W32/ExploreZi-N

Category: Viruses and Spyware Protection available since:08 Jan 2003 00:00:00 (GMT)
Type: Win32 worm Last Updated:08 Jan 2003 00:00:00 (GMT)
Prevalence: No Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

Aliases

  • W32/ExploreZip.worm@M

Affected Operating Systems

Windows

Recovery Instructions:

Please follow the instructions for removing worms.

Windows NT/2000/XP

First, you must shut down the EXPLORE.EXE process:

  • Press the Ctrl, Alt and Del keys at the same time.

  • Click Task Manager, then select the Processes tab.

  • Select an instance of EXPLORE.EXE and click End Process.

  • Repeat this for all instances of EXPLORE.EXE.

Then run a scan to remove the worm file.

You will also need to edit the following registry key for each user who ran the worm. The removal of this key is optional in Windows 95/98/Me.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export Range' panel, click 'All', then save your registry as Backup.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the key:

HKU\[code number]\Software\Microsoft\WindowsNT\
CurrentVersion\Windows\run

This will refer to "\WINNT\SYSTEM32\EXPLORE.EXE". Delete this entry if it exists.

Windows 95/98/Me

At the taskbar, right-click Start and select Explore. Search for Win.ini in the Windows folder and open it in Notepad. Search for the line "run = c:\windows\system\explore.exe". Delete this line.

Then run a scan to remove the worm file.

Reboot your computer.

Other operating systems

For all other operating systems please use the instructions for removing worms.


Check your network

W32/ExploreZi-N will install a file called _SETUP.EXE and make a change to WIN.INI on any Windows 95/98/Me computer it has access to on the network. _SETUP.EXE will be run next time that Windows 95/98/Me computer is started.

This may also be done to installations of Windows NT/2000/XP, but the file will not be run when the computer is restarted. _SETUP.EXE would need to be run manually on the remote computer to apply its registry changes and become active.

If remote Windows installations are affected in this way you should delete the _SETUP.EXE and change WIN.INI and the registry as described above.

download Try Sophos products for free
Download now

© 1997 - 2012 Sophos Ltd. All rights reserved. Legal Privacy