Here's a followup to my earlier post about this Trojan:

I've just installed a Trojan cleaner called 'Trojan Remover 6.1.5'.  After rebooting, the program informed me that my registry was calling for Explore.exe to be run.  Evidently the Symantec fix didn't clean the registry as it was supposed to.

So, if anyone wants to to check their own registry, go to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and see if 'C:\Windows\System32\Explore.exe' is included in the list.

If it's there, delete it.

Note that this location applies to Windows XP - but it may be different in other OS's. 

Ian Porter
Computer Guys Inc.
Arrowtown
New Zealand
[log in to unmask]

The NOSPIN Group
http://freepctech.com

  ----- Original Message ----- 
  From: Ian 
  To: [log in to unmask] 
  Sent: Monday, January 19, 2004 10:31 AM
  Subject: [PCSOFT] Worm Explore.exe


  Some of you might like to see if your computer is playing host to a worm-created file named Explore.exe. (That's EXPLORE, not EXPLORER)

  This is a bug which, apart from sending itself out in the form of replies to unread messages, can destroy certain files, including .docs, .xls and .ppt.   Check out the blurb here:

  http://www.symantec.com/avcenter/venc/data/worm.explore.zip.html

  ......and there's a fix here:

  http://securityresponse.symantec.com/avcenter/FixExzip.exe

  It just got onto my PC in spite of my fairly comprehensive defense mechanisms.  I wouldn't have known it was there if Zone Alarm Pro hadn't jumped up and asked if it was ok for explore.exe to access the network.

  If you run the fix and you're using XP, turn off System Restore first, as per the Symantec instructions.  And you might consider running it in safe mode - I couldn't get it to finish in regular mode - I think the bug itself was somehow affecting the process.

             PCSOFT maintains many useful files for download
                     visit our download web page at:
                  http://freepctech.com/downloads.shtml