Original issue date: Thursday June 10, 1999<BR>
Last revised: June 14, 1999<BR>
Added information about the program's self-propagation via networked
shares; also updated anti-virus vendor URLs.<BR>
Source: CERT/CC<BR>

<P>A complete revision history is at the end of this file.

<H3>Systems Affected</H3>

<UL>

<LI>Machines running Windows 95, Windows 98, or Windows NT.

<LI>Machines with filesystems and/or shares that are writable by
a user of an infected system.

<LI>Any mail handling system could experience performance problems or a
denial of service as a result of the propagation of this Trojan horse
program.

</UL>

<H3>Overview</H3>

<P>The CERT Coordination Center continues to receive reports and
inquiries regarding various forms of malicious executable files that
are propagated as file attachments in electronic mail.

<P>During the second week of June 1999, the CERT/CC began receiving
reports of sites affected by ExploreZip, a Trojan horse/worm program
that affects Windows systems and has propagated in email
attachments. The number and variety of reports we have received
indicate that this has the potential to be a widespread attack
affecting a variety of sites.

<H2>I. Description</H2>

<P>Our original analysis indicated that the ExploreZip program is a
Trojan horse, since it initially requires a victim to open or run an
email attachment in order for the program to install a copy of itself
and enable further propagation. Further analysis has shown that, once
installed, the program may also behave as a worm, and it may be able
to propagate itself, without any human interaction, to other networked
machines that have certain writable shares.

<P>The ExploreZip Trojan horse has been propagated between users in
the form of email messages containing an attached file named
<I>zipped_files.exe</I>. Some email programs may display this
attachment with a "WinZip" icon. The body of the email message usually
appears to come from a known email correspondent, and typically
contains the following text:

<DL><DD>
    <i>I received your email and I shall send you a reply ASAP.<BR>
    Till then, take a look at the attached zipped docs.</i>
</DL>

The subject line of the message may not be predictable and may appear to be
sent in reply to previous email.<P>

Opening the <I>zipped_files.exe</I> file causes the program to execute. It
is possible under some mailer configurations that a user might
automatically open a malicious file received in the form of an email
attachment.  When the program is run, an error message is displayed: <P>

<DL><DD>
    <i>Cannot open file: it does not appear to be a valid archive. If this file is
    part of a ZIP format backup set, insert the last disk of the backup set 
    and try again. Please press F1 for help.</i>
</DL>

<P>

<H5>Destruction of files</H5>

<UL>

<LI>The program searches local and networked drives (drive letters C
  through Z) for specific file types and attempts to erase the contents of
  the files, leaving a zero byte file. The targets may include Microsoft
  Office files, such as .doc, .xls, and .ppt, and various source code
  files, such as .c, .cpp, .h, and .asm.<P>

<LI>The program may also be able to delete files that are writable to it
  via SMB/CIFS file sharing. The program appears to look through the
  network neighborhood and delete any files that are shared and writable,
  even if those shares are not mapped to networked drives on the infected
  computer.<P>

<LI>The program appears to continually delete the contents of targeted
  files on any mapped networked drives.<P>

  The program does not appear to delete files with the "hidden" or "system"
  attribute, regardless of their extension.<P>

</UL>
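<P>As an added example, not part of the original advisory, the following Python script triages the damage described above: it walks a directory tree (for instance a mapped drive) and lists zero-byte files whose extension is one of the types named in this section, sorted by modification time so that the earliest and latest entries bound the period in which the program was active. The function names, the constructed sample tree and the heuristic itself are assumptions: empty files with these extensions also occur legitimately, so the output is a review list rather than a basis for automatic action, and files carrying the "hidden" or "system" attribute are expected to be intact.

```python
"""Damage triage for the file-destruction behaviour described in the advisory.

Added example, not CERT/CC code. Assumptions not on the page: the function
names, the constructed sample tree, and the heuristic that a zero-byte file
with one of the listed extensions is a candidate victim.
"""
import os
import stat
import tempfile

# File types the advisory names as targets of the zero-length overwrite.
TARGET_EXTENSIONS = {".doc", ".xls", ".ppt", ".c", ".cpp", ".h", ".asm"}


def find_truncated_files(root, extensions=TARGET_EXTENSIONS):
    """Walk root and return (path, mtime) for zero-byte regular files of a targeted type.

    Sorted by modification time: the advisory says the program keeps rewriting
    mapped drives, so the earliest and latest mtimes bound the active period.
    """
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in extensions:
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # unreadable or vanished between listing and stat
            if stat.S_ISREG(st.st_mode) and st.st_size == 0:
                hits.append((path, st.st_mtime))
    hits.sort(key=lambda hit: hit[1])
    return hits


def hit_names(hits):
    """Sorted base names of the hits, for compact reporting."""
    return sorted(os.path.basename(path) for path, _ in hits)


def summarize(hits):
    """Count hits per extension and report the (earliest, latest) mtime window."""
    by_ext = {}
    for path, _ in hits:
        ext = os.path.splitext(path)[1].lower()
        by_ext[ext] = by_ext.get(ext, 0) + 1
    window = (hits[0][1], hits[-1][1]) if hits else None
    return {"count": len(hits), "by_extension": by_ext, "window": window}


def build_sample_tree():
    """Constructed sample: a mapped drive as it might look after the program ran."""
    root = tempfile.mkdtemp(prefix="explorezip_triage_")
    os.makedirs(os.path.join(root, "src"))
    samples = {
        "report.doc": b"",           # emptied: targeted type, zero bytes
        "budget.xls": b"",           # emptied
        "notes.txt": b"",            # zero bytes but not a targeted type
        "src/main.c": b"",           # emptied
        "src/util.h": b"int x;\n",   # intact
        "photo.jpg": b"\xff\xd8",    # not targeted
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    found = find_truncated_files(tree)
    for path, mtime in found:
        print(f"{mtime:.0f}  {os.path.relpath(path, tree)}")
    print(summarize(found))
```

<P>Run against a real drive, pass the drive root (or a UNC path) to find_truncated_files() instead of the sample tree; compare the reported window with mail server logs for the first arrival of the attachment to confirm the timeline.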

<H5>System modifications</H5>

<UL>

<LI>The <I>zipped_files.exe</I> program creates a copy of itself in a file
  called <I>explore.exe</I> in the following location(s):<P>

  <DL><DD>
  On Windows 98 - C:\WINDOWS\SYSTEM\Explore.exe<BR>
  On Windows NT - C:\WINNT\System32\Explore.exe<P>
  </DL>

  This <I>explore.exe</I> file is an identical copy of the
  <I>zipped_files.exe</I> Trojan horse, and the file size is 210432
  bytes.<BR>

  MD5 (Explore.exe) = 0e10993050e5ed199e90f7372259e44b<P>

<LI>On Windows 98 systems, the <I>zipped_files.exe</I> program creates an
entry in the <I>WIN.INI</I> file:<P>

  <DL><DD>run=C:\WINDOWS\SYSTEM\Explore.exe<P>
  </DL>

  On Windows NT systems, an entry is made in the system registry:<P>

  <DL><DD>[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]<BR>
  run = "C:\WINNT\System32\Explore.exe"<P>
  </DL>

</UL>

<H5>Propagation via file sharing</H5>

Once <I>explore.exe</I> is running, it takes the following steps to
propagate to other systems via file sharing:<P>

<UL>
<LI>Each time the program is executed, the program will search the network
for all shares that contain a <I>WIN.INI</I> file with a valid "[windows]"
section in the file.<P>

<LI>For each such share that it finds, the program will attempt to<P>

  <UL>
  <LI>copy itself to a file named <I>_setup.exe</I> on that share<P>

  <LI>modify the <I>WIN.INI</I> file on that share by adding the entry
  "run=_setup.exe"<P>
  </UL>

  The account running the program on the original infected machine needs to
  have permission to write to the second victim's shared directory. (That
  is, no vulnerabilities are being exploited in order for the program to
  spread in this manner.)<P>

  The <I>_setup.exe</I> file is identical to the <I>zipped_files.exe</I>
  and <I>explore.exe</I> files on the original infected machine.<P>

<LI>The original infected system will continue to scan shares that have
  been mapped to a local drive letter containing a valid WIN.INI file.
  For each such share that is found, the program will "re-infect" the
  victim system as described above.<P>

</UL>

On Windows 98 systems that have a "run=_setup.exe" entry in the
<I>WIN.INI</I> file (as described previously), the
<I>C:\WINDOWS\_setup.exe</I> program is executed automatically whenever a
user logs in.  On Windows NT systems, a "run=_setup.exe" entry in the
<I>WIN.INI</I> file does not appear to cause the program to be executed
automatically.<P>

When run as <I>_setup.exe</I>, the program will attempt to<P>

<UL>
  <LI>make another copy of itself in C:\WINDOWS\SYSTEM\Explore.exe<P>

  <LI>modify the <I>WIN.INI</I> file again by replacing the
  "run=_setup.exe" entry with "run=C:\WINDOWS\SYSTEM\Explore.exe"
</UL>
<P>

<P>Note that when the program is run as _setup.exe, it configures the
system to later run as explore.exe.  But when run as explore.exe, it
attempts to infect shares with valid WIN.INI files by configuring
those files to run _setup.exe. Since this infection process includes
local shares, affected systems may exhibit a "ping pong" behavior in
which the infected host alternates between the two states.
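<P>The WIN.INI and file indicators given under "System modifications" and "Propagation via file sharing" above can be checked with the following Python script, added here as an example and not part of the original advisory. It parses the [windows] section of a WIN.INI, classifies the run= entry as the share-infection stage (_setup.exe), the host-persistence stage (Explore.exe) or clean, and tests whether a dropped _setup.exe has the size and MD5 listed above; survey_shares() applies this to a list of share roots, which is the inventory a site needs before acting on the advice in Section III about shares that contain a WIN.INI file. The function names, the sample WIN.INI contents and the sample share directories are constructed for the example.

```python
"""Triage helpers for the WIN.INI and file indicators the advisory lists.

Added example, not CERT/CC code. Assumptions not on the page: the function
names, the constructed sample WIN.INI contents and share directories, and
the use of size plus MD5 as the test for a dropped copy of the program.
"""
import hashlib
import os
import re
import tempfile

# Indicators quoted from the advisory.
EXPLORE_EXE_SIZE = 210432
EXPLORE_EXE_MD5 = "0e10993050e5ed199e90f7372259e44b"

# Constructed sample WIN.INI contents for the states the advisory describes.
SAMPLE_NO_WINDOWS = "[fonts]\n; no [windows] section at all\n"
SAMPLE_CLEAN = "[windows]\nload=\nrun=\n\n[fonts]\n"
SAMPLE_SETUP_STAGE = "[windows]\nload=\nrun=_setup.exe\n"
SAMPLE_EXPLORE_STAGE = "[windows]\nrun=C:\\WINDOWS\\SYSTEM\\Explore.exe\n"


def parse_windows_section(text):
    """Return the key=value pairs of the [windows] section, or None if absent."""
    section, found, entries = None, False, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            found = found or section == "windows"
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries if found else None


def win_ini_state(text):
    """Classify a WIN.INI by its run= entry.

    no_windows_section: the advisory says the program skips such shares.
    setup_stage:        run=_setup.exe, the entry written into a share.
    explore_stage:      run=...Explore.exe, the entry written on the host.
    clean:              a [windows] section with neither entry.
    """
    entries = parse_windows_section(text)
    if entries is None:
        return "no_windows_section"
    run = entries.get("run", "").lower()
    if "_setup.exe" in run:
        return "setup_stage"
    if "explore.exe" in run:
        return "explore_stage"
    return "clean"


def file_matches_indicator(path):
    """True when path is a regular file with the advisory's size and MD5."""
    if not os.path.isfile(path) or os.path.getsize(path) != EXPLORE_EXE_SIZE:
        return False
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest() == EXPLORE_EXE_MD5


def survey_shares(share_paths):
    """For each share root: WIN.INI state and whether a dropped _setup.exe matches."""
    report = {}
    for root in share_paths:
        ini_path = os.path.join(root, "WIN.INI")
        if os.path.isfile(ini_path):
            with open(ini_path, "r", errors="replace") as fh:
                state = win_ini_state(fh.read())
        else:
            state = "no_win_ini"
        report[root] = {
            "win_ini": state,
            "setup_exe_matches": file_matches_indicator(os.path.join(root, "_setup.exe")),
        }
    return report


def build_sample_shares():
    """Constructed sample: three share roots as they might look during an incident."""
    base = tempfile.mkdtemp(prefix="explorezip_shares_")
    layouts = {
        "shareA": {"WIN.INI": SAMPLE_SETUP_STAGE, "_setup.exe": "placeholder, not the program"},
        "shareB": {"WIN.INI": SAMPLE_CLEAN},
        "shareC": {"readme.txt": "no WIN.INI here"},
    }
    paths = []
    for name, files in layouts.items():
        root = os.path.join(base, name)
        os.makedirs(root)
        for fname, content in files.items():
            with open(os.path.join(root, fname), "w") as fh:
                fh.write(content)
        paths.append(root)
    return paths


if __name__ == "__main__":
    for root, info in survey_shares(build_sample_shares()).items():
        print(os.path.basename(root), info)
```

<P>Against real systems, pass mapped drive roots or UNC paths to survey_shares(). A size and MD5 match is evidence of the copy described on this page; a file at the same path that does not match is not thereby cleared, since only this one hash is listed here.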

<H5>Propagation via email</H5>

<P>The program propagates by replying to any new email that is
received by the infected computer. The reply messages are similar to
the original email described above, each containing another copy of
the <I>zipped_files.exe</I> attachment.
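<P>An added example, not part of the original advisory: a Python check of the kind a mail gateway could apply to the messages described above. It builds two constructed sample messages with the standard library's email package and reports which indicators each carries: the attachment name zipped_files.exe, an attachment whose decoded size equals the 210432 bytes given above, the presence of any executable attachment, and the lure text quoted in Section I. The function names and the sample messages are assumptions.

```python
"""Mail-gateway indicator check for the ExploreZip message pattern.

Added example, not CERT/CC code. Assumptions not on the page: the function
names, the two constructed sample messages, and the decision to report on
attachment name, attachment size, executable attachments and lure text.
"""
import email
from email import policy
from email.message import EmailMessage

ATTACHMENT_NAME = "zipped_files.exe"
ATTACHMENT_SIZE = 210432   # size the advisory gives for the program
LURE_TEXT = "take a look at the attached zipped docs"


def build_message(subject, body, attachment=None):
    """Construct a sample RFC 822 message; attachment is (filename, bytes) or None."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def classify_message(raw):
    """Return the indicators found in a raw message (an empty list means none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    if LURE_TEXT in body:
        reasons.append("lure text")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT_NAME:
            reasons.append("attachment name")
            payload = part.get_payload(decode=True) or b""
            if len(payload) == ATTACHMENT_SIZE:
                reasons.append("attachment size")
        if name.endswith(".exe"):
            reasons.append("executable attachment")
    return reasons


def is_suspect(raw):
    """Quarantine rule: the known attachment name, or the lure text with any .exe attached."""
    reasons = classify_message(raw)
    return ("attachment name" in reasons
            or ("lure text" in reasons and "executable attachment" in reasons))


# Constructed samples: one matching the advisory's description, one ordinary reply.
SUSPECT_MESSAGE = build_message(
    "Re: project status",
    "I received your email and I shall send you a reply ASAP.\n"
    "Till then, take a look at the attached zipped docs.\n",
    ("zipped_files.exe", b"MZ" + b"\0" * 100),   # placeholder bytes, not the program
)
BENIGN_MESSAGE = build_message(
    "Re: project status",
    "Here is the spreadsheet you asked for.\n",
    ("budget.xls", b"\xd0\xcf\x11\xe0" + b"\0" * 16),
)

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, classify_message(raw), "quarantine" if is_suspect(raw) else "deliver")
```

<P>The subject line is deliberately not used as an indicator, since the advisory notes it is unpredictable and often looks like an ordinary reply; the attachment name alone is treated as sufficient to quarantine, while the lure text is only combined with an executable attachment to limit false positives on legitimate mail.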

<P>We will continue to update this advisory with more specific
information as we are able to confirm details. Please check the
CERT/CC web site for the current version containing a complete
revision history.

<H2>II. Impact</H2>

<UL>

<LI>Users who execute the <I>zipped_files.exe</I> Trojan horse will infect the
  host system, potentially causing targeted files to be destroyed.<P>

<LI>Users who execute the Trojan horse may also infect other networked
  systems that have writable shares.<P>

<LI>Because of the large amount of network traffic generated by infected
  machines, network performance may suffer.<P>

<LI>Indirectly, this Trojan horse could cause a denial of service on mail
  servers. Several large sites have reported performance problems with
  their mail servers as a result of the propagation of this Trojan horse.<P>

</UL>

<H2>III. Solution</H2>

<H3>Use virus scanners</H3>

  Many anti-virus products are able to detect and remove the
  executables locally. However, because of the continuous re-infection
  process, simply removing all copies of the program from an infected
  system may leave your system open to re-infection at a later time,
  perhaps immediately. To prevent re-infection, you must not serve any
  shares containing a WIN.INI file to any potentially infected
  machines. If you share files with everyone in your domain, then you
  must disable shares with WIN.INI files until every machine on your
  network has been disinfected.<P>

  In order to detect and clean current viruses, you must keep your scanning
  tools up to date with the latest definition files. Please see the
  following anti-virus vendor resources for more information about the
  characteristics and removal techniques for the malicious file known as
  ExploreZip.<P>

   <DL><DD>
   Aladdin Knowledge Systems, Inc.<br>
   <A HREF="http://www.esafe.com/vcenter/explore.html">
   http://www.esafe.com/vcenter/explore.html</A><P>

   Central Command<BR> 
   <A HREF="http://www.avp.com/zippedfiles/zippedfiles.html">
   http://www.avp.com/zippedfiles/zippedfiles.html</A><P>

   Command Software Systems, Inc<BR>
   <A HREF="http://www.commandcom.com/html/virus/explorezip.html">
   http://www.commandcom.com/html/virus/explorezip.html</A><P>

   Computer Associates<BR> 
   <A HREF="http://www.cai.com/virusinfo/virusalert.htm">
   http://www.cai.com/virusinfo/virusalert.htm</A><P>

   Data Fellows<BR>
   <A HREF="http://www.datafellows.com/news/pr/eng/19990610.htm">
   http://www.datafellows.com/news/pr/eng/19990610.htm</A><P>

   McAfee, Inc. (a Network Associates company)<BR>
   <A HREF="http://www.mcafee.com/viruses/explorezip/default.asp">
   http://www.mcafee.com/viruses/explorezip/default.asp</A><P>

   Network Associates Incorporated<BR> 
   <A HREF="http://www.avertlabs.com/public/datafiles/valerts/vinfo/va10185.asp">
   http://www.avertlabs.com/public/datafiles/valerts/vinfo/va10185.asp</A><P>
 
   Sophos, Incorporated<BR> 
   <A HREF="http://www.sophos.com/downloads/ide/index.html#explorez">
   http://www.sophos.com/downloads/ide/index.html#explorez</A><P>

   Symantec<BR> 
   <A HREF="http://www.symantec.com/avcenter/venc/data/worm.explore.zip.html">
   http://www.symantec.com/avcenter/venc/data/worm.explore.zip.html</A><P>

   Trend Micro Incorporated<BR>
   <A HREF="http://www.antivirus.com/vinfo/alerts.htm">
   http://www.antivirus.com/vinfo/alerts.htm</A><P>

   </DL>

  <P>
  Additional sources of virus information are listed at<BR>

   <DL><DD>
     <A HREF="http://www.cert.org/other_sources/viruses.html">
     http://www.cert.org/other_sources/viruses.html</A>
   </DL>

<H3>Additional suggestions</H3>
<UL>

<LI>Blocking NetBIOS traffic at your network border may help prevent
propagation via shares from outside your network perimeter.<P>

<LI>Disable file serving on workstations. You will not be able to
share your files with other computers, but you will be able to browse and
get files from servers. This will prevent your workstation from being
infected via file sharing propagation.<P>

<LI>Maintain a regular, off-line, backup cycle.<P>

</UL>

<H3>General protection from email Trojan horses and viruses</H3>

  Some previous examples of malicious files known to have propagated
  through electronic mail include

   <UL>
   <LI>False upgrade to Internet Explorer - discussed in CA-99-02 <BR>
       <A HREF="http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html">
       http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html</A><P>

   <LI>Melissa macro virus - discussed in CA-99-04<BR>
       <A HREF="http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html">
       http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html</A><P>

   <LI>Happy99.exe Trojan Horse - discussed in IN-99-02<BR>
       <A HREF="http://www.cert.org/incident_notes/IN-99-02.html">
       http://www.cert.org/incident_notes/IN-99-02.html</A><P>

   <LI>CIH/Chernobyl virus - discussed in IN-99-03<BR>
       <A HREF="http://www.cert.org/incident_notes/IN-99-03.html">
       http://www.cert.org/incident_notes/IN-99-03.html</A><P>
   </UL>

  In each of the above cases, the effects of the malicious file are
  activated only when the file in question is executed. Social engineering
  is typically employed to trick a recipient into executing the malicious
  file. Some of the social engineering techniques we have seen used include

   <UL>
   <LI>Making false claims that a file attachment contains a software 
     patch or update<P>

   <LI>Implying or using entertaining content to entice a user into
     executing a malicious file<P>

   <LI>Using email delivery techniques which cause the message to appear
     to have come from a familiar or trusted source<P>

   <LI>Packaging malicious files in deceptively familiar ways (e.g., use
     of familiar but deceptive program icons or file names)<P>
   </UL>

  The best advice with regard to malicious files is to avoid executing them
  in the first place. CERT advisory CA-99-02 discusses Trojan horses and
  offers suggestions to avoid them (please see Section V).<P>

   <DL><DD>
     <A HREF="http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html">
     http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html</A><P>
   </DL>


<p>Copyright 1999 Carnegie Mellon University.</p>

<HR>

Revision History
<PRE>
June 10, 1999:  Initial release
June 11, 1999:  Added information about the appearance of the attached file
                Added information from Aladdin Knowledge Systems, Inc.
June 14, 1999:  Added information about the program's self-propagation via
                networked shares; also updated anti-virus vendor URLs
</PRE>