| The Vote virus (W32.Vote.A@mm) sends itself to every address in
the user's Microsoft Outlook address book. It also attempts to delete
Windows directory files and/or reformat the infected user's hard
drive. At present Vote is not spreading very fast.
W32/Vote@MM is a mass-mailing worm which can delete system files. It
arrives with an email message containing the following information:
Subject: Fwd:Peace BeTweeN AmeriCa And IsLaM !
Body:
Hi
iS iT A waR Against AmeriCa Or IsLaM !?
Let's Vote To Live in Peace!
Attachment: WTC.EXE
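
A mail filter can match the message fields listed above. The following is an added example, not part of the original advisory: the function name, the sample addresses and the placeholder attachment bytes are constructed for illustration, and only the subject, body and attachment strings come from the advisory.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the advisory text; matching is case-insensitive
# because the worm's strings use irregular capitalisation.
SUBJECT_MARKER = "peace between america and islam"
BODY_MARKER = "let's vote to live in peace"
ATTACHMENT_NAME = "wtc.exe"


def vote_worm_indicators(raw_message: bytes) -> list:
    """Return which advisory indicators appear in one raw e-mail message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    # Collapse whitespace so header folding does not hide the subject text.
    subject = " ".join(str(msg.get("Subject", "")).lower().split())
    if SUBJECT_MARKER in subject:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_MARKER in body.get_content().lower():
        hits.append("body")
    # Check every MIME part, since the attachment may be nested.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.strip().lower() == ATTACHMENT_NAME:
            hits.append("attachment")
            break
    return hits


def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Construct a test message; the payload is inert placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample("Fwd:Peace BeTweeN AmeriCa And IsLaM !",
                          "Hi\niS iT A waR Against AmeriCa Or IsLaM !?\n"
                          "Let's Vote To Live in Peace!\n", "WTC.EXE")
    print(vote_worm_indicators(sample))
```
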
When the attachment is run, two VBScript files are created,
MixDaLaL.vbs and ZaCker.vbs. MixDaLaL.vbs is saved to the WINDOWS
directory and run immediately. It overwrites all .HTM and .HTML files on
all fixed and network drives with the text:
AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn
>>> ZaCkEr is So Sorry For You .
The hidden file attribute is also set on these files.
ZaCker.vbs is created in the WINDOWS SYSTEM directory and a registry
key is created to run this file at startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Norton.Thar=C:\WINDOWS\SYSTEM\ZaCker.vbs
ZaCker.vbs contains instructions to delete all files in the WINDOWS
directory, add a FORMAT C: command to the AUTOEXEC.BAT file (this action
fails), display a message box containing the text "I promiss We
WiLL Rule The World Again...By The Way,You Are Captured By ZaCker
!!!", and exit Windows (this fails as well).

The main executable attempts to delete anti-virus software from
specific directories. It also tried to download a trojan, detected as
PWS-CT with the 4088 DATs and greater, from a Yahoo user's site.
|