Removing the worm
Because of the complexity of this worm and the number of other viruses that may have been downloaded from the infected website, it is strongly recommended that up-to-date antivirus software be used to identify and remove affected files. For those who wish to proceed with manual removal, the relevant files, their locations, and the necessary registry edits are listed below:
Registry Edits
Edit the Registry and remove the value Zacker = C:\windows\Christmas.exe from the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Edit the Registry and correct the ComputerName entry under the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName, which the worm changes to Zacker, so that the proper computer name is displayed.
Edit the Registry and correct the Start Page value under the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main so that it points to the desired Internet Explorer start page and not to the infected geocities site.
Infected Files
The worm's various components drop the following files on the system:
christmas.exe
outlook.vbs
zacker.vbs
rol.vbs
dalal.htm
dallah.htm
server.vbs
Christmas.exe will be found in C:\Windows, and server.vbs at the root of any mapped drives. The remaining files will be found in C:\Windows\System.
The worm also appends the contents of dalal.htm to any files found with .asp, .htm, or .html extensions and, according to F-Secure, deletes any files with the extensions ".lnk", ".zip", ".jpg", ".jpeg", ".mpg", ".mpeg", ".doc", ".xls", ".mdb", ".txt", ".ppt", ".pps", ".ram", ".rm", ".mp3" and ".swf". After deleting a file, it creates a copy of itself under the original file's full name with ".vbs" appended (for example, report.doc becomes report.doc.vbs). Because the originals are deleted rather than renamed, removing these .vbs copies does not recover the data; affected files must be restored from backup. The mIRC configuration file, mirc.ini, is also replaced by the worm, so that users joining a channel inhabited by an infected user are also sent the URL of the website.
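The registry and file checks above, turned into a find-only triage script. This is an added example written for this page, not code from the article or from any antivirus vendor. It assumes Python 3 and a suspect drive reachable as a directory path (for instance a mounted disk image). The dropped-file names, the deleted-extension list, the "<name>.<ext>.vbs" companion pattern and the Run and Start Page registry locations come from the text above; the ComputerName\ComputerName subkey and the "geocities" substring test are assumptions. The directory it scans is constructed inline from harmless placeholder bytes, so the file scan runs offline on any platform, and the registry check only runs on Windows.

```python
import os
import sys
import tempfile

# Filenames the article lists as dropped by the worm (matched case-insensitively).
DROPPED_FILES = {"christmas.exe", "outlook.vbs", "zacker.vbs", "rol.vbs",
                 "dalal.htm", "dallah.htm", "server.vbs"}
# Extensions the worm deletes, leaving a copy of itself named "<name>.<ext>.vbs".
TARGET_EXTS = {".lnk", ".zip", ".jpg", ".jpeg", ".mpg", ".mpeg", ".doc", ".xls",
               ".mdb", ".txt", ".ppt", ".pps", ".ram", ".rm", ".mp3", ".swf"}
# Web files the worm appends the contents of dalal.htm to.
WEB_EXTS = {".asp", ".htm", ".html"}


def is_companion_copy(name):
    """True for names like report.doc.vbs: the .vbs copy left where a target was deleted."""
    lower = name.lower()
    return lower.endswith(".vbs") and os.path.splitext(lower[:-4])[1] in TARGET_EXTS


def scan_tree(root, payload=None):
    """Walk root and collect the worm's file indicators; payload is the content of
    dalal.htm (if a copy is available), used to spot web files it was appended to."""
    findings = {"dropped": [], "companions": [], "appended": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in DROPPED_FILES:
                findings["dropped"].append(path)
            elif is_companion_copy(name):
                findings["companions"].append(path)
            elif payload and os.path.splitext(lower)[1] in WEB_EXTS:
                # Compare only the tail of the file with the payload bytes.
                with open(path, "rb") as f:
                    f.seek(max(os.path.getsize(path) - len(payload), 0))
                    if f.read() == payload:
                        findings["appended"].append(path)
    return findings


def check_registry():
    """Windows only: return (subkey, value, data) for each of the article's three
    registry entries that looks infected; [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    # Run value and Start Page locations are from the article; the
    # ComputerName\ComputerName subkey and the "geocities" test are assumptions.
    checks = [
        (winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
         "Zacker", lambda d: True),
        (winreg.HKEY_LOCAL_MACHINE,
         r"SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName",
         "ComputerName", lambda d: str(d).lower() == "zacker"),
        (winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Internet Explorer\Main",
         "Start Page", lambda d: "geocities" in str(d).lower()),
    ]
    hits = []
    for hive, subkey, value, suspicious in checks:
        try:
            with winreg.OpenKey(hive, subkey) as key:
                data, _ = winreg.QueryValueEx(key, value)
        except OSError:
            continue  # key or value absent: nothing to clean here
        if suspicious(data):
            hits.append((subkey, value, data))
    return hits


def build_sample_tree():
    """Constructed sample data: a harmless layout mimicking an infected host."""
    root = tempfile.mkdtemp(prefix="zacker_demo_")
    payload = b"<!-- stand-in for the contents of dalal.htm -->\n"
    layout = {
        "WINDOWS/Christmas.exe": b"placeholder, not a real binary",
        "WINDOWS/SYSTEM/zacker.vbs": b"' placeholder",
        "WINDOWS/SYSTEM/dalal.htm": payload,
        "My Documents/report.doc.vbs": b"' copy left where report.doc was deleted",
        "My Documents/index.htm": b"<html>site</html>\n" + payload,
        "My Documents/about.html": b"<html>untouched</html>\n",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root, payload


if __name__ == "__main__":
    sample_root, dalal = build_sample_tree()
    for kind, paths in scan_tree(sample_root, dalal).items():
        for p in paths:
            print(f"{kind:10s} {p}")
    for hit in check_registry():
        print("registry   %s\\%s = %r" % hit)
```

The script reports and deletes nothing: on a real host, point scan_tree at the drive root (and pass the bytes of the system's own dalal.htm as payload) to get the list of dropped files, companion copies and altered web pages, then remove or restore them and make the registry edits by hand as listed above. Companion copies are worth recording before deletion, since each one names a file that the worm destroyed.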