list admin warning: nasty virus propagating fast

Chris Evans (
Sun, 13 Jun 1999 17:56:39 +0100

Someone on another list (the Personal Construct Psychology list for anyone interested in
constructivism!) got infected with the explore_zip worm/virus. That
wasn't through that list and the people involved and the excellent
mailbase system come out of this with huge credit (thanks all!)

If the information I've collated from various very reliable sources is
correct then I've blocked this from ever being propagated on this list
by blocking any message above 50k in size. This may block a very
large attachment sent to the list but you shouldn't be sending large
attachments to the whole list I guess so we're none of us losing
through this. It sounds quite likely that anyone using Email a lot is
in danger from this beast so don't open any attachments in a
message saying:

Hi ***
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.


Where *** is some good approximation or accurate rendering of
your name. The message will either have a friendly subject line
addressing you or it will look like a reply to a message you have
sent to someone (the poor infected sod whose machine is now
trying to get you!)

More information below for those who want all the low down.
Excellent anti-viral sites at the end of the post you should know of
for future reference and to tell virus hoaxes (which cause almost as
much wasted time as virii and worms themselves).

Best wishes all,


Detailed information:

This is a nasty win32 program capable of infecting Windows 95, 98
and NT and windows 3.1/3.11 with the win32 extensions (you've
almost certainly got those if you're running win3.1/3.11 still). If
you're running Microsoft outlook/exchange/express to handle Email
(not necessarily as your Email client) then it will infect that, use
your address book and send itself to other people in your address
book as if it's coming from you. There seems to be nothing in the
headers and subject line that identifies these messages (the worm
component of the beast) so I can't filter for it.

If you get a message containing a message that says:

Hi ***
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.


Then you've almost certainly received this beast. It will have an
attachment called zipped_files.exe. If you use M$ Email it will
conceal the fact that it's an exe file by showing a zip archive icon.
IF you execute that zip it will infect your system and start sending
itself to other people.

That's nasty enough but the really nasty thing is the virus bit of the
beast. It start randomly deleting files based on file extensions
(including .h, .c, .cpp, .asm, .doc, .xls, .ppt). It does this by
calling CreateFile(), and making them 0 bytes long which is a
pretty final way of killing them (i.e. they won't go to the trash can
and be recoverable as they would be if a DelFile() (or whatever it is
in Windoze)).

It looks as if it's been written by someone with a grudge against M$
and I'd acknowledge feeling of that but I don't like violence and I
don't want anyone on my lists to lose work and have to rebuild
things through this. I'd specifically filter any such messages sent
to the list if I could do rather than using the size restriction as a
choke but at present I can't. If I get a way to do so then I'll
implement it ASAP and may remove the size restriction. I'll let you
know if I do.


If you get a message like this (including this one!) by all means
take precautions on your own appraisal of it but _PLEASE_ never
pass the warning on to the list without checking the information out
at least one reputable anti-viral/anti-hoax site such as:




Dr. Solomon:

or (probably) any of the resources at:
is a good resource for chasing other Internet myths, chain letters

PSYCTC: Psychotherapy, Psychology, Psychiatry, Counselling
and Therapeutic Communities; practice, research,
teaching and consultancy.
Chris Evans & Jo-anne Carlyle Email: