Threat Descriptions

Voltan

Classification

Category :

Malware

Type :

Worm

Platform :

W32

Aliases :

Voltan, W32/Voltan.A@mm, I-Worm.Voltan, Marque, Voltan.A

Summary

Voltan is a mass mailing worm that was found late evening on October 24th, 2003.

The worm arrives in emails which contain a link to a web page from where a file could be downloaded. The emails contain text in Italian.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The mass-mailing routine of Voltan does not send the worm in the email. It sends a link to a website which first displays a message: 

Il momento - catartico... per parafrasare un noto comico di ZELIG !!!
 [The moment is cathartic... to paraphrase a famous comedian from ZELIG !!!]

then offers a file named 'zelig.scr' for download. 'zelig.scr' is to body of the worm.

When the file is opened it opens a webpage in the default browser with the following content: 

Congratulazioni !
Il "CATARTICO" screen saver - stato installato con successo .
 [Congratulations !
 The CATHARTIC screen saver has been successfully installed]

It creates a value in the registry as

'HKLM\Control Panel\Screen Saver.Marquee\text'

with the text:

A volte ti sento cos? vicina...A volte ti sento cos? lontana
...Certo che hai proprio un cellulare di m**da!
 [Sometimes I can feel you so close...Sometimes I feel you so
 distant ...You sure have a sh*tty cell phone!]

To send emails Voltan first locates the Windows Address Book and reads the list of contacts from there. Using its own SMTP engine it sends the following emails to the contacts: 

From: user@of.infected.computer
To: friend@of.the.user.of.the.infected.computer
Subject: Il momento e' catartico [The moment is cathartic]
 Body: Ricevo e cortesemente inoltro,.... un premio per la genialita
hanno reso mitico un salva schermo scaricalo, "poesie catartiche",
che non sai cosa ti perdi
 ciao
 [I received this and I'm forwarding it,... an award to genius
 they made this great a screen-saver download it, "cathartic poems",
 you don't know what you're missing]

If the worm can not find the email address of the user of the infected computer it uses a hardcoded address instead.

Voltan uses system DLLs which are not available on some systems. The worm does not work on Windows 95/98/ME and Windows NT4.

Translations:Fabrizio Cassoni