I received this from our internet service provider and thought some of you
wouldn't mind getting this even though it is not structural engineering
related.  I will never understand why anyone would want to spend their time
making viruses - maybe it is the virus protection software manufacturers
that do it.
-----Original Message-----
From: Enter.Net Administrator <sysadm(--nospam--at)>
Date: Wednesday, December 01, 1999 10:06 AM

>The following information is about a new virus that just came out
>called "Mini-Zip."  Please read the following information about the
>virus. There is also a link to download and remove the virus from
>your system if you are infected.
>If you get an e-mail with the following information in the body:
>"I received your email and I shall send you a reply ASAP.
>Till then, take a look at the attached zipped docs. "
>The virus is a 32bit worm that travels by sending email messages to
>users.  It drops the file explore.exe and modifies either the WIN.INI
>(Win9x) or modifies the registry (WinNT).
>The worm is attached with the filename "zipped_files.exe" as the
>with a file size of 120,495 bytes. The file has a Winzip icon which is
>designed to fool unsuspecting users to run it as a self-extracting file. If
>the attachment is run, the user will see a fake error message, as follows:
>"Cannot open file: it does not appear to be a valid archive. If this file
>part of a ZIP format backup set, insert the last disk of the backup set and
>try again. Please press F1 for help."
>Systems with full access shares on a network could experience the worm
>creating a copy of itself in two folder locations, and two file names. A
>file named "EXPLORE.EXE" will be copied to Windows\System folder and a file
>"_SETUP.EXE" is copied to the Windows folder. On these systems, if the OS
>Windows 9x, the WIN.INI is modified with:
>run=c:\windows\explore.exe  (or)  _setup.exe
>The value will switch between _setup.exe and explore.exe per reboot. On the
>startup of Windows, it will load this file thereby infecting the system.
>This worm will only try to such systems once, whereas systems which are
>mapped drives are constantly attempted to re-infect.
>On Windows NT systems, the registry is modified with the following key
>HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
>run = explore.exe  (or)  _setup.exe
>The value will switch between _setup.exe and explore.exe per reboot.
>This worm does not self-check and prevent itself from loading more than
>so it could have more than one task running. On Windows 9x and Windows NT,
>is listed as a task by the file name running, such as "Explore" or "_Setup"
>or "Zipped_Files".
>Windows 95/98
>Run the System Configuration Editor
>Select the Start menu from your desktop and Run SYSEDIT.EXE
>Select the C:\WINDOWS\WIN.INI window.
>In the line run =, remove listings that match either of these
>Select File > Save, then Exit.
>Select the Start menu and Shutdown -
>Choose Restart the computer in MS-DOS mode and click YES (This action
>EXPLORE.EXE from system memory.)
>Once your PC is in DOS, type EXIT to return to Windows. (This action
>Windows without EXPLORE.EXE in memory.)
>In Windows, remove the file, EXPLORE.EXE, from your system
>Click Start > Find > Files or Folders
>In the Find: All Files dialog box, type EXPLORE.EXE in the Name field
>Click Find Now
>Repeat step 10 through 13 for both _SETUP.EXE and ZIPPED_FILES.EXE
>In Windows NT, this worm will run as a process by one of the following
>names - "explore", "zipped_f", or "_setup" in WinNT Task Manager. You can
>experience high CPU utilization when the process is running. End process
>names which match, noting that "explorer" is the default Windows shell and
>is a valid task!
>Run the WinNT Registry Editor - Click Start > Run > Open REGEDIT (not
>Locate the hive
>Highlight the following key "run=C:\WINNT\System32\Explore.exe" and remove
>by pressing the Delete button.
>3. Edit WIN.INI and remove either of these lines if they exist
>Restart Windows NT - Click Start > Shutdown. Select Restart and click OK.
>(Your system will now reboot.)
>Remove the file, EXPLORE.EXE, from your system
>Click Start > Find > Files or Folders
>In the Find: All Files dialog box, type EXPLORE.EXE in the (Named) field
>Click Find Now - delete EXPLORE.EXE
>Repeat Step 6 through 9 for _SETUP.EXE and ZIPPED_FILES.EXE.
>You can also get a fix from the following link:
>Just download Killezip.exe and save it to your disk
>KILLEZIP.EXE is a utility to remove instances of the W32/ExploreZip.worm
>W32/ExploreZip.worm.pak virus. Its function is to terminate the process
>running, delete the associated files, repair the registry and fix the
>WIN.INI entries. A description of this worm is available from the Virus
>Library page at
>Enter.Net, Inc.
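
The manual WIN.INI and file checks described in the forwarded advisory can be scripted. The following is an added example, not part of the original message or any Enter.Net or vendor tool: it flags `run=` entries and files that carry the worm's file names while leaving the legitimate `explorer.exe` shell alone. The function names and sample data are constructed for illustration, and treating the dropped copies as the same size as the attachment is an assumption.

```python
import ntpath

# File names the advisory attributes to the worm (compared case-insensitively).
WORM_NAMES = {"explore.exe", "_setup.exe", "zipped_files.exe"}
# Attachment size stated in the advisory, in bytes (assumed equal for copies).
WORM_SIZE = 120495


def suspicious_run_entries(win_ini_text):
    """Return run= entries in the [windows] section that name a worm file."""
    hits, section = [], None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section != "windows" or not sep or key.strip().lower() != "run":
            continue
        # run= may list several programs separated by spaces or commas.
        for entry in value.replace(",", " ").split():
            # Exact base-name match, so explorer.exe is never flagged.
            if ntpath.basename(entry).lower() in WORM_NAMES:
                hits.append(entry)
    return hits


def suspicious_files(listing):
    """listing: iterable of (path, size). Return (path, size_matches) pairs."""
    return [(path, size == WORM_SIZE) for path, size in listing
            if ntpath.basename(path).lower() in WORM_NAMES]


# Constructed sample input (not taken from a real system).
SAMPLE_INI = """\
[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\Explore.exe
[Desktop]
"""
SAMPLE_FILES = [("C:\\WINDOWS\\EXPLORER.EXE", 204288),
                ("C:\\WINDOWS\\SYSTEM\\EXPLORE.EXE", 120495),
                ("C:\\WINDOWS\\_SETUP.EXE", 120495)]

if __name__ == "__main__":
    print(suspicious_run_entries(SAMPLE_INI))
    print(suspicious_files(SAMPLE_FILES))
```

A name match is a prompt to inspect the file, not proof of infection; the size comparison only adds confidence.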