
 

The Computer Guys

Miami to Fort Lauderdale Since 1994 - Thank You!

 


Virus and Malware Alerts

 

We Build the Best & Repair the Rest! ©

 

Alerts December 1999


Top 10 malware reported to Sophos in December 1999

Position  Last month  Malware          Percentage of reports
1         Re-entry    WM97/Marker-A    21.0%
2         Re-entry    W32/ExploreZip   14.8%
3         Re-entry    WM97/Melissa     10.8%
4         New         WM97/Thursday    6.3%
5=        New         W32/Pretty       4.5%
5=        Re-entry    WM97/Class       4.5%
7         1           WM97/Ethan       3.4%
8=        10          Form             2.8%
8=        Re-entry    WM/Cap           2.8%
10        Re-entry    XM97/Laroux      2.3%
Others                                 26.8%

 

 

This section describes how W32/ExploreZip behaves.

 

W32/ExploreZip is an email worm which uses Microsoft Outlook to distribute multiple copies of itself. Other MAPI-compliant browsers may also propagate the worm. Machines not running Outlook can still be infected with W32/ExploreZip.

 

If you run the worm when Outlook is active, it mails a copy of itself in reply to all unread mail in your inbox in a message containing the text:

Hi <Name Of Recipient> I have received your email and I shall send you a reply ASAP. Till then take a look at the attached zipped docs. bye.

 

A file called ZIPPED_FILES.EXE is attached, and contains the worm.

 

If the recipient double-clicks on the attachment, the worm is triggered on their computer. As a disguise, it displays the message: "Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help."

 


 

The worm then copies itself into the system directory under the name EXPLORE.EXE, and modifies the WIN.INI file so that the infected file runs every time Windows is started.

 

As an additional warhead, W32/ExploreZip reduces to zero length any files with the extensions ASM, CPP, DOC, XLS, C, H and PPT on any accessible drive.

W32/ExploreZip searches all accessible network drives for other installations of Windows 95/98. The worm will install a file called _SETUP.EXE and make a change to WIN.INI so that it is run the next time the remote copy of Windows 95/98 is started.

 

If installations of Windows NT are found during the search of network drives, W32/ExploreZip will install the _SETUP.EXE file and make the change to WIN.INI, but the file will not be run when the Windows NT machine is restarted. _SETUP.EXE would need to be run manually on the remote machine to apply its registry changes and become active.

 

If remote Windows installations are affected in this way, you should delete the _SETUP.EXE and adjust the WIN.INI and registry accordingly.
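To check a machine or a copied WIN.INI for the traces described above, the following added example (not from Sophos or the original page) flags autostart entries that point at EXPLORE.EXE or _SETUP.EXE and lists zero-length files with the targeted extensions. It assumes the WIN.INI change is made on the load= or run= lines of the [windows] section, the usual Windows 95/98 autostart location, since the page does not name the key; the function names and sample data are constructed for illustration.

```python
import re

WORM_NAMES = {"EXPLORE.EXE", "_SETUP.EXE"}                   # file names from the alert
TARGET_EXTS = {"ASM", "CPP", "DOC", "XLS", "C", "H", "PPT"}  # extensions from the alert

def _basename(path):
    return re.split(r"[\\/]", path)[-1]

def autostart_entries(win_ini_text):
    """Return (key, program) pairs from load=/run= in the [windows] section."""
    entries, section = [], None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section == "windows" and sep and key.strip().lower() in ("load", "run"):
            # Assumption: programs are separated by spaces or commas (short 8.3 paths).
            entries += [(key.strip().lower(), p)
                        for p in re.split(r"[ ,]+", value.strip()) if p]
    return entries

def suspicious_autostarts(win_ini_text):
    """Autostart entries whose file name exactly matches a name from the alert."""
    # Exact match on the base name, so the legitimate EXPLORER.EXE is not flagged.
    return [(k, p) for k, p in autostart_entries(win_ini_text)
            if _basename(p).upper() in WORM_NAMES]

def truncated_targets(listing):
    """From (path, size) pairs, return zero-length files with a targeted extension."""
    hits = []
    for path, size in listing:
        name = _basename(path)
        ext = name.rsplit(".", 1)[1].upper() if "." in name else ""
        if size == 0 and ext in TARGET_EXTS:
            hits.append(path)
    return hits

# Constructed sample, not taken from a real machine.
SAMPLE_WIN_INI = r"""
[windows]
load=C:\WINDOWS\EXPLORER.EXE
run=C:\WINDOWS\SYSTEM\Explore.exe
[Desktop]
run=_setup.exe
"""

if __name__ == "__main__":
    print(suspicious_autostarts(SAMPLE_WIN_INI))
```

A zero-length DOC or C file is only a hint that the file was overwritten; restore such files from backup rather than treating the listing as proof of infection.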

 

 


Copyright © 1998 The Computer Guys
