Another version of ExploreZip is loose

Written by Robert Vamosi, Contributor

Someone has rereleased a classic virus using a new compression scheme to avoid existing antivirus signatures. ExploreZip (ExploreZip.n@mm), also known as ExploreZip.M and ExploreZip.E, is based on the original ExploreZip, which ranked second to Melissa in terms of corporate damage back in 1999. The new version is compressed to a file size of 91,048 bytes using a modified UPX compressor and, like the original, spreads via e-mail. Users may find their Word or Excel data files, among others, reduced to zero bytes within 30 minutes of infection. Because ExploreZip spreads via e-mail and could seriously damage system files, this worm rates a 6 on the ZDNet Virus Meter.

How it works
ExploreZip arrives via e-mail with subject line "Hi" and the body text as follows:

I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. bye (or sincerely) (sender name)

The attached file is zipped_files.exe, with a WinZip icon, and it's 210,432 bytes in length.

Upon infection, ExploreZip will search for files ending with .c, .cpp, .h, .asm, .doc, .xls, or .ppt and save them with zero bytes. It will repeat this procedure every 30 minutes.
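As an added example (not from the article or from any antivirus vendor), the indicators described above expressed as detection logic: a mail-side check for the lure (subject "Hi", attachment zipped_files.exe, reported length 210,432 bytes) and a host-side check for the damage signature (targeted extensions reduced to zero bytes). The sample message and directory are constructed for the demonstration; other variants may use a different size or name.

```python
import email
import os
import tempfile
from email import policy
from email.message import EmailMessage

SUBJECT = "hi"
ATTACHMENT_NAME = "zipped_files.exe"
ATTACHMENT_SIZE = 210432  # reported length of the attachment in this variant
TARGET_EXTS = {".c", ".cpp", ".h", ".asm", ".doc", ".xls", ".ppt"}


def mail_indicators(raw: bytes) -> set:
    """Return which ExploreZip lure indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    if (msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.add("subject")
    for part in msg.iter_attachments():   # empty for non-multipart mail
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT_NAME:
            hits.add("attachment-name")
        if len(part.get_payload(decode=True) or b"") == ATTACHMENT_SIZE:
            hits.add("attachment-size")
    return hits


def zeroed_targets(root: str) -> list:
    """Files under root with a targeted extension that are now 0 bytes (the damage signature)."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in TARGET_EXTS and not os.path.getsize(path):
                found.append(os.path.relpath(path, root))
    return sorted(found)


def sample_message() -> bytes:
    """Constructed lure mirroring the description above; not a real capture."""
    msg = EmailMessage()
    msg["Subject"] = "Hi"
    msg.set_content("Take a look at the attached zipped docs. bye")
    msg.add_attachment(b"\0" * ATTACHMENT_SIZE, maintype="application",
                       subtype="octet-stream", filename=ATTACHMENT_NAME)
    return msg.as_bytes()


def sample_tree() -> str:
    """Constructed directory: two zeroed targets, one intact target, one zeroed non-target."""
    root = tempfile.mkdtemp()
    for name, data in [("report.doc", b""), ("main.c", b""), ("budget.xls", b"x"), ("notes.txt", b"")]:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root
```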

Prevention
Users of Microsoft Outlook 2002 and users of Outlook 2000 who have installed the Security Update should be safe from the attached EXE file. Users who have not upgraded to Outlook 2002 or who have not installed the Security Update for Outlook 2000 should do so. In general, do not open attached files in e-mail without first saving them to hard disk and scanning them with updated antivirus software. Contact your antivirus vendor to obtain the most current antivirus signature files that include the latest version of ExploreZip.

Removal
Several antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, F-Secure, McAfee, Norman, Panda, Sophos, or Trend Micro.
