Virus

W32/Vote.A@mm

Analysis

  • The virus is a 32-bit executable with a file size of 55,808 bytes
  • The virus was written in Visual Basic 6 and requires the VB6 runtime files to be present in order to run, and therefore to be a threat
  • If run on a host system, the virus may send itself as a single message to each contact listed in the Outlook Address Book, in this format -

    Subject = Fwd:Peace BeTweeN AmeriCa And IsLaM !
    Body =
    Hi
    iS iT A waR Against AmeriCa Or IsLaM !?
    Let's Vote To Live in Peace!
    Attachment = WTC.exe

  • The virus creates several files on the local system -

    C:\Windows\MixDaLaL.vbs - 1370 bytes
    C:\Windows\WTC.exe - 55808 bytes
    C:\Windows\System\ZaCker.vbs - 653 bytes

  • The virus then runs the file "MixDaLaL.vbs" - this VBScript component replaces the contents of every .HTM and .HTML file on all drives with a short text, then sets the "hidden" attribute on those files

  • Next, the virus modifies the registry so that a VBS component is loaded at the next Windows startup -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run\
    Norton.Thar=C:\WINDOWS\SYSTEM\ZaCker.vbs

  • The component "ZaCker.vbs" contains instructions to delete all files in the Windows folder - the component also attempts to:

    • overwrite C:\AUTOEXEC.BAT with the instruction "echo y | format C:"
    • display a message "I promiss We WiLL Rule The World Again...By The Way,You Are Captured By ZaCker !!!"
    • exit Windows

  • The "Company Name" field in the file properties of WTC.exe is "ZaCker".
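The indicators above (dropped files with sizes, the Run value Norton.Thar, and the format command written to AUTOEXEC.BAT) can be turned into a host check. The script below is an added example, not part of the original analysis; it runs over a constructed snapshot of a file listing, Run-key values and AUTOEXEC.BAT text rather than reading a live system, and it matches files by name and size only, so a variant of a different size would need its own indicator.

```python
"""Host indicator checks for W32/Vote.A@mm, built from this page's analysis."""
import re

# Dropped files from the analysis: lower-cased path -> size in bytes
DROPPED_FILES = {
    r"c:\windows\mixdalal.vbs": 1370,
    r"c:\windows\wtc.exe": 55808,
    r"c:\windows\system\zacker.vbs": 653,
}
# Startup value written under HKLM\Software\Microsoft\Windows\CurrentVersion\Run
RUN_VALUE_NAME = "norton.thar"
RUN_VALUE_DATA = r"c:\windows\system\zacker.vbs"
# Destructive line ZaCker.vbs writes into C:\AUTOEXEC.BAT
FORMAT_RE = re.compile(r"echo\s+y\s*\|\s*format\s+c:", re.IGNORECASE)

def check_dropped_files(listing):
    """listing: {path: size}. Returns paths that match an indicator by name and size."""
    return [p for p, size in listing.items() if DROPPED_FILES.get(p.lower()) == size]

def check_run_key(run_values):
    """run_values: {value name: data} from the Run key. True if the persistence entry is set."""
    return any(name.lower() == RUN_VALUE_NAME and data.lower() == RUN_VALUE_DATA
               for name, data in run_values.items())

def check_autoexec(text):
    """True if AUTOEXEC.BAT carries the format command the payload writes."""
    return FORMAT_RE.search(text) is not None

def assess(listing, run_values, autoexec_text):
    """Collect every indicator that fires; an empty list means nothing matched."""
    findings = [f"dropped file: {p}" for p in check_dropped_files(listing)]
    if check_run_key(run_values):
        findings.append("persistence: Run\\Norton.Thar -> ZaCker.vbs")
    if check_autoexec(autoexec_text):
        findings.append("payload: format command in AUTOEXEC.BAT")
    return findings

if __name__ == "__main__":
    # Constructed sample host state (not a real capture)
    sample_files = {r"C:\WINDOWS\WTC.EXE": 55808, r"C:\WINDOWS\SYSTEM\ZaCker.vbs": 653,
                    r"C:\WINDOWS\notepad.exe": 53248}
    sample_run = {"Norton.Thar": r"C:\WINDOWS\SYSTEM\ZaCker.vbs", "Example": "example.exe"}
    sample_autoexec = "@ECHO OFF\r\necho y | format C:\r\n"
    for finding in assess(sample_files, sample_run, sample_autoexec):
        print(finding)
```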