore.exe", or your Windows directory with the
filename "_setup.exe". The worm modifies your WIN.INI or registry such that
the "Explore.exe" file is executed each time you start Windows.
Worm.ExploreZip was first discovered in Israel and submitted to the
Symantec AntiVirus Research Center on June 6, 1999.
Technical Description:
Worm.ExploreZip utilizes MAPI commands and Microsoft Outlook/Outlook
Express/Microsoft Exchange on Windows 9x and NT systems to propagate
itself.
The worm e-mails itself out as an attachment with the filename
"zipped_files.exe" in reply to unread messages it finds in your Inbox. Thus,
the e-mail message may appear to come from a known e-mail correspondent in
response to a previously sent e-mail. The e-mail contains the following
text:
-----------------------------------|
|Hi Receipient Name! |
| |
|I received your email and I shall |
|send you a reply ASAP. |
| |
|Till then, take a look at the |
|attached zipped docs. |
| |
|bye or sincerely Receipient Name|
| |
-----------------------------------|
Once the attachment is executed, it may display the following window:
(Embedded image moved to file: pic30873.pcx)
The worm also copies itself to the Windows System (System32 on Windows NT)
directory with the filename "Explore.exe" or "_setup.exe", and modifies the
WIN.INI file (Windows 9x) or the registry (on Windows NT). This results in
the program being executed each time Windows is started. You may find this
file under your Windows Temporary directory or your attachments directory,
depending on the e-mail client you are using. E-mail clients will often
temporarily store e-mail attachments in these directories under different
temporary names.
The worm will continue to search through your Inbox as long as it is still
running in memory. Thus, any new messages that are received will be replied
to in the above manner.
Payload:
In addition, when Worm.ExploreZip is executed, it searches drives C through
Z of your computer system and selects a series of files to destroy based on
file extensions (including .h, .c, .cpp, .asm, .doc, .xls, .ppt) by calling
CreateFile(), and making them 0 bytes long. You may notice extended hard
drive activity when this occurs. This can result in non-recoverable data.
This payload routine continues to happen while the worm is active on the
system. Thus, any newly created files matching the extensions list will be
destroyed as well.
Symantec provides data recovery services which can be found at
http://www.symantec.com/techsupp/recovery.
However, due to the nature of the payload data recovery may take several
days and may not be possible in all cases.
Repair Notes:
1. To remove this worm, you should perform the following steps:
Remove the line
run=C:\WINDOWS\SYSTEM\Explore.exe
or
run=C:\WINDOWS\SYSTEM\_setup.exe
from the WIN.INI file for Windows 9x systems.
For Windows NT, remove the registry entry
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
which will refer to "Explore.exe" or "_setup.exe".
2. Delete the file "Explore.exe" or "_setup.exe". You may need to reboot
first or kill the process using Task Manager or Process View (if the
file is currently in use).
Norton AntiVirus users can protect themselves from this worm by downloading
the current virus definitions either through LiveUpdate or from the
following webpage:
http://www.symantec.com/avcenter/download.html
Write-up by: Eric Chien
Written: June 6, 1999
Update: June 10, 1999
W32/ExploreZip.worm as reported by NAI (McAfee Antivirus)
Created By: Mohamed Ibrahim on 06/11/99 at 06:43 PM
Category: Virus Information
W32/ExploreZip.worm
Characteristics:
This is a 32-bit worm that travels by sending e-mail messages to users. It
drops the file explore.exe and modifies either the WIN.INI (Win9x) or the
registry (WinNT).
Information:
This worm attempts to invoke MAPI-aware e-mail applications such as MS
Outlook, MS Outlook Express and MS Exchange, and has been confirmed with
Netscape mail.
This worm replies to messages received with an email message with the
following body:
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
The subject line is not constant as the message is a reply. The worm (named
"zipped_files.exe") is attached, with a file size of 210,432 bytes. The
file has a WinZip icon which is designed to fool unsuspecting users into
running it as a self-extracting file. Users who run this attachment will be
presented with a fake error message that says
"Cannot open file: it does not appear to be a valid archive. If this file
is part of a ZIP format backup set, insert the last disk of the backup set
and try again. Please press F1 for help."
The Worm has a payload; immediately after execution it will search all
mapped drives for the following file types, and when it finds them, it will
erase their contents and the file will be zero bytes:
.c, .cpp, .h, .asm, .doc, .xls, or .ppt
Discovery/Added Date: June 9, 1999
DAT Included: 4030
Type: Worm
Risk Assessment: High
Removal of this worm
Win9x-
Restart to MS-DOS mode, edit the WIN.INI and remove the listing
run=c:\windows\system\explore.exe
Then delete the file "c:\windows\system\explore.exe" and restart Windows.
WinNT-
This worm runs as a process in WinNT Task Manager as "explore". You may
experience high CPU utilization prior to ending this process. Run REGEDIT
(not REGEDT32) and locate the hive
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
and remove the following key
"run"="C:\\WINNT\\System32\\Explore.exe"
Restart Windows NT, then remove the file "c:\winnt\system32\Explore.exe"
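A defender's check for the two indicators both write-ups describe, added here as an example and not part of either vendor's write-up or the original post: it parses a WIN.INI for a run= line naming Explore.exe or _setup.exe, and lists zero-byte files carrying the targeted extensions. The sample WIN.INI and file tree are constructed; the Windows NT registry value is not covered.

```python
import ntpath
import os
import tempfile

# Indicators taken from the write-ups above: the dropped filenames named in
# the WIN.INI "run=" line, and the extensions the payload truncates to 0 bytes.
WORM_FILENAMES = ("explore.exe", "_setup.exe")
TARGET_EXTS = (".h", ".c", ".cpp", ".asm", ".doc", ".xls", ".ppt")


def find_worm_run_lines(win_ini_text):
    """Return (line_number, line) for each run= entry in the [windows] section
    that names a worm file. INI keys and Win9x paths are case-insensitive."""
    hits, section = [], None
    for lineno, raw in enumerate(win_ini_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if section == "windows" and sep and key.strip().lower() == "run":
            # run= may list several programs separated by spaces or commas
            progs = value.replace(",", " ").split()
            if any(ntpath.basename(p).lower() in WORM_FILENAMES for p in progs):
                hits.append((lineno, raw))
    return hits


def find_zeroed_documents(root):
    """Zero-byte files with a targeted extension: the damage signature under Payload."""
    zeroed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(TARGET_EXTS) and os.path.getsize(path) == 0:
                zeroed.append(path)
    return sorted(zeroed)


# Constructed samples (not from a real infection): a WIN.INI carrying the worm's
# run= line, and a temp tree with one truncated .doc among files to be ignored.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\Explore.exe\n[Desktop]\nrun=harmless.exe\n"


def build_sample_tree():
    root = tempfile.mkdtemp(prefix="explorezip_demo_")
    open(os.path.join(root, "report.doc"), "wb").close()   # zeroed document
    open(os.path.join(root, "notes.txt"), "wb").close()    # empty but not targeted
    with open(os.path.join(root, "budget.xls"), "wb") as f:
        f.write(b"intact")
    return root
```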
Visit:
http://www.balita-anda.indoglobal.com
--------------------------------------------------------------------------
"For those who want their toddlers to grow up healthy & smart"
To subscribe, e-mail: [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
http://pencarian-informasi.or.id/ - Information Search Solutions on the Internet