Threat Description

Email-Worm:W32/Vote.B

Details

Aliases: Email-Worm:W32/Vote.B
Category: Malware
Type: Email-Worm
Platform: W32

Summary



The worm arrives as an e-mail attachment. When the attachment is run, it mails copies of itself to addresses taken from the infected computer's address book.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



Email-Worm:W32/Vote.B shares much of its code with its predecessor, Vote.A, but differs from it in several significant ways. A later variant, Vote.C, combines features of both: it is functionally identical to Vote.B but is spread in e-mail messages identical to those used to distribute Vote.A.

Propagation

Vote.B propagates in e-mail messages that look like this:

From: name-of-the-infected-user
To: random-name-from-address-book
Subject: Fwd: This War Must Be Done !
Body: Hi We Must Fight , We Must ReMemBer Our Victims!

Attachment: WTC.exe
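The message above is a fixed lure, but a mail gateway should not depend on the exact subject line alone. The following Python check is an added example and is not code from the F-Secure advisory: it parses a raw message with the standard library, matches the Vote.B subject and attachment name verbatim, and also applies two generic tests (an attachment with a directly executable extension, and an attachment whose bytes start with the PE "MZ" magic) that still fire if a variant is renamed. The sample messages, addresses and the 64-byte "MZ" stub standing in for WTC.exe are constructed here; the extension list is an assumed gateway policy, not something the advisory states.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the advisory's sample message.
KNOWN_SUBJECT = "Fwd: This War Must Be Done !"
KNOWN_ATTACHMENT = "wtc.exe"

# Extensions Windows runs directly on double-click (assumed policy list, not from the advisory).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def inspect_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and list every reason it should be quarantined.

    Exact checks: the Vote.B subject and the Vote.B attachment name.
    Generic checks: executable extension and PE 'MZ' magic, which also catch renamed variants.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", ""))
    if subject.strip().lower() == KNOWN_SUBJECT.lower():
        reasons.append("subject matches the Vote.B lure")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if name == KNOWN_ATTACHMENT:
            reasons.append(f"attachment name matches the Vote.B dropper: {name}")
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"directly executable attachment: {name}")
        if payload[:2] == b"MZ":
            reasons.append(f"attachment {name or '<unnamed>'} starts with a PE (MZ) header")
    return {"subject": subject, "quarantine": bool(reasons), "reasons": reasons}


def build_vote_b_sample() -> bytes:
    """Constructed lookalike of the advisory's message. The attachment is a 64-byte
    'MZ' stub, not the worm binary."""
    m = EmailMessage()
    m["From"] = "infected-user@example.com"
    m["To"] = "random-name@example.com"
    m["Subject"] = KNOWN_SUBJECT
    m.set_content("Hi We Must Fight , We Must ReMemBer Our Victims!")
    m.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                     subtype="octet-stream", filename="WTC.exe")
    return m.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed clean message with a PDF attachment, to show the filter stays quiet."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = "Quarterly report"
    m.set_content("Attached as discussed.")
    m.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application",
                     subtype="pdf", filename="report.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for raw in (build_vote_b_sample(), build_benign_sample()):
        verdict = inspect_message(raw)
        print(verdict["subject"], "->", "QUARANTINE" if verdict["quarantine"] else "deliver")
        for reason in verdict["reasons"]:
            print("  -", reason)
```

The MZ check matters more than the name checks: Vote.C reuses Vote.A's message text, so a rule keyed only on the subject above would miss it, while the PE-magic and extension tests catch any of the three variants' executables regardless of the lure.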

Installation

Vote.B drops the following files:

  • [windows_dir]\Anti_TeRRoRisM.exe - worm binary
  • [windows_dir]\MixDaLaL.vbs - HTML destroyer script
  • [system_dir]\DaLaL.vbs - first part of payload
  • [system_dir]\WaiL.vbs - second part of payload

Unlike Vote.A, Vote.B does not try to remove any anti-virus program.

Activity

The payload routine is split into two parts. The first part (DaLaL.vbs) tries to modify autoexec.bat and registers the second part (WaiL.vbs) so that it runs; the autoexec.bat modification still does not work. The second part deletes all files from the Windows folder and then displays the following message:

Registry Modifications

Creates these values under the Run key (each entry below is a value name, not a subkey), so the registered program is started at every logon:

  • [HKLM]\Software\Microsoft\Windows\CurrentVersion\Run\ZaCker
  • [HKLM]\Software\Microsoft\Windows\CurrentVersion\Run\ALWaiL
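A host-side triage of the Run key, as an added example that is not part of the advisory. The Python script below reads every value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run (via `winreg`, on Windows only) and flags an entry if its value name or the file it launches matches the Vote.B indicators listed above, or, more generically, if the entry autostarts a script file such as a .vbs, which is how the dropped VBS payload would have to be run. The snapshot `SAMPLE_RUN_ENTRIES` is constructed: the advisory names the two values and the dropped files but not the command line each value holds, so the commands behind ZaCker and ALWaiL are assumptions, and the script-extension list is an assumed heuristic.

```python
import re
import sys

# Persistence and dropped-file indicators listed in the advisory (matched case-insensitively).
VOTE_B_RUN_VALUES = {"zacker", "alwail"}
VOTE_B_FILES = {"anti_terrorism.exe", "mixdalal.vbs", "dalal.vbs", "wail.vbs"}

# Script types that need wscript/cscript to run; a Run value that starts one is a generic
# persistence heuristic, not specific to Vote.B (assumed list).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Matches drive-letter paths and bare file names with an extension inside a Run command line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+|[^\s"\\]+\.[A-Za-z0-9]{2,4}')


def referenced_files(command: str) -> list[str]:
    """Lower-cased basenames of every path-looking token in a Run command line."""
    names = []
    for token in PATH_RE.findall(command):
        names.append(token.replace("/", "\\").rsplit("\\", 1)[-1].lower())
    return names


def triage_run_entries(entries: dict[str, str]) -> list[dict]:
    """Return a finding for every Run value that matches a Vote.B indicator or the
    generic 'Run value launches a script file' heuristic. Clean entries are omitted."""
    findings = []
    for name, command in entries.items():
        reasons = []
        if name.lower() in VOTE_B_RUN_VALUES:
            reasons.append("value name is a Vote.B persistence entry")
        for f in referenced_files(command):
            if f in VOTE_B_FILES:
                reasons.append(f"launches a file Vote.B drops: {f}")
            ext = "." + f.rsplit(".", 1)[-1] if "." in f else ""
            if ext in SCRIPT_EXTS:
                reasons.append(f"autostarts a script file: {f}")
        if reasons:
            findings.append({"value": name, "command": command, "reasons": reasons})
    return findings


def read_run_entries(hive: str = "HKLM") -> dict[str, str]:
    """Live collector for Windows hosts; on other platforms there is no registry to read."""
    if sys.platform != "win32":
        raise RuntimeError("read_run_entries needs the Windows registry")
    import winreg
    root = winreg.HKEY_LOCAL_MACHINE if hive == "HKLM" else winreg.HKEY_CURRENT_USER
    entries = {}
    with winreg.OpenKey(root, RUN_KEY) as key:
        index = 0
        while True:
            try:
                value_name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries[value_name] = str(data)
            index += 1
    return entries


# Constructed snapshot of HKLM\...\Run on an infected host. The command lines behind
# ZaCker and ALWaiL are assumed; the advisory lists the value names and dropped files only.
SAMPLE_RUN_ENTRIES = {
    "ZaCker": r"C:\WINDOWS\Anti_TeRRoRisM.exe",
    "ALWaiL": r'wscript.exe "C:\WINDOWS\SYSTEM32\WaiL.vbs"',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
}

if __name__ == "__main__":
    entries = read_run_entries() if sys.platform == "win32" else SAMPLE_RUN_ENTRIES
    for finding in triage_run_entries(entries):
        print(f"{finding['value']}: {finding['command']}")
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run it on a live host with the same function pair, and check HKCU as well as HKLM: the advisory lists only HKLM entries, but the heuristic on script files is equally useful under the per-user Run key.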
