FRISK Software International


Summary of W32/Vote@mm
Alias: WTC, Vote, I-Worm.Vote
Length: size in bytes
Discovered: 24 Sep 2001
Definition files: 24 Sep 2001
 

Brief Description
Vote is a simple Visual Basic virus which uses the WTC tragedy as a lure to get people to execute it. It spreads further via e-mail as a mass mailer.


Technical Description
The worm uses the standard Windows Messaging API (MAPI) to access the user's address book. This affects users of MAPI-compatible e-mail clients, mainly Microsoft Outlook.

The e-mails sent by the worm look like this:

 From: name-of-the-infected-user
 To: random-name-from-address-book
 Subject: Fwd:Peace BeTween AmeriCa and IsLaM !

 Hi
 iS iT waR Against AmeriCa Or IsLaM !?
 Let's Vote To Live in Peace!

 Attachment: WTC.exe

The following files are deleted from the hard drive:

 'C:\Program Files\AntiViral Toolkit Pro\*.*'
 'C:\eSafe\Protect\*.*'
 'C:\Program Files\Command Software\F-PROT95\*.*'
 'C:\PC-Cillin 95\*.*'
 'C:\PC-Cillin 97\*.*'
 'C:\Program Files\Quick Heal\*.*'
 'C:\Program Files\FWIN32\*.*'
 'C:\Program Files\FindVirus\*.*'
 'C:\Toolkit\FindVirus\*.*'
 'C:\f-macro\*.*'
 'C:\Program Files\McAfee\VirusScan95\*.*'
 'C:\Program Files\Norton AntiVirus\*.*'
 'C:\TBAVW95\*.*'
 'C:\VS95\*.*'

In this way it tries to disable several anti-virus programs by deleting their installation directories.

Trojan installation

The worm opens two Internet Explorer windows. One shows a faked voting booth. The other tries to download a trojan called Barrio 5.0, and the Internet Explorer start page is set to this download page.

The Barrio trojan is designed mainly for collecting passwords from the victim machine and sending them out. It can collect dial-up passwords, the ICQ UIN and password, etc., and send them to a pre-defined e-mail address.

Script Components

'[windows_dir]\MixDaLaL.vbs' is a Visual Basic Script that searches through all available fixed and network drives for .HTM and .HTML files. The content of every such file is replaced with this text:

 'AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn
 >>> ZaCkEr is So Sorry For You .'

'ZaCker.vbs' is dropped into the Windows system directory and added to the registry as:

 '[HKLM]\Software\Microsoft\Windows\CurrentVersion\run\Norton.Thar'

so that it is started after the next reboot.

It then modifies autoexec.bat so that the C: drive would be formatted at the next reboot. This part of the script is broken, so autoexec.bat is left empty. Finally it tries to reboot the system, which does not happen either, because the program it calls to perform the reboot has just been deleted.

Dropped files:

 '[windows_dir]\WTC.exe' - worm binary
 '[windows_dir]\MixDaLaL.vbs' - HTML destroyer script
 '[system_dir]\ZaCker.vbs' - payload (disk eraser)

Added registry key:

 '[HKLM]\Software\Microsoft\Windows\CurrentVersion\run\Norton.Thar'


Removal Instructions
If the worm has been activated even once, the system must not be restarted before it has been cleaned up properly; otherwise the payload will be triggered at reboot.

All the dropped files and added registry keys must be removed.

If the original Vote variant was run, any affected anti-virus application (whose files Vote tries to delete) must be reinstalled.

All destroyed .HTML and .HTM files must be restored from backups.
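The removal steps above (find the dropped files, the Run key and the overwritten HTML files; do not reboot until cleaned) are easy to get wrong by hand on a machine with many pages. The following read-only triage script is an added example, not part of the original F-Prot description or its tooling. It reports the indicators listed in this description and deletes nothing, so an analyst can clean the machine deliberately before the first reboot. Assumptions: the defacement text is matched after whitespace normalisation, since the exact line breaks written by MixDaLaL.vbs are not given; the Windows and system directory locations are taken from the caller (the default of WINDIR\System32 is a guess for modern hosts; Windows 9x used Windows\System); the sample tree built by `build_sample_tree` is constructed here for demonstration.

```python
"""Read-only triage for the W32/Vote@mm indicators (added example, not F-Prot's code)."""
from __future__ import annotations

import os
import sys
import tempfile
from pathlib import Path
from typing import Optional

# Text written over every .HTM/.HTML file by MixDaLaL.vbs, as quoted in the description.
DEFACEMENT_TEXT = (
    "AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn\n"
    ">>> ZaCkEr is So Sorry For You ."
)

# Dropped files, keyed by the placeholder directory names the description uses.
DROPPED_FILES = [
    ("[windows_dir]", "WTC.exe"),       # worm binary
    ("[windows_dir]", "MixDaLaL.vbs"),  # HTML destroyer script
    ("[system_dir]", "ZaCker.vbs"),     # payload (disk eraser)
]

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Norton.Thar"


def _normalise(text: str) -> str:
    """Collapse all whitespace so CRLF/LF differences cannot hide a match."""
    return " ".join(text.split())


def find_defaced_html(root: Path) -> list[Path]:
    """Return .htm/.html files under root whose content contains the defacement text."""
    wanted = _normalise(DEFACEMENT_TEXT)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in (".htm", ".html"):
            continue
        try:
            content = path.read_text(encoding="latin-1", errors="replace")
        except OSError:
            continue  # unreadable file: skip, never touch
        if wanted in _normalise(content):
            hits.append(path)
    return sorted(hits)


def find_dropped_files(windows_dir: Path, system_dir: Path) -> list[Path]:
    """Return those dropped files that exist, given the caller's directory locations."""
    dirs = {"[windows_dir]": windows_dir, "[system_dir]": system_dir}
    return [dirs[d] / name for d, name in DROPPED_FILES if (dirs[d] / name).exists()]


def run_key_present() -> Optional[bool]:
    """True/False if HKLM\\...\\Run\\Norton.Thar exists; None when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, imported lazily on purpose
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
            winreg.QueryValueEx(key, RUN_VALUE)
            return True
    except FileNotFoundError:
        return False


def build_sample_tree(base: Path) -> Path:
    """Constructed sample data: one defaced page, one clean page, one dropped file."""
    (base / "site").mkdir(parents=True, exist_ok=True)
    (base / "site" / "index.html").write_text(DEFACEMENT_TEXT, encoding="latin-1")
    (base / "site" / "about.htm").write_text("<html><body>clean</body></html>")
    (base / "WTC.exe").write_bytes(b"not a real binary")  # constructed placeholder
    return base


if __name__ == "__main__":
    if len(sys.argv) > 1:
        root = Path(sys.argv[1])
        windows_dir = Path(os.environ.get("WINDIR", r"C:\Windows"))
        system_dir = windows_dir / "System32"  # assumption; Windows\System on 9x hosts
    else:  # no path given: run against the constructed sample tree
        root = build_sample_tree(Path(tempfile.mkdtemp()))
        windows_dir = system_dir = root
    for page in find_defaced_html(root):
        print("defaced page:", page)
    for dropped in find_dropped_files(windows_dir, system_dir):
        print("dropped file present:", dropped)
    print("Run key Norton.Thar present:", run_key_present())
```

Run it with a drive or share root as the only argument to list every overwritten page and any dropped file still present; with no argument it scans the constructed sample tree. Matching is by substring on normalised text rather than equality, so a page that also picked up stray bytes or a different line ending is still reported.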

[Analysis: Katrin Tocheva, Gergely Erdelyi, Mikko Hypponen; F-Secure Corp., 25-27th of September, 2001]