F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Legal Notices
Contact Us

F-Secure Virus Descriptions : Voltan

[Summary] | [Detailed Description] | [Detection]



NAME:Voltan
ALIAS:W32/Voltan.A@mm, I-Worm.Voltan, Marque
VARIANT:Voltan.A

Summary

Voltan is a mass mailing worm that was found late evening on October 24th, 2003

The worm arrives in emails which contain a link to a web page from where a file could be downloaded. The emails contain text in Italian.

Detailed Description

The mass-mailing routine of Voltan does not send the worm in the email. It sends a link to a website which first displays a message: 

 Il momento è catartico... per parafrasare un noto comico di ZELIG !!!


 [The moment is cathartic... to paraphrase a famous comedian from ZELIG !!!]

then offers a file named 'zelig.scr' for download. 'zelig.scr' is to body of the worm.

When the file is opened it opens a webpage in the default browser with the following content: 

 Congratulazioni !
 Il "CATARTICO" screen saver è stato installato con successo .


 [Congratulations !
  The CATHARTIC screen saver has been successfully installed]

It creates a value in the registry as

'HKLM\Control Panel\Screen Saver.Marquee\text'

with the text: 

 A volte ti sento cos? vicina...A volte ti sento cos? lontana
 ...Certo che hai proprio un cellulare di m**da!


 [Sometimes I can feel you so close...Sometimes I feel you so
  distant ...You sure have a sh*tty cell phone!]

To send emails Voltan first locates the Windows Address Book and reads the list of contacts from there. Using its own SMTP engine it sends the following emails to the contacts: 

 From: user@of.infected.computer
 To: friend@of.the.user.of.the.infected.computer
 Subject: Il momento e' catartico [The moment is cathartic]


 Body: Ricevo e cortesemente inoltro,.... un premio per la genialita
 hanno reso mitico un salva schermo scaricalo, "poesie catartiche",
 che non sai cosa ti perdi


 ciao


 [I received this and I'm forwarding it,... an award to genius
  they made this great a screen-saver download it, "cathartic poems",
  you don't know what you're missing]

If the worm can not find the email address of the user of the infected computer it uses a hardcoded address instead.

Voltan uses system DLLs which are not available on some systems. The worm does not work on Windows 95/98/ME and Windows NT4.


Back to the Top


Detection

Detection in F-Secure Anti-Virus was published on October 25, 2003 in update:

[FSAV_Database_Version]

Version=2003-10-25_03

Back to the Top


Write-up: Katrin Tocheva, Veli-Jussi Kesti

Translations: Fabrizio Cassoni

Technical Details: Gergely Erdelyi

F-Secure Corporation, October 25th, 2003