Help & HowTo: Reeezak

This 'Happy New Year' worm, which spreads by email, disables keyboards and redirects Internet Explorer to a political Web site
Written by Robert Vamosi, Contributor
Just in time for the holidays, the Reeezak worm (w32.reeezak.a@mm) is spreading its political message and dangerous payload across the Internet. Also known as Keyluc, Maldal.C, and Zacker.C, this worm uses Microsoft Outlook and MSN Messenger to collect email addresses. Reeezak also deletes the Windows System directory, disables antivirus software, and redirects Internet Explorer to a political message Web site that contains malicious code designed to spread across IRC. How it works
Reeezak is a politically and holiday-themed variation of the Zacker (w32.zacker@mm) or Maldal (w32.maldal@mm) family that arrives via email with the following information. The subject line reads "Happy New Year." The message text reads "Hi I can't describe my feelings But all i can say is Happy New Year :) bye" The attached file is Christmas.exe. When a user opens Christmas.exe, it shows a typical Flash media Christmas greeting card, with Santa and one reindeer against a snowy background. Behind the scenes, Reeezak attempts to delete the Windows System directory, rendering the computer unusable unless the operating system is reinstalled or restored from backup. (Note: At least one antivirus vendor reports that Windows System files are not deleted if the user has Visual Basic 6.0 installed.) Reeezak may also disable antivirus software by deleting these associated files: Zone Labs
AntiViral Toolkit Pro
Command Software\F-PROT95
PC-Cillin 95
PC-Cillin 97
Quick Heal
McAfee VirusScan95
Norton AntiVirus
The registered name of the infected Windows computer changes to ZaCker. Reeezak may also disable the keyboard on infected computers. Reeezak attempts to redirect Internet Explorer's home page to an infected Web site displaying the following message: "Sharoon = a war crimenal
Bush supports him
Bush = a war crimenal
American people must protect their country
otherwise, their
government will lead them to the hell ! Best Regards
America Lovers
ZA-UNION" This Web page contains JavaScript that downloads an infected script called Outlook.vbs, which sends a second message to contacts listed in the Outlook address book. This secondary message reads, "subject: Very important !!! In body text, it reads, "See this page http://geocities.com/Xxxxxxx/xxx.htm," which is the infected Web page. Reeezak may also spread across networks with open network shares. Prevention
Users of Microsoft Outlook 2002 and users of Outlook 2000 who have installed the Security Update should be safe from Reeezak. Users who have not upgraded to Outlook 2002 or who have not installed the Outlook 98 Security Patch or the Outlook 2000 Security Patch should do so. In general, do not open attached files in e-mail without first saving them to hard disk and scanning them with updated antivirus software. Contact your antivirus vendor to obtain the most current antivirus signature files that include Reeezak. Removal
Almost all the antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Panda, Sophos, Symantec and Trend Micro.
Editorial standards