Listen up ya'll..... this is a factual virus report. Don't forward this,
but copy and paste if you want to and then mail to people. Forwarding
wastes bandwidth.....and all those > >> >>>>> etc are hard to
wade
through.
******
This is a 32bit Worm that travels by sending email messages to users.
It drops the file explore.exe and modifies either the WIN.INI (Win9x) or
modifies the registry (WinNT).
This worm attempts to invoke the MAPI aware email applications as in MS
Outlook, MS Outlook Express, MS Exchange and confirmed in
Netscape-mail. This worm replies to messages received with an email
message with the following body:
"I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs."
The subject line is not constant as the message is a reply. The worm
(named "zipped_files.exe" is attached, with a file size of 210,432
bytes. The file has a Winzip icon which is designed to fool unsuspecting
users to run it as a self-extracting file.
User who run this attachment will be presented with a fake error message
that says:
"Cannot open file: it does not appear to be a valid archive. If this
file is part of a ZIP format backup set, insert the last disk of the
backup set and try again. Please press F1 for help."
The Worm has a payload; immediately after execution it will search all
mapped drives for the following file types, and when it finds them, it
will erase their contents and the file will be zero bytes:
.c, .cpp, .h, .asm, .doc, .xls, or .ppt
So everyone, just DON'T run anything that you get until you have scanned
the file with a virus checker, or KNOW the person that sends it is clean
and doesn't send viris or worms.
If in doubt, DELETE the file.
Read about this at:
http://www.avertlabs.com/public/datafiles/valerts/
Lori