VBS.Zacker.C

LOW
HIGH
11035 bytes (JS) & 5922 bytes (VBS)
(N/A)

Symptoms

-a file named "rol.vbs" in the root directory of the system drive (default C:\)
-the registry key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Zacker", which stores the minute at which the infection began
-a lot of VBS files with the same names as former "lnk", "zip", "jpg", "jpeg", "mpg", "mpeg", "doc", "xls", "mdb", "txt", "ppt", "pps", "ram", "rm", "mp3", "swf" files (the original files have been deleted)
-Internet Explorer starts with "http://www.orst.edu/groups/msa/everwonder.swf" as its start page

Removal instructions:


1. Make sure that you have the latest updates using BitDefender Live!;

2. Make the following changes in the Windows registry:

Please make sure to modify only the values that are specified. It is also recommended to back up the Windows Registry before proceeding with these changes.

a) Select Run... from the Start menu, then type regedit and press Enter;
b) Delete the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Zacker



3. Perform a full scan of your system (selecting, from the Action tab, the option "Prompt user for action"). Choose to delete all the files infected with VBS.Zacker.C.

4. Restore your default Internet Explorer Start Page.

Analyzed By

Mihaela Stoian BitDefender Virus Researcher

Technical Description:

The virus is a JavaScript file (created by another virus, Win32.Rezak.A@mm) which drops and launches a VBS file named "C:\rol.vbs".

The VBS file writes the minute at which the infection started to the registry key
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Zacker"

and sets the value
"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page"

to "http://www.orst.edu/groups/msa/everwonder.swf"
so that this page is loaded whenever Internet Explorer starts.

It copies itself to a file named "zacker.vbs" in the system folder, and creates an HTML page named "DaLal.htm" with a link to "http:/ /geocities.com/jobreee/main.htm".

It deletes the folders of several antivirus and firewall products:

-Program Files\Zone Labs
-Program Files\AntiViral Toolkit Pro\*.*
-Program Files\Command Software\F-PROT95\*.*
-eSafe\Protect\*.*
-PC-Cillin 95\*.*
-PC-Cillin 97\*.*
-Program Files\Quick Heal\*.*
-Program Files\FWIN32\*.*
-Program Files\FindVirus\*.*
-Toolkit\FindVirus\*.*
-f-macro\*.*
-Program Files\McAfeeVirusScan95\*.*
-Program Files\Norton AntiVirus\*.*
-TBAVW95\*.*
-VS95\*.*
-rescue\*.*
-Program Files\Zone Labs\*.*


It creates a copy of itself for every "lnk", "zip", "jpg", "jpeg", "mpg", "mpeg", "doc", "xls", "mdb", "txt", "ppt", "pps", "ram", "rm", "mp3", "swf" file on every drive, with the same name as the original file and the extension ".vbs". It then deletes all the original files.

It appends the link "http:/ /geocities.com/jobreee/main.htm" to every "htm", "html" and "asp" file.

It modifies "ini" files so that mIRC sends the message:
"See This Site http:/ /geocities.com/jobreee/main.htm".

In some cases (if the infection of all files takes exactly 30 minutes, measured against the start minute stored in the registry key) it deletes the system folder and then displays a message box with the message:

" America will never survive till it dismisses jews from its land
jews bring disasters to any pll they live with
i dunno why they are still alive !!!
lets kill them one by one
ZaCker"

and exits Windows.
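The removal steps and the technical description above together list every host artefact this worm leaves behind. The following triage script is an added example, not Bitdefender's tool and not code from the worm's analysis: it checks a Windows host for each of those indicators and, only when -Remediate is given, removes the marker key and resets the Internet Explorer start page (the two manual registry edits from the removal steps). File clean-up is deliberately left to the antivirus scan in step 3. Assumptions, all hypothetical: Windows PowerShell 5.1 or later run from an elevated prompt; the "system folder" is taken to be %SystemRoot%\System32 (on the Windows 9x systems this worm targeted it would be %SystemRoot%\System); and because the description does not say whether the .vbs copies keep the original extension (photo.jpg.vbs) or replace it (photo.vbs), both a double extension and the worm's own strings inside any .vbs file are used as the heuristic.

```powershell
# Added triage example for the VBS.Zacker.C indicators described on this page.
# Hypothetical script, not Bitdefender's product. Requires Windows PowerShell 5.1+
# and an elevated prompt; scanning every drive may take a while.
[CmdletBinding()]
param(
    [switch]$Remediate,   # delete the marker key and reset the IE start page
    [string[]]$Drives = (Get-PSDrive -PSProvider FileSystem | ForEach-Object Root)
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Marker key written by rol.vbs (holds the minute the infection started).
$markerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\Zacker'
if (Test-Path $markerKey) {
    $findings.Add("Marker key present: $markerKey")
    if ($Remediate) { Remove-Item -Path $markerKey -Recurse -Force }
}

# 2. Hijacked Internet Explorer start page.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$startPage = (Get-ItemProperty -Path $ieMain -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
if ($startPage -and $startPage -like '*orst.edu/groups/msa/everwonder.swf*') {
    $findings.Add("IE start page hijacked: $startPage")
    if ($Remediate) { Set-ItemProperty -Path $ieMain -Name 'Start Page' -Value 'about:blank' }
}

# 3. Dropped files named in the description. System32 is an assumption (see lead-in).
$dropped = @(
    (Join-Path $env:SystemDrive 'rol.vbs'),
    (Join-Path $env:SystemRoot 'System32\zacker.vbs')
)
foreach ($path in $dropped) {
    if (Test-Path $path) { $findings.Add("Dropped file: $path") }
}

# 4. Data files replaced by same-named .vbs copies. Flag a double extension
#    (photo.jpg.vbs) or any .vbs whose body carries the worm's own strings;
#    the string list is a heuristic drawn from the description, not a signature.
$exts = 'lnk','zip','jpg','jpeg','mpg','mpeg','doc','xls','mdb','txt','ppt','pps','ram','rm','mp3','swf'
$doubleExt   = '\.(' + ($exts -join '|') + ')\.vbs$'
$wormStrings = 'jobreee|everwonder\.swf|Zacker'
Get-ChildItem -Path $Drives -Recurse -File -Filter '*.vbs' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hit = $_.Name -match $doubleExt
        if (-not $hit) {
            $hit = Select-String -Path $_.FullName -Pattern $wormStrings -Quiet -ErrorAction SilentlyContinue
        }
        if ($hit) { $findings.Add("Worm copy: $($_.FullName)") }
    }

# 5. Web pages with the appended link, the DaLal.htm drop, and mIRC .ini tampering.
Get-ChildItem -Path $Drives -Recurse -File -Include '*.htm','*.html','*.asp','*.ini' -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Name -ieq 'DaLal.htm') {
            $findings.Add("Dropped page: $($_.FullName)")
        }
        elseif (Select-String -Path $_.FullName -Pattern 'geocities\.com/jobreee|See This Site' -Quiet -ErrorAction SilentlyContinue) {
            $findings.Add("Tampered file: $($_.FullName)")
        }
    }

if ($findings.Count -eq 0) { 'No VBS.Zacker.C indicators found.' } else { $findings }
```

Run it once without -Remediate to get the inventory, take a registry export and copies of any flagged files for the incident record, then run the antivirus scan from step 3 and finish with -Remediate. The original data files are deleted by the worm, so a "Worm copy" hit means the corresponding document is gone and must come from backup; the script does not attempt to recover it.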