W32/Vote.A@mm

Analysis

  • The virus is a 32-bit executable with a file size of 55,808 bytes
  • The virus was written in Visual Basic 6 and requires the VB6 runtime files to be present on the host in order to execute and be a threat
  • If run on a host system, the virus may send itself as a single message to each contact listed in the Outlook Address Book, in this format -

    Subject = Fwd:Peace BeTweeN AmeriCa And IsLaM !
    Body =
    Hi
    iS iT A waR Against AmeriCa Or IsLaM !?
    Let's Vote To Live in Peace!
    Attachment = WTC.exe

  • Virus creates several files on the local system -

    C:\Windows\MixDaLaL.vbs - 1370 bytes
    C:\Windows\WTC.exe - 55808 bytes
    C:\Windows\System\ZaCker.vbs - 653 bytes

  • The virus launches the file "MixDaLaL.vbs" - this VBScript component replaces the contents of all .HTM and .HTML files on all drives with a short text string, then sets the attribute of those files to "hidden"

  • Next, the virus will modify the registry to load a VBS component at next Windows startup -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run\
    Norton.Thar=C:\WINDOWS\SYSTEM\ZaCker.vbs

  • The component "ZaCker.vbs" contains instructions to delete all files in the Windows folder - the component also attempts to:

    • overwrite C:\AUTOEXEC.BAT with the instruction "echo y | format C:"
    • display a message "I promiss We WiLL Rule The World Again...By The Way,You Are Captured By ZaCker !!!"
    • exit Windows

  • The "Company Name" field in the file properties of WTC.exe is "ZaCker".

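The dropped files, the Run-key value and the e-mail format listed above are the observable indicators a responder would check for. The following Python is an added example written for this page, not Fortinet's detection logic or any code from the virus: it checks a host snapshot (a dictionary of file paths and sizes, the HKLM Run values, and the AUTOEXEC.BAT text; the snapshot format and the function names `scan_host`, `scan_mail` and `build_sample_mail` are assumptions of the example) and a raw e-mail against those indicators. All sample inputs are constructed inline so it runs offline.

```python
"""Indicator checks for W32/Vote.A@mm derived from the analysis above.
Added example; snapshot structures and helper names are assumptions."""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the analysis (lower-cased for comparison).
DROPPED_FILES = {            # path -> expected size in bytes
    r"c:\windows\mixdalal.vbs": 1370,
    r"c:\windows\wtc.exe": 55808,
    r"c:\windows\system\zacker.vbs": 653,
}
RUN_VALUE_NAME = "norton.thar"
RUN_VALUE_DATA = r"c:\windows\system\zacker.vbs"
MAIL_SUBJECT = "fwd:peace between america and islam !"
MAIL_ATTACHMENT = "wtc.exe"
AUTOEXEC_MARKER = "echo y | format c:"


def scan_host(files, run_values, autoexec_text=""):
    """files: {path: size}; run_values: {name: data} collected from
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
    Returns a list of findings; an empty list means no indicator matched."""
    findings = []
    present = {path.lower(): size for path, size in files.items()}
    for path, expected in DROPPED_FILES.items():
        if path in present:
            # Name match with a different size is still worth reporting.
            note = "" if present[path] == expected else f" (size {present[path]}, expected {expected})"
            findings.append(f"dropped file: {path}{note}")
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME or data.lower() == RUN_VALUE_DATA:
            findings.append(f"run key persistence: {name}={data}")
    if AUTOEXEC_MARKER in autoexec_text.lower():
        findings.append("autoexec.bat overwritten with format instruction")
    return findings


def scan_mail(raw):
    """raw: the message as bytes, e.g. from a mail gateway spool.
    Returns the indicator hits found in the subject and attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["subject"] or "").strip().lower()
    if subject == MAIL_SUBJECT:
        hits.append("subject matches")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == MAIL_ATTACHMENT:
            hits.append("attachment WTC.exe")
        elif name.endswith(".exe"):
            hits.append(f"executable attachment {name}")
    return hits


def build_sample_mail():
    """Constructed sample message in the format the analysis describes."""
    msg = EmailMessage()
    msg["From"] = "user@example.invalid"
    msg["To"] = "contact@example.invalid"
    msg["Subject"] = "Fwd:Peace BeTweeN AmeriCa And IsLaM !"
    msg.set_content("Hi\niS iT A waR Against AmeriCa Or IsLaM !?\nLet's Vote To Live in Peace!\n")
    # Placeholder attachment body: a PE header stub, not the real file.
    msg.add_attachment(b"MZ" + b"\0" * 62, maintype="application",
                       subtype="octet-stream", filename="WTC.exe")
    return msg.as_bytes()


# Constructed host snapshot reflecting an infected system.
SAMPLE_FILES = {
    r"C:\Windows\MixDaLaL.vbs": 1370,
    r"C:\Windows\WTC.exe": 55808,
    r"C:\Windows\System\ZaCker.vbs": 653,
    r"C:\Windows\notepad.exe": 52000,      # benign file, must not match
}
SAMPLE_RUN = {"Norton.Thar": r"C:\WINDOWS\SYSTEM\ZaCker.vbs"}
SAMPLE_AUTOEXEC = "echo y | format C:\n"

if __name__ == "__main__":
    for line in scan_host(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_AUTOEXEC):
        print("HOST:", line)
    for line in scan_mail(build_sample_mail()):
        print("MAIL:", line)
```

The host check matches on either the Run value name or its data, because an operator who renames only one of them would otherwise slip past; the mail check reports any .exe attachment separately so the gateway policy can block executables even when the subject differs.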
Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR