Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: MEDIUM
Payload:
Detection files published: 24 Sep 2001 03:00:00
Description created: 25 Sep 2001 03:00:00
Description updated: 25 Sep 2001 03:00:00
Malware type: WORM
Alias:
Spreading mechanism: EMAIL
Summary: None

W32/Vote.A@mm

Spreading

When the file wtc.exe is executed, it drops two VBS scripts. One script is dropped to the Windows folder, usually C:\Windows (Win9x/Me) or C:\Winnt (WinNT/2000), with the name MixDaLaL.vbs. The other is dropped to the Windows system folder, usually C:\Windows\System (Win9x/Me) or C:\Winnt\System (WinNT/2000), with the name ZaCker.vbs.

Payload Details

MixDaLaL.vbs searches through all local drives and network drives for *.HTM and *.HTML files and will overwrite all these files with the text: "AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You."

Wtc.exe will create a registry key to load ZaCker.vbs at the next Windows startup. ZaCker.vbs will delete the folder c:\windows, then display a message box with the text: "I promiss We WiLL Rule The World Again...By The Way,You Are Captured By ZaCker !!!" When this is done it will try to add a format C: command to autoexec.bat.

Wtc.exe will also try to disable several anti-virus programs by deleting some specific folders that are typically used by some anti-virus programs.

Analysis

n/a

Removal

If you are infected with this worm it is important that you do NOT restart the computer before you have deleted all infected files and removed the format c: command from the autoexec.bat file.
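
The check below is an added example, not part of the original description or any vendor tool: it inspects an offline-mounted copy of the system volume for the two dropped scripts and for a format C: line in autoexec.bat, so the machine never has to be booted. The function names and the mounted-volume approach are assumptions; only the file names and folders come from the text above.

```python
import re
from pathlib import Path

# File names and folders are taken from the description above; the rest
# (function names, offline-mount workflow) is assumed for this example.
DROPPED = {
    "MixDaLaL.vbs": ["Windows", "Winnt"],
    "ZaCker.vbs": ["Windows/System", "Winnt/System"],
}
# FORMAT invoked on drive C: anywhere in a line, e.g. "echo y | format c:".
FORMAT_C = re.compile(r"\bformat(?:\.com|\.exe)?\s+(?:/\S+\s+)*c:", re.I)
# Lines that are commented out in a batch file (REM or ::).
COMMENT = re.compile(r"^\s*@?\s*(?:rem\b|::)", re.I)


def find_ci(base: Path, rel: str):
    """Resolve rel under base ignoring case (FAT names vary when mounted)."""
    cur = base
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        match = [p for p in cur.iterdir() if p.name.lower() == part.lower()]
        if not match:
            return None
        cur = match[0]
    return cur


def scan_volume(root):
    """Return (dropped script paths, [(line_no, text)] of format C: lines)."""
    root = Path(root)
    scripts = []
    for name, folders in DROPPED.items():
        for folder in folders:
            hit = find_ci(root, f"{folder}/{name}")
            if hit and hit.is_file():
                scripts.append(hit)
    format_lines = []
    autoexec = find_ci(root, "autoexec.bat")
    if autoexec and autoexec.is_file():
        text = autoexec.read_text(encoding="cp437", errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            if FORMAT_C.search(line) and not COMMENT.match(line):
                format_lines.append((no, line.strip()))
    return scripts, format_lines
```

Every reported autoexec.bat line should be reviewed before deletion, since the pattern also matches a legitimate line that merely mentions formatting C:.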


Last Updated: 12 Nov 2015 11:06:10