W32/Vote.A@mm
Threat risk: low
Detection files published: 25 Sep 2001
Description created: 2001-09-26
Description updated: 2001-09-26
Alias:
Spreading mechanism:
Payload:
Spreading description
Email characteristics:
Subject: Fwd:Peace BeTweeN AmeriCa And IsLaM !
Body: Hi
iS iT A waR Against AmeriCa Or IsLaM !?
Let's Vote To Live in Peace!
Attachment: wtc.exe
Threat description
MixDaLaL.vbs searches all local and network drives for *.HTM and *.HTML files and overwrites each of them with the text: "AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You."
Wtc.exe will create a registry key to load ZaCker.vbs at the next Windows Startup. ZaCker.vbs will delete the folder c:\windows then display a message box with the text:
"I promiss We WiLL Rule The World Again...By The Way,You Are Captured By ZaCker !!!"
When this is done it will try to add a format C: command to autoexec.bat.
Wtc.exe will also try to disable several anti-virus programs by deleting folders that those programs typically use.
Removal
If you are infected with this worm, it is important that you do NOT restart the computer before you have deleted all infected files and removed the format c: command from the autoexec.bat file.
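The checks this removal step implies can be scripted against a copy of the affected disk. The following is an added example, not Norman's tooling: it flags format commands aimed at C: in AUTOEXEC.BAT text, produces a cleaned copy, and lists HTM/HTML files carrying the overwrite text quoted above. The function names, the sample file and the exact form of the format line are assumptions, since the description does not give them.

```python
import re
from pathlib import Path

# Marker taken from the overwrite text quoted in the threat description.
DEFACE_MARKER = "ZaCkEr is So Sorry For You"

# Constructed sample AUTOEXEC.BAT (the real injected line is not shown on the page).
SAMPLE_AUTOEXEC = (
    "@ECHO OFF\r\n"
    "SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n"
    "REM format c: is mentioned here only in a comment\r\n"
    "echo y|format c: /q\r\n"
)

# "format" must be the command word (optionally after "@", an "echo y |" pipe,
# or a path such as C:\WINDOWS\COMMAND\) and its target must be drive C:.
# Text that merely mentions the words, e.g. inside an ECHO, does not match.
FORMAT_C = re.compile(
    r"^\s*@?\s*(?:echo\s+\S+\s*\|\s*)?(?:[a-z]:)?(?:[\\\w.]*\\)?format(?:\.com)?\s+c:",
    re.IGNORECASE)

def find_format_lines(autoexec_text):
    """Return (line_number, line) for each line that would format C:."""
    hits = []
    for no, line in enumerate(autoexec_text.splitlines(), 1):
        if re.match(r"\s*@?\s*rem\b", line, re.IGNORECASE):
            continue  # REM lines are comments and never execute
        if FORMAT_C.search(line):
            hits.append((no, line.strip()))
    return hits

def strip_format_lines(autoexec_text):
    """Return the file content with the flagged lines removed (DOS line endings)."""
    bad = {no for no, _ in find_format_lines(autoexec_text)}
    kept = [l for no, l in enumerate(autoexec_text.splitlines(), 1) if no not in bad]
    return "\r\n".join(kept) + "\r\n"

def find_overwritten_pages(root):
    """Return sorted paths of .htm/.html files under root containing the marker."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".htm", ".html"):
            text = path.read_text(errors="replace")
            if DEFACE_MARKER.lower() in text.lower():
                hits.append(path)
    return sorted(hits)
```

Run it from a clean system against the mounted or copied drive, so the affected machine is not restarted before autoexec.bat has been cleaned.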
General information about removal of malicious software
Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.
| Usage | Title | Comment |
|---|---|---|
| Blocking viruses that infect network shares | | |
| Cleaning of back-up folders on Windows Me and XP | | |
