Zippedfiles or Explorezip trojan
Information about the Zippedfiles or Explorezip virus:
Zippedfiles or Explorezip is a dangerous Win32-based trojan program. It
affects Windows 95, Windows 98 and Windows NT systems. The trojan can spread
on its own using email, and it will delete many document and program source
files.
The program appears to be a collection of Zip files. When it is executed,
it displays the following error message:
Cannot open file; it does not appear to be a valid archive. If this file is
part of a ZIP format backup set, insert the last disk of the backup set and
try again.
Please press F1 for help.
The Zippedfiles trojan copies itself to the Windows system directory and
makes changes to ensure that it is loaded each time the computer boots. To
achieve this, it changes the WIN.INI file on Windows 95 and 98 and the
system registry on Windows NT.
It adds these lines to the WIN.INI file:
run=_setup.exe
run=C:\Windows\System\Explore.exe
Under Windows NT, the Zipped_files or Explorezip trojan adds the same
programs to the system registry key:
HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Windows\Run
When the trojan program is active, it sends itself as an attachment named
Zipped_files.exe to all the email addresses from which the user receives
email. The size of the attachment is 210 KB. The email sent by the trojan
contains this message:
Hi, (UserName)!
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zip docs.
Bye.
The most destructive part of the Zipped_files or Explorezip trojan is that
it destroys all files with the extensions DOC, XLS, PPT, C, ASM and CPP. It
reduces the size of these files to 0 bytes, and the damaged files are very
difficult to recover. The trojan destroys files on the local hard disk and
on all networked drives.
Zipped_files first appeared in June 1999
and it is reported to have affected a lot of users globally.
Other names of Zippedfiles or Explorezip virus:
This virus is also known as worm.explore.zip, win32.explorezip and
Zipped_files trojan.
Removing Zippedfiles or Explorezip trojan virus from your computer:
You can remove this trojan from your computer by using Protector Plus
antivirus software. Protector Plus antivirus software will detect this
trojan and completely remove it from your computer. It will also remove the
additional lines inserted by the trojan into the WIN.INI file.
You can also remove this trojan manually
from your computer. Follow these instructions carefully to find out whether
you are infected by this trojan and then to remove it from your computer.
Removing the Zipped_files trojan manually requires you to have some knowledge
of using various Windows Programs as detailed below. If you are not familiar
with the usage of the below mentioned Windows Programs, use Protector Plus
antivirus software to detect and remove this trojan.
Windows 95 and Windows 98:
Detecting Zipped_files or Explorezip trojan infection:
1. Close all programs.
2. Press the <Ctrl>, <Alt> and <Del> keys simultaneously. This will bring up
the "Close Program" window.
3. If the window lists one or more of the following entries, you are
infected by this trojan.
Zipped_files
Explore
_setup
Note: There will be an entry for Explorer. This is a Windows program and not
the trojan.
Removing Zippedfiles or Explorezip trojan:
1. Select the program entry related to the trojan (Zipped_files, Explore or
_setup) from the "Close Program" window (as mentioned in point 3 above) and
click on the "End Task" button. Do the same for all the entries that are
related to the trojan. This ends the execution of the trojan's program files
so that it is no longer active in memory.
2. Delete these files.
C:\WINDOWS\_Setup.exe
C:\WINDOWS\SYSTEM\Explore.exe
You may have to replace C:\WINDOWS with something else if the directory is
named otherwise on your computer.
3. Open the WIN.INI file (with NOTEPAD) under the C:\WINDOWS directory and
remove the following lines.
run=_setup.exe
run=C:\Windows\System\Explore.exe
4. Save the WIN.INI file and restart your computer.
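A scripted version of step 3 above, as an added example that is not part of the original page: it scans WIN.INI text for the two run= lines listed on this page and returns the file without them, matching on the program's base name so that the legitimate Explorer.exe is never flagged. The function names and the sample WIN.INI are constructed for illustration, and it assumes one program per run= line in the [windows] section, as in the lines shown above.

```python
import ntpath

# Program names the page attributes to the trojan. Explorer.exe is the
# legitimate Windows shell and must not match.
TROJAN_NAMES = {"_setup.exe", "explore.exe"}


def is_trojan_entry(value):
    """True if a run= value names _setup.exe or Explore.exe (any path, any case)."""
    program = value.strip().strip('"')
    return ntpath.basename(program).lower() in TROJAN_NAMES


def scan_win_ini(text):
    """Return (findings, cleaned_text) for the contents of a WIN.INI file.

    findings lists (line_number, line) for each run= line in the [windows]
    section that loads the trojan; cleaned_text is the file without them.
    """
    findings, kept, section = [], [], ""
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        key, sep, value = stripped.partition("=")
        if (section == "windows" and sep and key.strip().lower() == "run"
                and is_trojan_entry(value)):
            findings.append((number, stripped))
            continue  # drop the line, as in step 3 of the manual removal
        kept.append(line)
    return findings, "\r\n".join(kept) + "\r\n"


# Constructed sample: an infected WIN.INI plus one unrelated run= line.
SAMPLE_WIN_INI = (
    "[windows]\r\n"
    "load=\r\n"
    "run=C:\\WINDOWS\\EXPLORER.EXE\r\n"
    "run=_setup.exe\r\n"
    "run=C:\\Windows\\System\\Explore.exe\r\n"
    "[Desktop]\r\n"
    "Wallpaper=(None)\r\n"
)

if __name__ == "__main__":
    hits, cleaned = scan_win_ini(SAMPLE_WIN_INI)
    for number, line in hits:
        print(f"line {number}: {line}")
    print(cleaned, end="")
```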
Windows NT:
Detecting Zipped_files or Explorezip trojan infection:
1. Close all programs.
2. Right click on the Task Bar and select "Task Manager" from the menu.
Click on the "Processes" tab. This will bring up the "Processes" window.
3. If the window lists one or more of the following entries, you are
infected by this trojan.
Zipped_files
Explore
_setup
Note: There will be an entry for Explorer. This is a Windows program and not
the trojan.
Removing Zippedfiles or Explorezip trojan:
1. Select the program entry related to the trojan (Zipped_files, Explore or
_setup) from the "Processes" window (as mentioned in point 3 above) and
click on the "End Process" button. Do the same for all the entries that are
related to the trojan. This ends the execution of the trojan's program files
so that it is no longer active in memory.
2. Delete these files.
C:\WINNT\_Setup.exe
C:\WINNT\SYSTEM32\Explore.exe
You may have to replace C:\WINNT with something else if the directory is
named otherwise on your computer.
3. Delete the system registry entry added by the trojan.
Note: This step requires some knowledge of using the REGEDIT program.
Continue ONLY if you are comfortable with the REGEDIT program. Your computer
will be free of the trojan even if you do not complete this step.
a. Click on the Start button and select Run.
b. Type REGEDIT and click OK.
c. Double click on the following entries in the left side window. When you
double click on an item, the next item will appear below it.
HKEY_CURRENT_USER
Software
Microsoft
WindowsNT
CurrentVersion
Windows
Run
Now, in the right side window, select the entry
C:\WinNT\System32\Explore.exe
and then click on the "Edit" menu and select "Delete".
4. Close the REGEDIT program and restart your computer.