W32/ExploreZip

Category: Viruses and Spyware
Protection available since: 10 Jun 1999 00:00:00 (GMT)
Type: Win32 worm
Last Updated: 10 Jun 1999 00:00:00 (GMT)
Prevalence: No Reports


Affected Operating Systems

Windows

Recovery Instructions:

Please follow the instructions for removing worms.

Windows NT/2000/XP

First, you must shut down the EXPLORE.EXE process:

  • Press the Ctrl, Alt and Del keys at the same time.

  • Click Task Manager, then select the Processes tab.

  • Select an instance of EXPLORE.EXE and click End Process.

  • Repeat this for all instances of EXPLORE.EXE.

Then run a scan to remove the worm file.

You will also need to edit the following registry key for each user who ran the worm. The removal of this key is optional in Windows 95/98/Me.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export Range' panel, click 'All', then save your registry as Backup.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the key:

HKU\[code number]\Software\Microsoft\WindowsNT\CurrentVersion\Windows\run

This will refer to "\WINNT\SYSTEM32\EXPLORE.EXE". Delete this entry if it exists.

Windows 95/98/Me

At the taskbar, right-click Start and select Explore. Search for Win.ini in the Windows folder and open it in Notepad. Search for the line "run = c:\windows\system\explore.exe". Delete this line.

Then run a scan to remove the worm file.

Reboot your computer.

Other operating systems

For all other operating systems please use the instructions for removing worms.


Check your network

W32/ExploreZip will install a file called _SETUP.EXE and make a change to WIN.INI on any Windows 95/98/Me computer it has access to on the network. _SETUP.EXE will be run next time that Windows 95/98/Me computer is started.

This may also be done to installations of Windows NT/2000/XP, but the file will not be run when the computer is restarted. _SETUP.EXE would need to be run manually on the remote computer to apply its registry changes and become active.

If remote Windows installations are affected in this way you should delete the _SETUP.EXE and change WIN.INI and the registry as described above.
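The WIN.INI check from the Windows 95/98/Me and "Check your network" steps can be scripted over copies of WIN.INI collected from local and remote installations. This is an added example, not part of the original advisory: the function name and the sample file are constructed, and treating the unspecified WIN.INI change for _SETUP.EXE as a run= or load= entry is an assumption.

```python
import ntpath
import re

# File names from the advisory; compared case-insensitively.
WORM_FILES = {"explore.exe", "_setup.exe"}
SECTION = re.compile(r"^\s*\[(.+?)\]\s*$")
# Assumption: load= is checked as well as run=, since both start programs
# from the [windows] section of WIN.INI at boot.
ENTRY = re.compile(r"^\s*(run|load)\s*=(.*)$", re.IGNORECASE)


def check_win_ini(text):
    """Return (findings, cleaned text); findings are (line, key, program)."""
    findings, out, section = [], [], ""
    for number, line in enumerate(text.splitlines(), start=1):
        header = SECTION.match(line)
        if header:
            section = header.group(1).strip().lower()
        entry = ENTRY.match(line) if section == "windows" else None
        if not entry:
            out.append(line)
            continue
        key = entry.group(1)
        # One entry can name several programs; split on spaces and commas.
        programs = [p for p in re.split(r"[,\s]+", entry.group(2).strip()) if p]
        keep = []
        for program in programs:
            if ntpath.basename(program).lower() in WORM_FILES:
                findings.append((number, key.lower(), program))
            else:
                keep.append(program)
        if len(keep) == len(programs):
            out.append(line)                       # nothing removed, keep verbatim
        else:
            out.append(f"{key}={' '.join(keep)}")  # drop only the worm's program
    return findings, "\r\n".join(out) + "\r\n"


# Constructed sample WIN.INI, not taken from an infected machine.
SAMPLE = (
    "[windows]\r\n"
    "load=C:\\WINDOWS\\_SETUP.EXE\r\n"
    "run = c:\\windows\\system\\explore.exe c:\\tools\\backup.exe\r\n"
    "NullPort=None\r\n"
)

if __name__ == "__main__":
    for number, key, program in check_win_ini(SAMPLE)[0]:
        print(f"line {number}: {key}= starts {program}")
```

Review the findings before writing the cleaned text back, and still delete the worm file itself with a scan as described above.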
