1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. Voltan

Voltan

ALIAS:W32/Voltan.A@mm, I-Worm.Voltan, Marque
VARIANT:Voltan.A

Summary

Voltan is a mass mailing worm that was found late evening on October 24th, 2003

The worm arrives in emails which contain a link to a web page from where a file could be downloaded. The emails contain text in Italian.

Additional Details

The mass-mailing routine of Voltan does not send the worm in the email. It sends a link to a website which first displays a message: 


 Il momento è catartico... per parafrasare un noto comico di ZELIG !!!



 [The moment is cathartic... to paraphrase a famous comedian from ZELIG !!!]

then offers a file named 'zelig.scr' for download. 'zelig.scr' is to body of the worm.

When the file is opened it opens a webpage in the default browser with the following content: 


 Congratulazioni !
 Il "CATARTICO" screen saver è stato installato con successo .



 [Congratulations !
  The CATHARTIC screen saver has been successfully installed]

It creates a value in the registry as

'HKLM\Control Panel\Screen Saver.Marquee\text'

with the text: 


 A volte ti sento cos? vicina...A volte ti sento cos? lontana
 ...Certo che hai proprio un cellulare di m**da!



 [Sometimes I can feel you so close...Sometimes I feel you so
  distant ...You sure have a sh*tty cell phone!]

To send emails Voltan first locates the Windows Address Book and reads the list of contacts from there. Using its own SMTP engine it sends the following emails to the contacts: 


 From: user@of.infected.computer
 To: friend@of.the.user.of.the.infected.computer
 Subject: Il momento e' catartico [The moment is cathartic]



 Body: Ricevo e cortesemente inoltro,.... un premio per la genialita
 hanno reso mitico un salva schermo scaricalo, "poesie catartiche",
 che non sai cosa ti perdi



 ciao



 [I received this and I'm forwarding it,... an award to genius
  they made this great a screen-saver download it, "cathartic poems",
  you don't know what you're missing]

If the worm can not find the email address of the user of the infected computer it uses a hardcoded address instead.

Voltan uses system DLLs which are not available on some systems. The worm does not work on Windows 95/98/ME and Windows NT4.

Detection

Detection in F-Secure Anti-Virus was published on October 25, 2003 in update:

[FSAV_Database_Version]
Version=2003-10-25_03

Write-up: Katrin Tocheva, Veli-Jussi Kesti

Translations: Fabrizio Cassoni

Technical Details: Gergely Erdelyi