Threat Description



Aliases: Voltan, W32/Voltan.A@mm, I-Worm.Voltan, Marque, Voltan.A
Category: Malware
Type: Worm
Platform: W32


Voltan is a mass mailing worm that was found late evening on October 24th, 2003.

The worm arrives in emails which contain a link to a web page from where a file could be downloaded. The emails contain text in Italian.


Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Technical Details

The mass-mailing routine of Voltan does not send the worm in the email. It sends a link to a website which first displays a message:

Il momento - catartico... per parafrasare un noto comico di ZELIG !!!

 [The moment is cathartic... to paraphrase a famous comedian from ZELIG !!!]

then offers a file named 'zelig.scr' for download. 'zelig.scr' is to body of the worm.

When the file is opened it opens a webpage in the default browser with the following content:

Congratulazioni !
 Il "CATARTICO" screen saver - stato installato con successo .

 [Congratulations !
  The CATHARTIC screen saver has been successfully installed]

It creates a value in the registry as

'HKLM\Control Panel\Screen Saver.Marquee\text'

with the text:

A volte ti sento cos? vicina...A volte ti sento cos? lontana
 ...Certo che hai proprio un cellulare di m**da!

 [Sometimes I can feel you so close...Sometimes I feel you so
  distant ...You sure have a sh*tty cell phone!]

To send emails Voltan first locates the Windows Address Book and reads the list of contacts from there. Using its own SMTP engine it sends the following emails to the contacts:

 Subject: Il momento e' catartico [The moment is cathartic]

 Body: Ricevo e cortesemente inoltro,.... un premio per la genialita
 hanno reso mitico un salva schermo scaricalo, "poesie catartiche",
 che non sai cosa ti perdi


 [I received this and I'm forwarding it,... an award to genius
  they made this great a screen-saver download it, "cathartic poems",
  you don't know what you're missing]

If the worm can not find the email address of the user of the infected computer it uses a hardcoded address instead.

Voltan uses system DLLs which are not available on some systems. The worm does not work on Windows 95/98/ME and Windows NT4.

Translations:Fabrizio Cassoni


Detection in F-Secure Anti-Virus was published on October 25, 2003 in update:
Detection Type: PC
Database: 2003-10-25_03

Description Created: Katrin Tocheva, Veli-Jussi Kesti.
Technical Details: Gergely Erdelyi


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More