| Property | Value |
|---|---|
| Place of Origin | Israel |
| Infection Length | 210,432 bytes |
| Reported Costs | $1.02 billion |
ExploreZip, also known as Zipped Files, is a mass-mailer worm that appeared in the late spring of 1999, only months after CIH and Melissa. It carries a malicious payload that destroys certain files. The worm reportedly hit fewer computers than Melissa while causing more damage.
ExploreZip arrives in an email with the following text:
Hi <Recipient Name>! I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. bye, (or) sincerely, <sender name>
The attachment is named Zipped_files.exe. When executed, ExploreZip displays a message saying that the zip archive is invalid; the message is always in English, but the OK button is in the language the infected computer is set to. The worm copies itself to the Windows System folder under the name Explore.exe or _setup.exe. It may also be found in a temporary folder or in the email attachments folder, depending on the mail client the computer uses. It modifies the Win.ini file on Windows 95/98 and adds its file name to a Current User registry key on Windows NT, 2000 and XP, so that the worm runs when the computer starts up (not …\CurrentVersion\Run, like most worms, but rather …\CurrentVersion\Windows).
ExploreZip searches drives C to Z of the infected computer, and any drives accessible over the network, for files with the extensions .h, .c, .cpp and .asm (source code) and .doc, .ppt and .xls (Microsoft Office documents, presentations and spreadsheets). The worm then calls CreateFile() on each of them, which truncates the file to 0 bytes. The files are unrecoverable. New files created after the infection will be deleted until the worm is removed. The user may notice increased hard drive activity.
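A defender-side triage script for the two behaviours described above (the Win.ini autostart entry and the zero-byte truncation of targeted file types), added here as an example and not taken from the original article or any vendor write-up. It assumes the autostart entry sits on the run= line of the [windows] section of win.ini (the article does not name the line) and runs against a constructed win.ini sample and a constructed victim directory tree.

```python
import os
import tempfile

WORM_NAMES = {"explore.exe", "_setup.exe"}   # names the worm copies itself under
TARGET_EXTS = {".h", ".c", ".cpp", ".asm", ".doc", ".ppt", ".xls"}

# Constructed sample win.ini. Assumption (the article does not say which line):
# the worm's autostart entry sits on the run= line of the [windows] section.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\Explore.exe
[Desktop]
Wallpaper=(None)
"""

def suspicious_winini_entries(win_ini_text):
    """Return (key, program) pairs from load=/run= in [windows] naming a worm file."""
    hits, section = [], None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() in ("load", "run"):
                for prog in value.replace(",", " ").split():
                    if os.path.basename(prog.replace("\\", "/")).lower() in WORM_NAMES:
                        hits.append((key.lower(), prog))
    return hits

def truncated_files(root):
    """Zero-byte files under root with a targeted extension: the worm's damage signature."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in TARGET_EXTS and os.path.getsize(path) == 0:
                found.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(found)

def build_sample_tree():
    """Constructed victim tree: two truncated targets, one intact target, one non-target."""
    root = tempfile.mkdtemp(prefix="explorezip_demo_")
    os.makedirs(os.path.join(root, "src"))
    for rel, content in [("src/main.c", b""), ("report.DOC", b""),
                         ("src/util.h", b"int x;\n"), ("notes.txt", b"")]:
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root
```

A cluster of zero-byte source and Office files across many directories, together with a win.ini or registry autostart pointing at Explore.exe or _setup.exe, is the combination to look for; a single empty file on its own is not evidence.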
The worm replies to every unread message in the inbox and marks it as read so that it will not send itself to that address from the present computer again. It continues to reply to every new email the computer receives until it is removed. It also copies itself to the Windows or WINNT folders of other computers on the infected computer's network.
The worm caused more damage than CIH and Melissa despite infecting fewer computers. This is probably because Melissa lacked a truly malicious payload, while CIH was a virus with no ability to spread over email or networks. ExploreZip also spread somewhat more slowly than Melissa.
General Electric and several other companies shut down their email systems for fear of being infected by the worm. The BBC was hit by a variant of the worm almost four years after the original was released, which led the organization to restrict the size of emails that could be sent through its network. In addition to Israel, the US and the UK, the worm was also seen in Germany, Norway and the Czech Republic.
ExploreZip was the first worm to be compressed with a packer such as UPX. Even compressed, it is a very large worm, weighing in at around 210,432 bytes; other worms created shortly afterward, such as Navidad, were much smaller. The worm changes its body with each new replication, yet remains detectable.