Voltan is a mass mailing worm that was found late evening on October 24th, 2003.
The worm arrives in emails which contain a link to a web page from where a file could be downloaded. The emails contain text in Italian.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
The mass-mailing routine of Voltan does not send the worm in the email. It sends a link to a website which first displays a message:
Il momento - catartico... per parafrasare un noto comico di ZELIG !!! [The moment is cathartic... to paraphrase a famous comedian from ZELIG !!!]
then offers a file named 'zelig.scr' for download. 'zelig.scr' is to body of the worm.
When the file is opened it opens a webpage in the default browser with the following content:
Congratulazioni ! Il "CATARTICO" screen saver - stato installato con successo . [Congratulations ! The CATHARTIC screen saver has been successfully installed]
It creates a value in the registry as
'HKLM\Control Panel\Screen Saver.Marquee\text'
with the text:
A volte ti sento cos? vicina...A volte ti sento cos? lontana ...Certo che hai proprio un cellulare di m**da! [Sometimes I can feel you so close...Sometimes I feel you so distant ...You sure have a sh*tty cell phone!]
To send emails Voltan first locates the Windows Address Book and reads the list of contacts from there. Using its own SMTP engine it sends the following emails to the contacts:
From: firstname.lastname@example.org To: email@example.com Subject: Il momento e' catartico [The moment is cathartic] Body: Ricevo e cortesemente inoltro,.... un premio per la genialita hanno reso mitico un salva schermo scaricalo, "poesie catartiche", che non sai cosa ti perdi ciao [I received this and I'm forwarding it,... an award to genius they made this great a screen-saver download it, "cathartic poems", you don't know what you're missing]
If the worm can not find the email address of the user of the infected computer it uses a hardcoded address instead.
Voltan uses system DLLs which are not available on some systems. The worm does not work on Windows 95/98/ME and Windows NT4.
Detection in F-Secure Anti-Virus was published on October 25, 2003 in
Detection Type: PC
Description Created: Katrin Tocheva, Veli-Jussi Kesti.
Technical Details: Gergely Erdelyi