CERT® Advisory CA-1999-06 ExploreZip Trojan Horse ProgramOriginal issue date: Thursday June 10, 1999
Last revised: June 14, 1999
Added information about the program's self-propagation via networked shares; also updated anti-virus vendor URLs.
A complete revision history is at the end of this file.
The CERT Coordination Center continues to receive reports and inquiries regarding various forms of malicious executable files that are propagated as file attachments in electronic mail.
During the second week of June 1999, the CERT/CC began receiving reports of sites affected by ExploreZip, a Trojan horse/worm program that affects Windows systems and has propagated in email attachments. The number and variety of reports we have received indicate that this has the potential to be a widespread attack affecting a variety of sites.
Our original analysis indicated that the ExploreZip program is a Trojan horse, since it initially requires a victim to open or run an email attachment in order for the program to install a copy of itself and enable further propagation. Further analysis has shown that, once installed, the program may also behave as a worm, and it may be able to propagate itself, without any human interaction, to other networked machines that have certain writable shares.
The ExploreZip Trojan horse has been propagated between users in the form of email messages containing an attached file named zipped_files.exe. Some email programs may display this attachment with a "WinZip" icon. The body of the email message usually appears to come from a known email correspondent, and typically contains the following text:
Opening the zipped_files.exe file causes the program to execute. It is possible under some mailer configurations that a user might automatically open a malicious file received in the form of an email attachment. When the program is run, an error message is displayed:
Destruction of files
Propagation via file sharingOnce explore.exe is running, it takes the following steps to propagate to other systems via file sharing:
When run as _setup.exe, the program will attempt to
Note that when the program is run as _setup.exe, it configures the system to later run as explore.exe. But when run as explore.exe, it attempts to infect shares with valid WIN.INI files by configuring those files to run _setup.exe. Since this infection process includes local shares, affected systems may exhibit a "ping pong" behavior in which the infected host alternates between the two states.
Propagation via email
The program propagates by replying to any new email that is received by the infected computer. The reply messages are similar to the original email described above, each containing another copy of the zipped_files.exe attachment.
We will continue to update this advisory with more specific information as we are able to confirm details. Please check the CERT/CC web site for the current version containing a complete revision history.
Use virus scannersWhile many anti-virus products are able to detect and remove the executables locally, because of the continuous re-infection process, simply removing all copies of the program from an infected system may leave your system open to re-infection at a later time, perhaps immediately. To prevent re-infection, you must not serve any shares containing a WIN.INI file to any potentially infected machines. If you share files with everyone in your domain, then you must disable shares with WIN.INI files until every machine on your network has been disinfected.
In order to detect and clean current viruses, you must keep your scanning tools up to date with the latest definition files. Please see the following anti-virus vendor resources for more information about the characteristics and removal techniques for the malicious file known as ExploreZip.
Additional sources of virus information are listed at
General protection from email Trojan horses and virusesSome previous examples of malicious files known to have propagated through electronic mail include
This document is available from: http://www.cert.org/advisories/CA-1999-06.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 1999 Carnegie Mellon University.
June 10, 1999: Initial release June 11, 1999: Added information about the appearance of the attached file Added information from Aladdin Knowledge Systems, Inc. June 14, 1999: Added information about the program's self-propagation via networked shares; also updated anti-virus vendor URLs