Email-Worm:W32/Vote.B shares similar code to its predecessor, Vote.A, but includes a number of significant differences in function.
A more recent variant, Vote.C, combines features of Vote.A and Vote.B. Vote.C is functionally identical to Vote.B, but is propagated via e-mail messages identical to those used to distribute Vote.A.
Vote.B propagates in e-mail messages that look like this:
- From: name-of-the-infected-user
- To: random-name-from-address-book
- Subject: Fwd: This War Must Be Done !
We Must Fight , We Must ReMemBer Our Victims!
- Attachment: WTC.exe
Vote.B drops the following files:
- [windows_dir]\Anti_TeRRoRisM.exe - worm binary
- [windows_dir]\MixDaLaL.vbs - HTML destroyer script
- [system_dir]\DaLaL.vbs - first part of payload
- [system_dir]\WaiL.vbs - second part of payload
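An added example, not part of the original description: a sweep for the indicators listed above (subject line, attachment name, dropped file names). The function names and the mapping of [windows_dir] and [system_dir] to %SystemRoot% and its System32 subfolder are assumptions.

```python
import email
import os

# Indicators taken from the description above; names are stored lowercase
# because Windows file names and mail clients do not preserve case reliably.
SUBJECT = "Fwd: This War Must Be Done !"
ATTACHMENT = "wtc.exe"
DROPPED = {
    "windows_dir": {"anti_terrorism.exe", "mixdalal.vbs"},
    "system_dir": {"dalal.vbs", "wail.vbs"},
}


def scan_message(raw):
    """Return the Vote.B mail indicators present in one RFC 822 message."""
    msg = email.message_from_string(raw)
    hits = []
    # Collapse header folding and repeated whitespace before comparing.
    subject = " ".join((msg.get("Subject") or "").split())
    if subject.lower() == SUBJECT.lower():
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.strip().lower() == ATTACHMENT:
            hits.append("attachment")
            break
    return hits


def find_dropped(windows_dir, system_dir):
    """Return paths of dropped files that exist, matched case-insensitively."""
    found = []
    for key, folder in (("windows_dir", windows_dir), ("system_dir", system_dir)):
        try:
            entries = os.listdir(folder)
        except OSError:
            continue  # folder missing or unreadable: nothing to report
        for entry in sorted(entries):
            if entry.lower() in DROPPED[key]:
                found.append(os.path.join(folder, entry))
    return found


if __name__ == "__main__":
    # Assumed mapping: [windows_dir] = %SystemRoot%, [system_dir] = System32.
    root = os.environ.get("SystemRoot", r"C:\Windows")
    for path in find_dropped(root, os.path.join(root, "System32")):
        print("possible Vote.B artifact:", path)
```

A file-name match alone is only a lead; confirm any hit with an anti-virus scan of the file.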
Unlike Vote.A, Vote.B does not try to remove any anti-virus program.
The payload routine was split into two parts. The first part tries to modify autoexec.bat and registers the second part. Fortunately, the autoexec.bat modification still does not work.
The second part of the script is the one that deletes all the files from the Windows folder and then displays the following message: