Email-Worm:W32/Vote

Name : Email-Worm:W32/Vote
Category:Malware
Type:Email-Worm
Platform:W32

Summary

This type of worm is embedded in an e-mail attachment, and spreads using the infected computer's e-mailing networks.

Disinfection

Removal instructions for Vote variants

If the worm has been activated, the system must not be restarted before it has been properly cleaned; otherwise, the payload will be triggered.

To clean the system, the following actions should be taken:

  •  All the dropped files and added registry keys must be removed.
  •  If Vote.A is present, the affected applications (i.e., the ones Vote.A attempts to remove) must be reinstalled.
  •  All the destroyed HTML and HTM files must be restored from backup files.

Details


File System Changes
Removes these files:

  • C:\Program Files\AntiViral Toolkit Pro\*.*
  • C:\eSafe\Protect\*.*
  • C:\Program Files\Command Software\F-PROT95\*.*
  • C:\PC-Cillin 95\*.*
  • C:\PC-Cillin 97\*.*
  • C:\Program Files\Quick Heal\*.*
  • C:\Program Files\FWIN32\*.*
  • C:\Program Files\FindVirus\*.*
  • C:\Toolkit\FindVirus\*.*
  • C:\f-macro\*.*
  • C:\Program Files\McAfee\VirusScan95\*.*
  • C:\Program Files\Norton AntiVirus\*.*
  • C:\TBAVW95\*.*
  • C:\VS95\*.*


Additional Details

Email-Worm:W32/Vote is a family of e-mail worms that use the September 11 terrorist attacks as a ploy to get people to execute them. The worms are written in Visual Basic.

On execution, Vote will attempt to download a trojan onto the machine in addition to propagating itself. The worm also includes a number of dangerous routines.

The details below describe the Vote.A variant. For more details of the other variants, please see:


Vote.A was first reported on the 24th of September, 2001 - 13 days after the WTC tragedy. It appears to be written by a teenager.


Propagation


The worm uses standard Windows Mail API to access the user's address book. This affects users of MAPI compatible e-mail clients, mainly Microsoft Outlook.

The e-mails sent by the worm look like this:

  • From: name-of-the-infected-user
  To: random-name-from-address-book
  Subject: Fwd:Peace BeTween AmeriCa and IsLaM !

  Hi
  iS iT waR Against AmeriCa Or IsLaM !?
  Let's Vote To Live in Peace!
  Attachment: WTC.exe




Installation

If the e-mail file attachment is run, the worm is executed and drops the following files on the system:

  • [windows_dir]\WTC.exe - worm binary
  • [windows_dir]\MixDaLaL.vbs - HTML destroyer script
  • [system_dir]\ZaCker.vbs - payload (disk eraser)

The main worm executable (WTC.exe) then deletes a variety of files from the system in an attempt to disable several antivirus programs.


Activity


The other two files dropped by the worm are scripts. '[windows_dir]\MixDaLaL.vbs' is a Visual Basic Script that searches through all the available fixed and network drives for .HTM and .HTML files. The content of all these files is replaced with this text:

  • AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>>
   ZaCkEr is So Sorry For You .

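As an added defender-side example (not part of the F-Secure description or the worm's own code), the following Python scan walks a drive for .htm/.html files whose entire content is the MixDaLaL.vbs defacement text quoted above, producing the list of pages that the removal instructions say must be restored from backup. The directory tree it scans is constructed inline as sample data; it is hypothetical and not taken from a real infection.

```python
import os
import tempfile
from pathlib import Path

# Text that MixDaLaL.vbs writes into every .htm/.html file (quoted from the description above).
DEFACEMENT_TEXT = ("AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>>\n"
                   "ZaCkEr is So Sorry For You .")
HTML_SUFFIXES = {".htm", ".html"}

def _normalise(text: str) -> str:
    # Collapse all whitespace so CRLF vs LF or a trailing newline cannot hide a match.
    return " ".join(text.split())

def is_defaced(path: Path) -> bool:
    """True when the file's whole content is the worm's defacement string."""
    try:
        data = path.read_bytes()
    except OSError:
        return False
    # The script wrote plain text; latin-1 never raises, so odd bytes simply fail to match.
    return _normalise(data.decode("latin-1")) == _normalise(DEFACEMENT_TEXT)

def find_defaced_html(root) -> list:
    """Walk root (a fixed or mapped drive) and list .htm/.html files that must be restored."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in HTML_SUFFIXES and is_defaced(p):
                hits.append(str(p))
    return sorted(hits)

def build_sample_tree(base) -> None:
    """Constructed sample data (hypothetical, not from a real infection) for demo()."""
    site = Path(base) / "site"
    (site / "docs").mkdir(parents=True)
    (site / "index.htm").write_bytes(DEFACEMENT_TEXT.replace("\n", "\r\n").encode())  # CRLF
    (site / "docs" / "news.html").write_text(DEFACEMENT_TEXT + "\n")              # trailing newline
    (site / "docs" / "PAGE.HTM").write_text(DEFACEMENT_TEXT)                       # upper-case suffix
    (site / "about.html").write_text("<html><body>Company history</body></html>") # untouched page
    (site / "notes.txt").write_text(DEFACEMENT_TEXT)                               # not an HTML file

def demo() -> list:
    """Scan the constructed tree and return the basenames of the files flagged for restoration."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sorted(os.path.basename(p) for p in find_defaced_html(tmp))

if __name__ == "__main__":
    print(demo())  # ['PAGE.HTM', 'index.htm', 'news.html']
```

Only files that contain nothing but the defacement text are flagged, so a page the script failed to overwrite completely, or a legitimate page that merely quotes the string, is left for manual review rather than restored blindly.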
ZaCker.vbs first deletes all files from the Windows folder. It then displays a message:



After displaying the message, the script modifies the autoexec.bat file in order to format the C: drive after the next reboot. This part of the script is broken, resulting in the autoexec.bat being empty. The script's attempt to reboot the system fails as the program called for reboot is deleted.

While active, the worm opens two windows in the Microsoft Internet Explorer web browser. The first is a faked voting booth. The second page is set to download a trojan called Barrio 5.0. The browser's start page is also set to this second page.

If successfully downloaded, the Barrio trojan collects passwords (dialup, ICQ, UIN, etc.) and forwards them to a pre-defined e-mail address.

 

Registry

The 'ZaCker.vbs' script adds the following registry key to ensure it is started on the next system reboot:

  • [HKLM]\Software\Microsoft\Windows\CurrentVersion\run\Norton.Thar

Activity

Once installed, the worm changes the startup page of Internet Explorer to point to the worm's file at "c:\Windows\WTC32.scr".

After performing its mass-mailing routine, the worm displays one or more message boxes with different messages, for example:

  • WORLD TRADE CENTER
  • WE WILL ALWAYS REMEMBER THOSE LOST SOULS...


Some of these messages are very insulting and contain bad language.

The worm's payload also includes dangerous routines. These are:

  • Deleting all DLL files in the C:\Windows\System32\ folder.
  • Locating files with the following extensions - .wav .mp3 .jpg .bmp .zip .rar .doc - and writing itself with the name of those files and an additional .exe extension. The original files are deleted.
  • Overwriting all .exe and .scr files with its body.

Variant:Vote.D
Description:

Vote.D is an e-mail worm written in Visual Basic. It spreads to all recipients found in the Outlook Address Book. The sent e-mail messages look as follows:

  • Subject: WORLD TRADE CENTER PICTURES
  Body: Remember The Times.......MAYBE THEY WILL BE BACK....!!!
  Attachment: WTC32.scr

Where is the recipient's name. The attachment is always WTC32.scr. It is a PE executable 61440 bytes long.

When a user runs the infected attachment, the worm copies itself to the system under the following names:

  • c:\windows\notepad.exe
  • c:\Windows\WTC32.scr
  • c:\Autorun.com

Since the path "c:\Windows\" is hard-coded, Vote.D won't work if Windows is installed in a folder different from "c:\windows".

After copying its files to the hard disk, the worm creates a startup key for one of its files in the Registry:

  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\W32Tc] @ = "c:\Windows\WTC32.scr"

Additionally, the worm changes the startup page of Internet Explorer to point to the worm's file "c:\Windows\WTC32.scr".

After the mass mailing, the worm displays one or more message boxes with different messages, for example:

  • WORLD TRADE CENTER
  • WE WILL ALWAYS REMEMBER THOSE LOST SOULS...

Some of these messages are very insulting and contain bad language.

Payload

The worm has a dangerous payload. It does the following:

  1. Deletes all DLL files in the C:\Windows\System32\ folder.
  2. Locates files with the following extensions: .wav .mp3 .jpg .bmp .zip .rar .doc and writes itself with the name of those files and an additional .exe extension. The original files are deleted.
  3. Overwrites all .exe and .scr files with its body.

Vote.D changes the Registered Owner and Registered Organization settings of Windows to: YOU ARE A VICTIM OF THE WORLD TRADE CENTER

The worm changes the Product Name setting of Windows to: w32.hllp.I-Worm.WTC.03

Vote.D can create a lot of copies of itself with randomly-generated names in the c:\Windows\Systm32\BkUp folder.

The worm can play the "GUESS A NUMBER" game with a user of an infected computer. It asks: "GUESS A NUMBER From 1 to 50" and waits for the answer. If the answer is right, the worm displays "Alright!", otherwise it displays "Sorry !".

F-Secure Anti-Virus detects the Vote.D worm as I-Worm.generic
Variant:Vote.B
Description:

This variant has quite significant differences from the original version, but the basic code is the same. Vote.B does not try to remove any anti-virus program as the original version did. The messages sent by this one look like this:

  • From: name-of-the-infected-user
  To: random-name-from-address-book
  Subject: Fwd: This War Must Be Done !

  Hi
  We Must Fight , We Must ReMemBer Our Victims!
  Attachment: WTC.exe

The payload routine was split into two parts. The first one tries to modify autoexec.bat and registers the second part. The autoexec.bat modification fortunately still does not work. The second part of the script is the one that deletes all the files from the Windows folder and then displays the following message:

Dropped files:

  • [windows_dir]\Anti_TeRRoRisM.exe - worm binary
  • [windows_dir]\MixDaLaL.vbs - HTML destroyer script
  • [system_dir]\DaLaL.vbs - first part of payload
  • [system_dir]\WaiL.vbs - second part of payload

Added registry keys:

  • [HKLM]\Software\Microsoft\Windows\CurrentVersion\run\ZaCker
  • [HKLM]\Software\Microsoft\Windows\CurrentVersion\run\ALWaiL
Variant:Vote.A
Description:

Apparently this simple virus is written by a teenager. The original Vote was found on the 24th of September, 2001 - 13 days after the WTC tragedy.

Binary part

The worm uses standard Windows Mail API to access the user's address book. This affects users of MAPI compatible e-mail clients, mainly Microsoft Outlook. The e-mails sent by the worm look like this:

  • From: name-of-the-infected-user
  To: random-name-from-address-book
  Subject: Fwd:Peace BeTween AmeriCa and IsLaM !

  Hi
  iS iT waR Against AmeriCa Or IsLaM !?
  Let's Vote To Live in Peace!
  Attachment: WTC.exe

The following files are deleted from the hard drive:

  • C:\Program Files\AntiViral Toolkit Pro\*.*
  • C:\eSafe\Protect\*.*
  • C:\Program Files\Command Software\F-PROT95\*.*
  • C:\PC-Cillin 95\*.*
  • C:\PC-Cillin 97\*.*
  • C:\Program Files\Quick Heal\*.*
  • C:\Program Files\FWIN32\*.*
  • C:\Program Files\FindVirus\*.*
  • C:\Toolkit\FindVirus\*.*
  • C:\f-macro\*.*
  • C:\Program Files\McAfee\VirusScan95\*.*
  • C:\Program Files\Norton AntiVirus\*.*
  • C:\TBAVW95\*.*
  • C:\VS95\*.*

This way it tries to disable several anti-virus programs.

Trojan installation

The worm opens up two Internet Explorer windows. One is a faked voting booth. The other one tries to download a trojan called Barrio 5.0. The Internet Explorer start page is set to this one. The Barrio trojan is mainly designed for collecting and sending passwords from the victim machine. It can collect dial-up passwords, ICQ UIN and password, etc. and send them to a pre-defined e-mail address.

Script components

'[windows_dir]\MixDaLaL.vbs' is a Visual Basic Script that searches through all the available fixed and network drives for .HTM and .HTML files. The content of all these files is replaced with this text:

  • AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>>
   ZaCkEr is So Sorry For You .

'ZaCker.vbs' is dropped to the Windows system directory and added to the registry as '[HKLM]\Software\Microsoft\Windows\CurrentVersion\run\Norton.Thar' so it will be started after the next reboot. ZaCker.vbs first deletes all files from the Windows folder and then displays a message:

After this it modifies autoexec.bat so that it would format the C: drive after the next reboot. This part of the script is broken, so autoexec.bat will be empty. It then tries to reboot the system, which will not happen since the program called for the reboot was just deleted.

Dropped files:

  • [windows_dir]\WTC.exe - worm binary
  • [windows_dir]\MixDaLaL.vbs - HTML destroyer script
  • [system_dir]\ZaCker.vbs - payload (disk eraser)

Added registry key:

  • [HKLM]\Software\Microsoft\Windows\CurrentVersion\run\Norton.Thar
Variant:Vote.C
Description:

This variant is a combination of the original version and Vote.B. The functionality is the same as Vote.B (including the VBS files), but the e-mail message is the same as in the original Vote.

Dropped files:

  • [windows_dir]\WTC.exe - worm binary
  • [windows_dir]\MixDaLaL.vbs - HTML destroyer script
  • [system_dir]\DaLaL.vbs - first part of payload
  • [system_dir]\WaiL.vbs - second part of payload

Added registry keys:

  • [HKLM]\Software\Microsoft\Windows\CurrentVersion\run\ZACker
  • [HKLM]\Software\Microsoft\Windows\CurrentVersion\run\ALWaiL

Removal instructions for all the variants

If the worm was activated once, the system must not be restarted before it has been cleaned up properly; otherwise the payload will be triggered.

  • All the dropped files and added registry keys must be removed.
  • In the case of the original Vote, the affected applications (the ones Vote tries to remove) must be reinstalled.
  • All the destroyed .HTML and .HTM files must be restored from backup files.

F-Secure Anti-Virus can detect all the components of Vote.A, Vote.B and Vote.C, as well as the backdoor they try to download.