ExploreZip and Variants---A zipped Virus By Ankit Fadia[email protected]
I have explained many email borne Viruses, Email Borne Word Viruses and Email Borne Exe's too. Lets look at the working of the deadliest Zipped File Virus.
ExploreZip: The Working
ExploreZip is the latest malevolent virus to hit the net which is a mixture of CIH
(i.e the Chernobyl) and the Melissa (remember?).It possess the replicating Power or capabilities of Melissa and the deadliness or the destruction power of the CIH.
ExploreZip uses the exploits in the MAPI( Messaging API) based email such as Microsoft Exchange, MicroSoft Outlook to mail itself out as replies to unread messages.
So what would an email infected by ExploreZip look like?
Now you would normally get this virus from a known person as a reply to an email that you sent this known person earlier.
Now this virus will be sent to you with the file "zipped_files.exe" attached.The subject of this email is decided appropriately.The body of the email message is an exellant example of social engineering and is designed to cajole or fool users to open it.
Hi "Recipient Name"!
I received your email and I shall send you a
reply ASAP. Till then, take a look at the
attached zipped docs.
Now Instead of the above last two lines, this virus may also read:
When you have opened the attched zipped file, then you might get a Winzip error, something like the below:
It looks for any mapped drives or any machines on the network and looks if Windows is installed. If it finds Windows running, then it copies itself to the Windows Directory of this remote machine and modify Win.ini appropriately.
Once the attachment is opened, the Virus copies itself to the c:\windows\system directory (system32 directory in NT)as the file Explore.exe or _setup.exe. It also modifies the Win.ini file or the registry such that this file is executed or this virus launched, every time Windows boots.Once this has been done,then each time it is executed,it proceeds to select random files on all drives with various extensions and starts destroying them by reducing their size to zero bytes. The extensions include: .h, .c, .cpp, .asm, .doc, .ppt, or .xls etc. When this process is occuring, then you may find an increase in Hard Disk activity.When you are viewing the mail containing the Virus, then maybe your client will also create a temporary file of this Virus in the Default Windows Temporary directory or the temporary directory used by the email client.This virus also deletes or infects new files created with the list of extensions. The virus will look for unread messages and spread itself by replying to them each time it is executed.
Now the simplest way to remove this Virus is to download it's Cleaner from either Mcafee or Symantec's site. To find out the exact URL just goto their respective sites and search for it.
But I am going to make things interesting by telling you a method of manually removing this Virus.This is where the things really become interesting.
Now first of all you should kill the process or close the Virus by pressing CTRL+ ALT +DEL and then selecting Explore.exe or _setup.exe from the popup window and then click on OK.
Now in the above step you just closed the Virus in that session of Windows i.e. the Virus is no longer active in the current Windows seesion but will be launched or will become active only when Windows is launched once again.Now to prevent this Virus from being launched everytime Windows boots you need to edit the file win.ini.
Now first of all open win.ini in Notepad or Wordpad.(Now in Word97) and then look for the line.
run=<Windows System Path>\Explore.exe
run=<Windows System Path>\_setup.exe
and delete it.Now this will work in Win 9x systems but in NT you will have to delete the following entry from the registry:
Which refers to either explore.exe or _setup.exe i.e. it will refer to the explorezip virus.
You PC is now disinfected but does have the exe file which when run will infect your system again on it's hard disk.So either you can play with the Virus exe's or simply delete them.So to delete them you can goto the c:\windows\system directory(system32 in NT) and delete the file explore.exe or _setup.exe.
This is a ExploreZip variant and is only 120 KB in Size. Like it's predecessor it too is quite deadly and deletes files from your system. The file attached has the same name and the body in this case says:
I received your email and I shall send you a reply ASAP.Till then take a look at the attached zipped docs."
Once the MiniZip is launched that is the zipped files opened, it look for all mapped drives to the computer and spreads to them.It also looks for unread emal on the victim's computer and replies to all of them with the message described above. It too is copied to the c:\windows\system directory with the filename explore.exe and it modifies the Win.ini file such that this file or virus is run or launched each time Windows boots.
You can delete it too by following the same manual method described above.
Well, that's it for now, see you later and till then Happy Virus Hunting!!!!
Ankit Fadia[email protected]
To receive more tutorials on Hacking, Perl, C++ and Viruses/Trojans join my mailing list:
Send an email to[email protected] to join it.
Visit my Site to view all tutorials written by me at:http://www.crosswinds.net/~hackingtruths