1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. Email-Worm:W32/Vote.B

Email-Worm:W32/Vote.B

Name : Email-Worm:W32/Vote.B
Category:Malware
Type:Email-Worm
Platform:W32

Summary

This type of worm is embedded in an e-mail attachment, and spreads using the infected computer's e-mailing networks.

Details


Registry Modifications
Creates these keys:

  •  [HKLM]\Software\Microsoft\Windows\CurrentVersion\run\ZaCker
  • [HKLM]\Software\Microsoft\Windows\CurrentVersion\run\ALWaiL


Additional Details

Email-Worm:W32/Vote.B shares similar code to its predecessor, Vote.A, but includes a number of significant differences in function.

A more recent variant, Vote.C, combines features of Vote.A and Vote.B. Vote.C is functionally identical to Vote.B, but is propagated via e-mail messages identical to those used to distribute Vote.A.


Propagation

Vote.B propagates in e-mail messages that  look like this:

  •  From: name-of-the-infected-user
  • To: random-name-from-address-book
  • Subject: Fwd: This War Must Be Done !

      Hi
      We Must Fight , We Must ReMemBer Our Victims!

  • Attachment: WTC.exe


Installation

Vote.B drops the following files:

  •  [windows_dir]\Anti_TeRRoRisM.exe -  worm binary
  • [windows_dir]\MixDaLaL.vbs -  HTML destroyer script
  • [system_dir]\DaLaL.vbs -  first part of payload
  • [system_dir]\WaiL.vbs -  second part of payload

Unlike Vote.A, Vote.B does not try to remove any anti-virus program.

Activity

The payload routine was split to two parts. The first one tries to modify autoexec.bat and registers the second part. Autoexec.bat modification fortunately still does not work.

The second part of the script is the one that deletes all the files from Windows folder then displays the following message: