FW: VIRUS NOTICE
georgia miller
georgia_miller@gfps.k12.mt.us
1 Dec 1999 09:08:03 +0100
I think this is the virus I heard about on the radio this morning.
From: Steve Rankin on Tue, Nov 30, 1999 11:57 PM
Subject: [ASP] VIRUS NOTICE
1. The current active & malicious virus out there is called
Worm.ExploreZip. Please read the description below and be VERY careful with
any email containing attachments. If you receive such an email from do not
read it or open it--delete it immediately.
2. Virus warnings. Most virus warnings are hoaxes.
Description
Worm.ExploreZip(pack) is a packed version of Worm.ExploreZip, which contains
a malicious payload.
The worm utilizes MAPI-capable e-mail programs on Windows systems to
propagate itself. The worm e-mails itself out as an attachment with the
filename "zipped_files.exe". The body of the e-mail message may appear to
come from a known e-mail correspondent and contains the following text:
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
Once the attachment is executed, it will unpack itself and execute the
original Worm.ExploreZip routine. It may display an error message informing
the user that the file is not a valid archive.
The worm proceeds to copy itself to the c:\windows\system directory with the
filename "Explore.exe" and then modifies the WIN.INI file so that the
program is executed each time Windows is started. The worm then utilizes
your e-mail client to harvest e-mail addresses in order to propagate itself.
Users may notice that their e-mail client launches when this occurs.
Repair Notes
To remove this worm, one should perform the following steps:
Remove the line run=C:\WINDOWS\SYSTEM\Explore.exe from the WIN.INI file
Delete the file "C:\WINDOWS\SYSTEM\EXPLORE.EXE". One may need to reboot
first, if the file is currently in use.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Subscribe: "subscribe powerh-l" in message body to majordomo@lists.swau.edu
Unsubscribe: "unsubscribe powerh-l" in message to majordomo@lists.swau.edu
This list is closed, thus to post to the list, you must be a subscriber.
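
Added example, not part of the forwarded notice or of any list member's message: a Python sketch of the WIN.INI step in the Repair Notes, which strips the worm's entry from the run= line of the [windows] section and leaves every other setting alone. The sample WIN.INI and the CLOCK.EXE entry are constructed for illustration; treating run= as a space- or comma-separated list of short (8.3) paths is an assumption.

```python
import re

# Constructed sample WIN.INI (not from the original message); the second
# program on the run= line is a hypothetical legitimate entry.
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\Explore.exe C:\\TOOLS\\CLOCK.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""

WORM_PATH = r"c:\windows\system\explore.exe"  # path given in the notice


def clean_win_ini(text):
    """Return (cleaned_text, removed_entries) for a WIN.INI body."""
    section = None
    out, removed = [], []
    for line in text.splitlines():
        stripped = line.strip()
        header = re.fullmatch(r"\[(.+)\]", stripped)
        if header:
            section = header.group(1).lower()
        key, sep, value = stripped.partition("=")
        if section == "windows" and sep and key.strip().lower() == "run":
            # Assumption: run= may list several programs separated by
            # spaces or commas; keep every entry except the worm's.
            entries = [e for e in re.split(r"[\s,]+", value) if e]
            keep = [e for e in entries if e.lower() != WORM_PATH]
            removed += [e for e in entries if e.lower() == WORM_PATH]
            line = "run=" + " ".join(keep)
        out.append(line)
    return "\n".join(out) + "\n", removed


if __name__ == "__main__":
    cleaned, removed = clean_win_ini(SAMPLE_WIN_INI)
    print("removed:", removed)
    print(cleaned)
```

When the worm's path is the only entry, the result is an empty run= line, which has the same effect as removing the line. Deleting EXPLORE.EXE itself remains a separate step, as the Repair Notes describe.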