
VBS.Zacker.C


First posted on 21 November 2011.
Source: BitDefender

Aliases :

VBS.Zacker.C is also known as N/A.

Explanation :

The virus is a JavaScript file (created by another virus, Win32.Rezak.A@mm) which drops and launches a VBS file named "C:
ol.vbs".

The VBS file writes to the registry, in the key
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windowsacker",
which stores the minute of the infection, and in the key
"HKEY_CURRENT_USER\software\microsoft\internet Explorer\main\start Page"
with the value "http://www.orst.edu/groups/msa/everwonder.swf",
in order to load that web page when Internet Explorer starts.

It copies itself to a file named "zacker.vbs" in the system folder. It creates an HTML page named "DaLal.htm" with a link to "http:/ /geocities.com/jobreee/main.htm".

It deletes the folders of some antivirus products:

-Program Files\Zone Labs
-Program Files\AntiViral Toolkit Pro\*.*
-Program Files\Command Software\F-PROT95\*.*
-eSafe\Protect\*.*
-PC-Cillin 95\*.*
-PC-Cillin 97\*.*
-Program Files\Quick Heal\*.*
-Program Files\FWIN32\*.*
-Program Files\FindVirus\*.*
-Toolkit\FindVirus\*.*
-f-macro\*.*
-Program Files\McAfee\VirusScan95\*.*
-Program Files\Norton AntiVirus\*.*
-TBAVW95\*.*
-VS95\*.*
-rescue\*.*
-Program Files\Zone Labs\*.*

It creates a copy of itself for every "lnk", "zip", "jpg", "jpeg", "mpg", "mpeg", "doc", "xls", "mdb", "txt", "ppt", "pps", "ram", "rm", "mp3", "mdb", "swf" file on every drive, with the same name as the file and the extension ".vbs". Then it deletes all these files.

It appends to every "htm", "html" and "asp" file the link
"http:/ /geocities.com/jobreee/main.htm".

It infects "ini" files in order to send through mIRC the message:
"See This Site http:/ /geocities.com/jobreee/main.htm" .
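
A defender-side check for the file indicators described above (the dropped names "zacker.vbs" and "DaLal.htm", the link appended to htm/html/asp files, and the message written to ini files), as an added example that is not part of the BitDefender description. The function names, reason strings and sample tree are assumptions made here, and the link is matched without its scheme.

```python
import os
import tempfile

# Indicators from the description above; the link is matched without its scheme.
LINK = b"geocities.com/jobreee/main.htm"
DROPPED_NAMES = {"zacker.vbs", "dalal.htm"}
WEB_EXTS = {".htm", ".html", ".asp"}

def scan_tree(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if name.lower() in DROPPED_NAMES:
                findings.append((rel, "dropped file name"))
            if ext not in WEB_EXTS and ext != ".ini":
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read().lower()
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            if LINK in data:
                reason = "message in ini file" if ext == ".ini" else "appended link"
                findings.append((rel, reason))
    return sorted(findings)

def demo():
    """Scan a small constructed tree (placeholder files, no malware code)."""
    samples = {
        "site/index.html": b"<html>ok</html>\n<a href=\"http://" + LINK + b"\">x</a>",
        "site/clean.html": b"<html>ok</html>",
        "mirc/script.ini": b"See This Site http://" + LINK,
        "system/zacker.vbs": b"' constructed placeholder",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A file such as "DaLal.htm" that both carries a dropped name and contains the link is reported once for each reason.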

In some cases (if the infection of all files takes exactly 30 minutes) it deletes the system folder and then displays a message box with the message:

" America will never survive till it dismisses jews from its land
jews bring disasters to any pll they live with
i dunno why they are still alive !!!
lets kill them one by one
ZaCker"

and exits Windows.

Last update 21 November 2011
