Selected viruses, spyware, and other threats: sorted alphabetically
Win32/Vote.A is a worm written in Visual Basic. It spreads as an email file attachment. The subject of the message is "Fwd: Peace be between America and Islam!". In the message body there is the following text:
Is it a war against America or Islam !?
Let's vote to live in peace!
In the attachment of this message there is the file wtc.exe containing the worm code. After it is executed the worm sends its copy to each address in the address book of the client Microsoft Outlook.
On the disk the worm creates two files - Mixdalal.vbs and ZaCkEr.vbs. The worm executes the first of them and by doing so overwrites all files with the extensions htm or html which are present on local or accessible network disks by the following text:
AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You .
Activation of the second file is ensured by means of creating a key in the system registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\run\Norton.Thar. This causes its activation after a system restart. This script deletes all files present in the directory where the operating system Windows was installed. In addition it modifies the file C:\autoexec.bat – it overwrites it by the code echo y | format C:. This file is executed after a computer restart and causes formatting of the disk C:. The script displays the following window:
After that ZaCkEr.vbs itself triggers the computer to be turned
off and and there by brings about the need to restart the operating system.
The worm deletes the contents of directories according to the following list:
C:\Program Files\AntiViral Toolkit Pro
C:\Program Files\Command Software\F-PROT95
C:\Program Files\Quick Heal
C:\Program Files\Norton AntiVirus
© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.