|The worm uses standard Windows Mail API to access the user's address book. This affects users of MAPI compatible e-mail clients, mainly Microsoft Outlook.
The e-mails sent by the worm look like this:
Subject: Fwd:Peace BeTween AmeriCa and IsLaM !
iS iT waR Against AmeriCa Or IsLaM !?
Let's Vote To Live in Peace!
The following files are deleted from the hard drive:
'C:\Program Files\AntiViral Toolkit Pro\*.*'
'C:\Program Files\Command Software\F-PROT95\*.*'
'C:\Program Files\Quick Heal\*.*'
'C:\Program Files\Norton AntiVirus\*.*'
This way it tries to disable several anti-virus programs.
The worm opens up two Internet Explorer windows. One is a faked voting booth. The other one tries to download a trojan called Barrio 5.0. The Internet Explorer start page is set to this one.
Barrio trojan is mainly designed for collecting and sending passwords from the victim machine. It can collect dial-up passwords, ICQ UIN and password, etc. and send them to a pre-defined e-mail address.
'[windows_dir]\MixDaLaL.vbs' is a Visual Basic Script that searches trough all the available fixed and network drives for .HTM and .HTML files. The content of all these files is replaced with this text:
'AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn
>>> ZaCkEr is So Sorry For You .'
'ZaCker.vbs' is dropped to the windows system directory and added to the registry as:
so it will be started after the next reboot.
After this it modifies the autoexec.bat so that it would format c: drive after the next reboot. This part of the script is broken so autoexec.bat will be empty. It tries to reboot the system that will not happen since the program called for reboot was just deleted.
'[windows_dir]\WTC.exe' - worm binary
'[windows_dir]\MixDaLaL.vbs' - HTML destroyer script
'[system_dir]\ZaCker.vbs' - payload (disk eraser)
Added registry key: