Zipped_Files

Classification

Category :

Malware

Type :

Virus

Aliases :

ExploreZip.pak, ExploreZip.pak.b, ExploreZip.packed, ExploreZip, I-Worm.ZippedFiles.packed.b, ZippedFiles, I-Worm.ZippedFiles, I-Worm.ZippedFiles.packed, MiniZip.b, ExploreZip.packed.b, MiniZip

Summary

ZippedFiles (aka 'ExploreZip') is a Melissa-like email worm. Unlike Melissa, the Zipped_Files worm carries a destructive payload, and it also spreads via email differently: the worm analyzes messages received by Microsoft Outlook and sends automatic replies to their senders.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The replies look like this:

From: user_of_the_PC
Subject: RE: subject_of_the_original_message
To: sender_of_the_original_message

Hi sender_of_the_original_message !
 I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
Sincerely
user_of_the_pc
 Attachment: zipped_files.exe

If you receive a message like this, do not open zipped_files.exe. It looks like a self-extracting WinZip archive, but it is not one. If it is opened, it displays a WinZip-style error message and then sends itself to more users via Outlook.
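As an added example (not part of the original description), a mail-filter check that flags messages shaped like the worm's auto-reply: a 'RE:' subject together with the attachment name zipped_files.exe (or FILE_ZIPPATI.EXE, which the Italian variant uses) or the fixed body sentence quoted above. The sample messages are constructed inside the block; the example.test addresses and the helper names are the example's own.

```python
"""Flag mail shaped like the ZippedFiles auto-reply (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Attachment names the worm uses: zipped_files.exe for the original,
# FILE_ZIPPATI.EXE for the Italian variant.
WORM_ATTACHMENTS = {"zipped_files.exe", "file_zippati.exe"}
# Fixed sentence from the worm's reply body.
BODY_MARKER = "take a look at the attached zipped docs"


def attachment_names(msg: EmailMessage) -> list[str]:
    """Lower-cased file names of every attachment part in the message."""
    return [
        (part.get_filename() or "").lower()
        for part in msg.walk()
        if part.get_content_disposition() == "attachment"
    ]


def is_zippedfiles_reply(raw: bytes) -> bool:
    """True when a message looks like a worm-generated reply.

    The worm always answers with a 'RE:' subject, so that is required;
    a known attachment name or the fixed body sentence is then enough.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip().lower()
    if not subject.startswith("re:"):
        return False
    if any(name in WORM_ATTACHMENTS for name in attachment_names(msg)):
        return True
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    return BODY_MARKER in body


def build_sample(attachment_name: str, body: str) -> bytes:
    """Construct a test message with the worm's reply shape (constructed
    data; the example.test addresses are placeholders)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "user@example.test"
    msg["To"] = "sender@example.test"
    msg["Subject"] = "RE: subject of the original message"
    msg.set_content(body)
    # A few bytes standing in for an executable attachment; not worm code.
    msg.add_attachment(b"MZ" + b"\x00" * 14, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()
```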

The displayed error message looks like this:

Cannot open file: it does not appear to be a valid archive.
If this file is part of a ZIP format backup set, insert the last
disk of the backup set and try again. Please press F1 for help.

The worm copies itself to two files:

  • \WINDOWS\_SETUP.EXE
  • \WINDOWS\SYSTEM\EXPLORE.EXE

It also modifies WIN.INI so that one of these files is executed every time Windows starts. The worm works under Windows 95, 98 and NT. Under Windows NT, the worm also modifies the Registry, because the WIN.INI startup entries are ignored there.

The worm activates when executed, truncating files with several extensions on local hard drives and network drives to zero bytes, making them unusable. The following file types are affected:

  • .DOC - Microsoft Word documents
  • .XLS - Microsoft Excel spreadsheets
  • .PPT - Microsoft PowerPoint presentations
  • .ASM - Assembler source files
  • .CPP - C++ source files
  • .C - C source files
  • .H - C header files

Once the worm has infected one machine in a corporate network, it starts looking for other Windows workstations on the network. If another user has shared directories on his machine with others, the worm will try to infect that machine over the network.

This means that your machine can get infected with the ZippedFiles worm even if you are very careful with your email, do not open attachments, or even stop using email completely. You will not notice the infection, but your machine will start to automatically reply to all emails received thereafter. The replies contain an infected attachment and will spread the worm further. In addition, the worm will start to overwrite files on local and network drives.

In order to receive the worm over the company network, your machine must be running Windows 95 or 98 and must have either the system drive or the Windows directory shared for other users with full access rights. The shared drive does not have to be mounted to the infected system in order for the worm to spread, as the worm will browse all available drive shares in the network. By default, Windows does not share drives for use by other users, but many users do this to give fellow workers easy access to their files.

Under Windows 95/98 the worm uses a trick to make its removal more difficult. After writing its body to the two files, it modifies WIN.INI to run EXPLORE.EXE first. After a reboot, the worm running from EXPLORE.EXE modifies WIN.INI again, this time to run _SETUP.EXE. After the next reboot WIN.INI is modified again to run EXPLORE.EXE, and so forth.
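An added triage example, not from the original description, covering two traces described above: the WIN.INI run=/load= persistence that alternates between EXPLORE.EXE and _SETUP.EXE, and the zero-byte files left by the truncation payload. It assumes an offline, mounted copy of the infected disk, so the caller passes the WIN.INI text and a (path, size) listing; the constants and function names are the example's own.

```python
"""Offline triage for ZippedFiles traces (added example).

Two checks from the description: a WIN.INI run=/load= entry under
[windows] naming a worm drop file (EXPLORE.EXE or _SETUP.EXE, which
alternate at every reboot), and zero-byte files carrying a truncated
extension. Meant for a mounted image: the caller supplies the WIN.INI
text and a (path, size) listing, so nothing here touches a live system.
"""
from pathlib import Path, PureWindowsPath

WORM_DROPS = {"_setup.exe", "explore.exe"}
TRUNCATED_EXTS = {".doc", ".xls", ".ppt", ".asm", ".cpp", ".c", ".h"}


def windows_section(win_ini_text: str) -> dict[str, str]:
    """Key/value pairs of the [windows] section, keys lower-cased."""
    values, current = {}, None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == "windows" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def suspicious_startup_entries(win_ini_text: str) -> list[str]:
    """Programs on run= or load= whose file name is a worm drop file."""
    section, hits = windows_section(win_ini_text), []
    for key in ("run", "load"):
        # Either key may list several programs, separated by spaces or commas.
        for prog in section.get(key, "").replace(",", " ").split():
            if PureWindowsPath(prog).name.lower() in WORM_DROPS:
                hits.append(prog)
    return hits


def truncated_documents(listing) -> list[str]:
    """Paths from (path, size) pairs that are empty and have an affected extension."""
    return sorted(
        path for path, size in listing
        if size == 0 and PureWindowsPath(path).suffix.lower() in TRUNCATED_EXTS
    )


def list_tree(root: Path) -> list[tuple[str, int]]:
    """(path, size) listing of a mounted image directory, for truncated_documents."""
    return [(str(p), p.stat().st_size) for p in root.rglob("*") if p.is_file()]
```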

Variant: Zipped_Files.pak (size 120495)

On the 30th of November a packed version of the Zipped_Files worm appeared. The worm executable is almost half the original size as a result of packing the file with the NeoLite file compressor.

The first sample of this worm was received at F-Secure on Thursday, 10th of June, 11:00 GMT. The worm has already been confirmed from several countries and it seems to be spreading fast.

Variant: Zipped_Files.pak.b (size 137321)

Another variant of the ExploreZip.packed worm appeared in the beginning of December 1999. This variant spreads itself with an Italian message. The worm's body is compressed with a different file compressor, APLib. The worm drops a DRVSSRV.EXE or _SAVER.SCR file and, unlike its earlier versions, spreads itself via Outlook as FILE_ZIPPATI.EXE.
