Original issue date: Thursday June 10, 1999
Last revised: June 14, 1999
Added information about the program's self-propagation via networked shares; also updated anti-virus vendor URLs.
A complete revision history is at the end of this file.
- Machines running Windows 95, Windows 98, or Windows NT.
- Machines with filesystems and/or shares that are writable by a user of an infected system.
- Any mail handling system could experience performance problems or a denial of service as a result of the propagation of this Trojan horse program.
The CERT Coordination Center continues to receive reports and inquiries regarding various forms of malicious executable files that are propagated as file attachments in electronic mail.
During the second week of June 1999, the CERT/CC began receiving reports of sites affected by ExploreZip, a Trojan horse/worm program that affects Windows systems and has propagated in email attachments. The number and variety of reports we have received indicate that this has the potential to be a widespread attack affecting a variety of sites.
Our original analysis indicated that the ExploreZip program is a Trojan horse, since it initially requires a victim to open or run an email attachment in order for the program to install a copy of itself and enable further propagation. Further analysis has shown that, once installed, the program may also behave as a worm, and it may be able to propagate itself, without any human interaction, to other networked machines that have certain writable shares.
The ExploreZip Trojan horse has been propagated between users in the form of email messages containing an attached file named zipped_files.exe. Some email programs may display this attachment with a "WinZip" icon. The body of the email message usually appears to come from a known email correspondent, and typically contains the following text:
- I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
The subject line of the message may not be predictable and may appear to be sent in reply to previous email.
Opening the zipped_files.exe file causes the program to execute. It is possible under some mailer configurations that a user might automatically open a malicious file received in the form of an email attachment. When the program is run, an error message is displayed:
- Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help.
Destruction of files
The zipped_files.exe program creates a copy of itself in a file called explore.exe in the following location(s):
- On Windows 98 - C:\WINDOWS\SYSTEM\Explore.exe
- On Windows NT - C:\WINNT\System32\Explore.exe
This explore.exe file is an identical copy of the zipped_files.exe Trojan horse, and the file size is 210432 bytes.
MD5 (Explore.exe) = 0e10993050e5ed199e90f7372259e44b
On Windows 98 systems, the zipped_files.exe program creates an entry in the WIN.INI file:
On Windows NT systems, an entry is made in the system registry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
run = "C:\WINNT\System32\Explore.exe"
Propagation via file sharing
Once explore.exe is running, it takes the following steps to propagate to other systems via file sharing:
On Windows 98 systems that have a "run=_setup.exe" entry in the WIN.INI file (as described previously), the C:\WINDOWS\_setup.exe program is executed automatically whenever a user logs in. On Windows NT systems, a "run=_setup.exe" entry in the WIN.INI file does not appear to cause the program to be executed automatically.
When run as _setup.exe, the program will attempt to
- make another copy of itself in C:\WINDOWS\SYSTEM\Explore.exe
- modify the WIN.INI file again by replacing the "run=_setup.exe" entry with "run=C:\WINDOWS\SYSTEM\Explore.exe"
Note that when the program is run as _setup.exe, it configures the system to later run as explore.exe. But when run as explore.exe, it attempts to infect shares with valid WIN.INI files by configuring those files to run _setup.exe. Since this infection process includes local shares, affected systems may exhibit a "ping pong" behavior in which the infected host alternates between the two states.
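The two persistence states described above (a WIN.INI "run=_setup.exe" entry, or a "run=" entry pointing at Explore.exe in WIN.INI or the registry) and the size and MD5 given for Explore.exe are the host indicators an administrator can check for. The following script is an added example written for this advisory, not a CERT/CC or vendor tool: it parses WIN.INI text and a registry export in the format shown above for suspicious run= entries, and compares a file against the advisory's size and MD5. The sample WIN.INI and registry text are constructed; the indicator values come from the advisory.

```python
import hashlib
import re
from pathlib import Path, PureWindowsPath

# Indicators taken from the advisory text.
EXPLORE_EXE_SIZE = 210432
EXPLORE_EXE_MD5 = "0e10993050e5ed199e90f7372259e44b"
EXPLORE_EXE_PATHS = [
    r"C:\WINDOWS\SYSTEM\Explore.exe",   # Windows 98
    r"C:\WINNT\System32\Explore.exe",   # Windows NT
]
# The two states the advisory describes: staged (_setup.exe) and installed (Explore.exe).
SUSPICIOUS_RUN_TARGETS = ("_setup.exe", "explore.exe")

# Matches "run=..." / "run = ..." lines; "runonce=" and "load=" do not match.
RUN_LINE = re.compile(r"^\s*run\s*=\s*(.*?)\s*$", re.IGNORECASE)


def _is_run_section(name):
    """WIN.INI uses [windows]; the registry key in the advisory ends in \\CurrentVersion\\Windows."""
    name = name.lower()
    return name == "windows" or name.endswith("\\currentversion\\windows")


def suspicious_run_entries(text):
    """Return run= program entries that point at _setup.exe or Explore.exe.
    Works on WIN.INI text and on a registry export in the bracketed format
    shown in the advisory, since both are section/key=value layouts."""
    findings = []
    in_run_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_run_section = _is_run_section(stripped[1:-1])
            continue
        if not in_run_section:
            continue
        m = RUN_LINE.match(line)
        if not m:
            continue
        value = m.group(1).strip('"')
        # A WIN.INI run= line may list several programs separated by spaces or commas.
        for prog in re.split(r"[ ,]+", value):
            if prog and PureWindowsPath(prog).name.lower() in SUSPICIOUS_RUN_TARGETS:
                findings.append(prog)
    return findings


def check_file_bytes(data):
    """Compare file contents with the size and MD5 the advisory gives for Explore.exe.
    Returns (size_matches, md5_matches); either alone is only a weak indicator."""
    size_ok = len(data) == EXPLORE_EXE_SIZE
    md5_ok = hashlib.md5(data).hexdigest() == EXPLORE_EXE_MD5
    return (size_ok, md5_ok)


def matches_explore_exe(path):
    """Same check for a file on disk; a missing file yields (False, False)."""
    p = Path(path)
    if not p.is_file():
        return (False, False)
    return check_file_bytes(p.read_bytes())


# Constructed sample inputs: one host in the "_setup.exe" state (WIN.INI) and
# one NT host with the registry entry quoted in the advisory.
SAMPLE_WIN_INI = """[windows]
load=
run=_setup.exe
[Desktop]
Wallpaper=(None)
"""

SAMPLE_REG_EXPORT = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
run = "C:\WINNT\System32\Explore.exe"
"""

if __name__ == "__main__":
    for label, text in (("WIN.INI", SAMPLE_WIN_INI), ("registry", SAMPLE_REG_EXPORT)):
        hits = suspicious_run_entries(text)
        print(f"{label}: {'SUSPICIOUS: ' + ', '.join(hits) if hits else 'clean'}")
    for p in EXPLORE_EXE_PATHS:
        print(p, matches_explore_exe(p))
```

On a real system, feed the script the contents of C:\WINDOWS\WIN.INI (or the WIN.INI on each served share, since the advisory notes the program writes to shares) and an export of the registry key above; a hit in either place means the host should be treated as infected even if no Explore.exe is currently present, because of the ping-pong behaviour described.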
Propagation via email
The program propagates by replying to any new email that is received by the infected computer. The reply messages are similar to the original email described above, each containing another copy of the zipped_files.exe attachment.
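Because the replies always carry the same attachment name and message text, a mail gateway can quarantine them before they reach users. The following is an added example, not code from CERT/CC or any vendor: it uses Python's standard email package to parse a message, flag an attachment named zipped_files.exe or a body containing the text quoted earlier in this advisory, and decide whether to quarantine. The two sample messages are constructed for the example; the quarantine threshold (any single indicator) is an assumption of this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators from the advisory: the attachment name and the usual message body.
ATTACHMENT_NAME = "zipped_files.exe"
BODY_MARKER = "take a look at the attached zipped docs"


def explorezip_indicators(raw_message):
    """Parse a raw RFC 822 message and return a list of matched indicators."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower() == ATTACHMENT_NAME:
            reasons.append(f"attachment named {fname}")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_MARKER in body.get_content().lower():
        reasons.append("body text matches the advisory's message text")
    return reasons


def should_quarantine(raw_message):
    """Example policy (an assumption here): quarantine on any single indicator,
    since the attachment name alone identifies the Trojan horse."""
    return len(explorezip_indicators(raw_message)) > 0


def _build_sample(attachment_name, body_text):
    """Construct a sample message with one binary attachment (constructed data)."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "Re: meeting notes"
    m.set_content(body_text)
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_string()


# Constructed samples: one shaped like the reply the advisory describes, one benign.
SAMPLE_INFECTED = _build_sample(
    "zipped_files.exe",
    "I received your email and I shall send you a reply ASAP.\n"
    "Till then, take a look at the attached zipped docs.\n")
SAMPLE_CLEAN = _build_sample("report.pdf", "Here are the notes from today's meeting.\n")

if __name__ == "__main__":
    for label, raw in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, explorezip_indicators(raw), "quarantine" if should_quarantine(raw) else "deliver")
```

Matching on the attachment name is the reliable signal; the body text is secondary, since an ordinary reply could contain similar wording, and a gateway that blocks on body text alone will produce false positives.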
We will continue to update this advisory with more specific information as we are able to confirm details. Please check the CERT/CC web site for the current version containing a complete revision history.
- Users who execute the zipped_files.exe Trojan horse will infect the host system, potentially causing targeted files to be destroyed.
- Users who execute the Trojan horse may also infect other networked systems that have writable shares.
- Because of the large amount of network traffic generated by infected machines, network performance may suffer.
- Indirectly, this Trojan horse could cause a denial of service on mail servers. Several large sites have reported performance problems with their mail servers as a result of the propagation of this Trojan horse.
Use virus scanners
While many anti-virus products are able to detect and remove the executables locally, because of the continuous re-infection process, simply removing all copies of the program from an infected system may leave your system open to re-infection at a later time, perhaps immediately. To prevent re-infection, you must not serve any shares containing a WIN.INI file to any potentially infected machines. If you share files with everyone in your domain, then you must disable shares with WIN.INI files until every machine on your network has been disinfected.
In order to detect and clean current viruses, you must keep your scanning tools up to date with the latest definition files. Please see the following anti-virus vendor resources for more information about the characteristics and removal techniques for the malicious file known as ExploreZip.
- Aladdin Knowledge Systems, Inc.
- Command Software Systems, Inc.
- McAfee, Inc. (a Network Associates company)
- Network Associates Incorporated
- Trend Micro Incorporated
Additional sources of virus information are listed at
- Blocking Netbios traffic at your network border may help prevent propagation via shares from outside your network perimeter.
- Disable file serving on workstations. You will not be able to share your files with other computers, but you will be able to browse and get files from servers. This will prevent your workstation from being infected via file sharing propagation.
- Maintain a regular, off-line, backup cycle.
General protection from email Trojan horses and viruses
Some previous examples of malicious files known to have propagated through electronic mail include
In each of the above cases, the effects of the malicious file are activated only when the file in question is executed. Social engineering is typically employed to trick a recipient into executing the malicious file. Some of the social engineering techniques we have seen used include
- Making false claims that a file attachment contains a software patch or update
- Implying or using entertaining content to entice a user into executing a malicious file
- Using email delivery techniques which cause the message to appear to have come from a familiar or trusted source
- Packaging malicious files in deceptively familiar ways (e.g., use of familiar but deceptive program icons or file names)
The best advice with regard to malicious files is to avoid executing them in the first place. CERT advisory CA-99-02 discusses Trojan horses and offers suggestions to avoid them (please see Section V).
Copyright 1999 Carnegie Mellon University.
June 10, 1999: Initial release
June 11, 1999: Added information about the appearance of the attached file
Added information from Aladdin Knowledge Systems, Inc.
June 14, 1999: Added information about the program's self-propagation via networked shares; also updated anti-virus vendor URLs