Trojan Makes Travesty of Tragedy
Social engineering schmucks create WTC Trojan
Imagine a virus writer with no conscience and a really sick imagination. The mass-mailing email worm, Vote.A, is the viral product of just such a person. Pretending to be a means to vote for peace between Islam and America, the worm arrives in email with the subject line:
Peace BeTweeN AmeriCa and IsLaM!
and body text that reads:
Hi iS iT A waR Against AmeriCa Or IsLaM !? Let's Vote To Live in Peace!
The attachment, WTC.EXE, carries a malicious payload capable of deleting system files and reformatting the hard drive. The worm also attempts deletion of antivirus programs installed in default locations.
When executed, the Vote.A worm drops two files on the system: ZaCker.vbs is placed in the Windows directory and MixDaLaL.vbs is placed in the Windows\System folder. Vote.A also attempts to download a backdoor access Trojan that, if successful, could grant an unsavory third party the same access rights as the legitimate user. According to antivirus vendor Symantec, the MixDaLaL.vbs file is responsible for seeking out files with the extensions .htm or .html and overwriting them with the message:
AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You
The system registry is modified to call ZaCker.vbs at the next system startup, at which time the worm attempts to delete all files in the Windows directory. It also overwrites the Autoexec.bat file, adding the command to reformat the hard drive. On Windows systems that invoke the Autoexec.bat file on startup, the subsequent boot up after this modification would result in the drive being reformatted. Finally, the worm displays the following dialog:
[Screenshot of the worm's dialog box; graphic courtesy of Symantec]
Manual Removal
Do not reboot the system until the following steps have been taken:
1. Modify the system registry to remove the subkey:
Norton.Thar C:\Windows\System\ZaCker.vbs
from the registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
2. Modify the autoexec.bat file to remove the line
echo Y | format C
3. Delete the following files:
Windows\ZaCker.vbs
Windows\System\MixDaLaL.vbs
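As an added example (not part of the original article or of any Symantec tool), the following Python helper checks the three indicators from the removal steps above against data an administrator has already collected, and strips only the worm's format line from autoexec.bat so the cleaned file can be written back before any reboot. The sample Run values, autoexec.bat contents and file list are constructed; reading them from the live system is assumed to be done by the caller.

```python
import re
from typing import Dict, Iterable, List

# Indicators as listed in the removal steps above.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Norton.Thar"
DROPPED_FILES = (r"Windows\ZaCker.vbs", r"Windows\System\MixDaLaL.vbs")
# Matches "echo Y | format C" regardless of case/spacing, with or without a trailing colon.
FORMAT_LINE = re.compile(r"^\s*echo\s+y\s*\|\s*format\s+[a-z]:?\s*$", re.IGNORECASE)


def _norm(path: str) -> str:
    """Lower-case, backslash-only, drive letter and leading separator removed."""
    p = path.replace("/", "\\").lower()
    if len(p) > 2 and p[1] == ":":
        p = p[2:]
    return p.lstrip("\\")


def find_indicators(run_values: Dict[str, str], autoexec_text: str,
                    present_files: Iterable[str]) -> List[str]:
    """Return one finding per matched indicator; an empty list means none were found."""
    findings = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME.lower() or "zacker.vbs" in data.lower():
            findings.append(f"{RUN_KEY} value {name!r} -> {data!r}")
    for line in autoexec_text.splitlines():
        if FORMAT_LINE.match(line):
            findings.append(f"autoexec.bat format line: {line.strip()!r}")
    wanted = {_norm(p) for p in DROPPED_FILES}
    for path in present_files:
        if _norm(path) in wanted:
            findings.append(f"dropped file present: {path}")
    return findings


def clean_autoexec(autoexec_text: str) -> str:
    """Remove only the worm's format line; every other line is kept unchanged."""
    kept = [l for l in autoexec_text.splitlines() if not FORMAT_LINE.match(l)]
    return "\n".join(kept) + ("\n" if autoexec_text.endswith("\n") else "")


# Constructed sample data standing in for values read from an infected machine.
SAMPLE_RUN_VALUES = {"Norton.Thar": r"C:\Windows\System\ZaCker.vbs"}
SAMPLE_AUTOEXEC = "@ECHO OFF\nSET PATH=C:\\WINDOWS\necho Y | format C\n"
SAMPLE_FILES = [r"C:\Windows\ZaCker.vbs", r"C:\Windows\win.com"]


def demo() -> List[str]:
    return find_indicators(SAMPLE_RUN_VALUES, SAMPLE_AUTOEXEC, SAMPLE_FILES)


if __name__ == "__main__":
    for f in demo():
        print(f)
    print(clean_autoexec(SAMPLE_AUTOEXEC), end="")
```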
Prevention
Even in the best of times, email attachments should be viewed with suspicion. Given current world events, blocking of all executable-type attachments is a reasonable and prudent precaution. Additionally, antivirus software should be updated as often as the vendor makes updates available.