Summary

| Detected by | All Sophos products |
|---|---|

Action
Windows NT/2000/XP
First, you must shut down the EXPLORE.EXE process:
- Press the Ctrl, Alt and Del keys at the same time.
- Click Task Manager, then select the Processes tab.
- Select an instance of EXPLORE.EXE and click End Process.
- Repeat this for all instances of EXPLORE.EXE.
Then run a scan to remove the worm file.
You will also need to remove the following registry entry for each user who ran the worm. Removing this entry is optional on Windows 95/98/Me, where the worm relies on the WIN.INI change instead.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export Range' panel, click 'All', then save your registry as Backup.
Each user has a registry area named HKEY_USERS\[code number identifying the user]\. For each user locate the key:
HKU\[code number]\Software\Microsoft\Windows NT\CurrentVersion\Windows
and look at its 'run' value. It will refer to "\WINNT\SYSTEM32\EXPLORE.EXE". Delete this value if it exists; leave the key itself in place, as the system uses it.
Windows 95/98/Me
At the taskbar, right-click Start and select Explore. Find Win.ini in the Windows folder and open it in Notepad. In the [windows] section, find the line "run = c:\windows\system\explore.exe" and delete it. If other programs are listed on the same run= line, remove only the explore.exe entry and leave the rest.
Then run a scan to remove the worm file.
Reboot your computer.
Other operating systems
For all other operating systems please use the instructions for removing worms.
Check your network
W32/ExploreZip will install a file called _SETUP.EXE and make a change to WIN.INI on any Windows 95/98/Me computer it has access to on the network. _SETUP.EXE will be run next time that Windows 95/98/Me computer is started.
This may also be done to installations of Windows NT/2000/XP, but the file will not be run when the computer is restarted, because those systems take their 'run' entry from the registry value described above rather than from WIN.INI. _SETUP.EXE would need to be run manually on the remote computer to apply its registry changes and become active.
If remote Windows installations are affected in this way you should delete the _SETUP.EXE and change WIN.INI and the registry as described above.
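The network check described above, as an added example in Python (not part of the Sophos advisory): it parses a remote installation's WIN.INI for a run= entry that points at EXPLORE.EXE or _SETUP.EXE, strips only those programs from the line, and looks for the dropped files. The file names and the run= line come from the advisory; the directory layout built by build_demo_share() is constructed for the demo, and the placement of _SETUP.EXE in the Windows folder and the space- or comma-separated run= syntax are assumptions.

```python
"""Hunt for W32/ExploreZip persistence on Windows installations reachable over
the network: the WIN.INI run= entry and the dropped _SETUP.EXE / EXPLORE.EXE.
Added example, not Sophos code. File names and the run= line come from the
advisory; the share layout built by build_demo_share() is constructed for the
demo, and the assumption that _SETUP.EXE sits in the Windows folder is mine."""
import os
import re
import tempfile

# Executable names the advisory attributes to the worm (matched case-insensitively).
WORM_PROGRAMS = {"explore.exe", "_setup.exe"}


def _is_worm_program(prog):
    return os.path.basename(prog.replace("\\", "/")).lower() in WORM_PROGRAMS


def clean_win_ini(win_ini_text):
    """Return (cleaned_text, removed_programs).

    Only the worm's programs are dropped from the [windows] run= line; any
    other program listed there is kept. Assumption: run= lists programs
    separated by spaces or commas (8.3 names, no spaces in paths).
    """
    out, removed, section = [], [], None
    for line in win_ini_text.splitlines():
        stripped = line.strip()
        m = re.match(r"\[(.+)\]$", stripped)
        if m:
            section = m.group(1).lower()
            out.append(line)
            continue
        key, sep, value = stripped.partition("=")
        if section == "windows" and sep and key.strip().lower() == "run":
            keep = []
            for prog in re.split(r"[,\s]+", value.strip()):
                if prog:
                    (removed if _is_worm_program(prog) else keep).append(prog)
            if keep:
                out.append("run=" + " ".join(keep))
            continue  # a run= line left empty is dropped entirely
        out.append(line)
    cleaned = "\n".join(out) + ("\n" if win_ini_text.endswith("\n") else "")
    return cleaned, removed


def _find_entry(dirpath, name):
    """Case-insensitive lookup, since the share may be mounted on a case-sensitive host."""
    if not os.path.isdir(dirpath):
        return None
    for entry in os.listdir(dirpath):
        if entry.lower() == name.lower():
            return os.path.join(dirpath, entry)
    return None


def check_windows_install(windows_dir):
    """Inspect one Windows folder (e.g. \\\\host\\c$\\WINDOWS) and report the
    advisory's indicators. Read-only; clean-up is a separate, deliberate step."""
    findings = {"run_entries": [], "dropped_files": []}
    ini = _find_entry(windows_dir, "WIN.INI")
    if ini:
        with open(ini, encoding="latin-1") as f:
            findings["run_entries"] = clean_win_ini(f.read())[1]
    # _SETUP.EXE in the Windows folder (assumed); EXPLORE.EXE in the system
    # directory (SYSTEM on 95/98/Me, SYSTEM32 on NT/2000/XP per the advisory).
    for sub in ("", "SYSTEM", "SYSTEM32"):
        d = os.path.join(windows_dir, sub) if sub else windows_dir
        for name in WORM_PROGRAMS:
            hit = _find_entry(d, name)
            if hit:
                rel = os.path.relpath(hit, windows_dir).replace(os.sep, "/")
                findings["dropped_files"].append(rel)
    findings["dropped_files"].sort()
    return findings


def build_demo_share():
    """Construct a fake remote installation hit by the worm (demo fixture)."""
    root = tempfile.mkdtemp(prefix="explorezip_demo_")
    win = os.path.join(root, "WINDOWS")
    os.makedirs(os.path.join(win, "SYSTEM"))
    with open(os.path.join(win, "WIN.INI"), "w") as f:
        f.write("[windows]\nload=\nrun = c:\\windows\\system\\explore.exe\n"
                "[Desktop]\nWallpaper=(None)\n")
    for rel in ("_SETUP.EXE", os.path.join("SYSTEM", "EXPLORE.EXE")):
        open(os.path.join(win, rel), "wb").close()
    return win


if __name__ == "__main__":
    win = build_demo_share()
    print(check_windows_install(win))
    with open(os.path.join(win, "WIN.INI"), encoding="latin-1") as f:
        cleaned, removed = clean_win_ini(f.read())
    print("removed from run=:", removed)
    print(cleaned)
```

Point check_windows_install at a mounted share such as \\host\c$\WINDOWS. It only reports; clean_win_ini returns the cleaned text rather than writing it, so the change can be reviewed before WIN.INI is replaced. On Windows NT/2000/XP, also check the per-user registry 'run' value described under Action, which this script does not touch.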
More Information
W32/ExploreZip is an email worm which uses Microsoft Outlook to distribute multiple copies of itself. Other MAPI-compliant mail clients may also propagate the worm. A machine not running Outlook can still be infected with W32/ExploreZip if the attachment is run; it simply will not mail the worm onward.
If you run the worm when Outlook is active, it mails a copy of itself in reply to all unread mail in your inbox in a message containing the text:
Hi <Name Of Recipient> I have received your email and I shall send you a reply ASAP. Till then take a look at the attached zipped docs. bye.
A file called ZIPPED_FILES.EXE is attached, and contains the worm.
If the recipient double-clicks on the attachment, the worm is triggered on their computer. As a disguise, it displays the message: "Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help."
The worm then copies itself into the system directory under the name EXPLORE.EXE, and modifies the WIN.INI file (on Windows NT/2000/XP, the equivalent per-user registry 'run' value) so that the worm runs every time Windows is started.
As an additional warhead, W32/ExploreZip truncates to zero length every file with the extension ASM, CPP, DOC, XLS, C, H or PPT on any accessible drive, including network drives. Removing the worm does not bring these files back; their contents are gone and must be restored from backup.
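To see what the warhead destroyed, the following added example (not from the advisory) walks a drive or share and lists zero-length files with the targeted extensions, together with per-extension empty/total counts so the scale of the loss is visible before restoring from backup. The extension list is the advisory's; build_demo_tree() constructs a small fixture for the demo.

```python
"""Impact triage for the W32/ExploreZip payload: list files with the targeted
extensions that are now zero bytes, so they can be restored from backup.
Added example, not Sophos code. The extension list is the advisory's; the
directory tree built by build_demo_tree() is constructed for the demo."""
import os
import tempfile
from collections import Counter

# Extensions the advisory says the worm truncates (matched case-insensitively).
TARGET_EXTENSIONS = {".asm", ".cpp", ".doc", ".xls", ".c", ".h", ".ppt"}


def truncated_files(root):
    """Walk `root` and return (hits, totals).

    hits: sorted list of paths (relative to root, '/'-separated) of zero-length
          files with a targeted extension.
    totals: Counter of all targeted files per extension, empty or not, so the
            share of damage is visible.
    A legitimately empty file also appears in hits: the list is a starting
    point for the restore, not proof of tampering.
    """
    hits = []
    totals = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in TARGET_EXTENSIONS:
                continue
            totals[ext] += 1
            full = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(full)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the sweep
            if size == 0:
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits), totals


def damage_summary(root):
    """Per-extension (empty, total) counts, e.g. {'.doc': (2, 3)}."""
    hits, totals = truncated_files(root)
    empty = Counter(os.path.splitext(h)[1].lower() for h in hits)
    return {ext: (empty[ext], totals[ext]) for ext in sorted(totals)}


def build_demo_tree():
    """Construct a small directory tree imitating a hit share (demo fixture)."""
    root = tempfile.mkdtemp(prefix="explorezip_triage_")
    os.makedirs(os.path.join(root, "projects", "src"))
    sample = {
        "projects/report.doc": b"",                  # truncated by the worm
        "projects/budget.XLS": b"",                  # truncated, uppercase extension
        "projects/notes.txt": b"",                   # empty but not a targeted type
        "projects/src/main.cpp": b"",                # truncated
        "projects/src/util.h": b"#pragma once\n",    # intact
        "projects/slides.ppt": b"\xd0\xcf\x11\xe0",  # intact (OLE compound-file magic)
    }
    for rel, data in sample.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    hits, _ = truncated_files(demo)
    for path in hits:
        print("zero-length:", path)
    print(damage_summary(demo))
```

Run it against each drive or share the infected user could reach, since the advisory says the payload follows the worm's access rather than stopping at the local disk.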
W32/ExploreZip searches all accessible network drives for other installations of Windows 95/98. The worm will install a file called _SETUP.EXE and make a change to WIN.INI so that it is run the next time the remote copy of Windows 95/98 is started.
If installations of Windows NT are found during the search of network drives, W32/ExploreZip will install the _SETUP.EXE file and make the change to WIN.INI, but the file will not be run when the Windows NT machine is restarted. _SETUP.EXE would need to be run manually on the remote machine to apply its registry changes and become active.
If remote Windows installations are affected in this way you should delete _SETUP.EXE and correct WIN.INI and the registry as described under Action.

