F-Secure Virus Descriptions : Vote
Vote is an email worm written in Visual Basic. It uses the WTC tragedy
as a ploy to get people to execute it.
Update on March 24th 2003
A new variant of the Vote virus, Vote.D, was found. It disguises
itself as WTC pictures, trying to frighten recipients with reminders of
the WTC tragedy.
For more information see the Vote.D description at the end of this page.
Apparently this simple virus was written by a teenager.
The original Vote was found on the 24th of September, 2001 - 13 days
after the WTC tragedy.
Binary part
The worm uses the standard Windows Mail API (MAPI) to access the user's
address book. This affects users of MAPI compatible e-mail clients,
mainly Microsoft Outlook.
The e-mails sent by the worm look like this:
From: name-of-the-infected-user
To: random-name-from-address-book
Subject: Fwd:Peace BeTween AmeriCa and IsLaM !
Hi
iS iT waR Against AmeriCa Or IsLaM !?
Let's Vote To Live in Peace!
Attachment: WTC.exe
The following files are deleted from the hard drive:
'C:\Program Files\AntiViral Toolkit Pro\*.*'
'C:\eSafe\Protect\*.*'
'C:\Program Files\Command Software\F-PROT95\*.*'
'C:\PC-Cillin 95\*.*'
'C:\PC-Cillin 97\*.*'
'C:\Program Files\Quick Heal\*.*'
'C:\Program Files\FWIN32\*.*'
'C:\Program Files\FindVirus\*.*'
'C:\Toolkit\FindVirus\*.*'
'C:\f-macro\*.*'
'C:\Program Files\McAfee\VirusScan95\*.*'
'C:\Program Files\Norton AntiVirus\*.*'
'C:\TBAVW95\*.*'
'C:\VS95\*.*'
This way it tries to disable several anti-virus programs.
Trojan installation
The worm opens two Internet Explorer windows. One shows a fake voting
booth; the other tries to download a trojan called Barrio 5.0.
The Internet Explorer start page is also set to the latter page.
The Barrio trojan is mainly designed for collecting passwords from the
victim machine and sending them out. It can collect dial-up passwords, the
ICQ UIN and password, etc., and send them to a pre-defined e-mail address.
Script components
'[windows_dir]\MixDaLaL.vbs' is a Visual Basic Script that searches
through all the available fixed and network drives for .HTM and .HTML
files. The content of all these files is replaced with this text:
'AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>>
ZaCkEr is So Sorry For You .'
'ZaCker.vbs' is dropped to the Windows system directory and added
to the registry as
'[HKLM]\Software\Microsoft\Windows\CurrentVersion\run\Norton.Thar'
so that it is started after the next reboot.
ZaCker.vbs first deletes all files from the Windows folder, then
displays a message:
After this it modifies autoexec.bat so that it would format the C:
drive after the next reboot. This part of the script is broken,
so autoexec.bat ends up empty. It then tries to reboot the system,
which will not happen since the program called to perform the reboot
was just deleted.
Dropped files:
'[windows_dir]\WTC.exe' - worm binary
'[windows_dir]\MixDaLaL.vbs' - HTML destroyer script
'[system_dir]\ZaCker.vbs' - payload (disk eraser)
Added registry key:
'[HKLM]\Software\Microsoft\Windows\CurrentVersion\run\Norton.Thar'
Vote.B
This variant has quite significant differences from the original
version, but the basic code is the same. Vote.B does not try to
remove any anti-virus programs as the original version did.
The messages sent by this one look like this:
From: name-of-the-infected-user
To: random-name-from-address-book
Subject: Fwd: This War Must Be Done !
Hi
We Must Fight , We Must ReMemBer Our Victims!
Attachment: WTC.exe
The payload routine was split into two parts. The first one tries
to modify autoexec.bat and registers the second part. Fortunately the
autoexec.bat modification still does not work.
The second part of the script is the one that deletes all the
files from the Windows folder, then displays the following message:
Dropped files:
'[windows_dir]\Anti_TeRRoRisM.exe' - worm binary
'[windows_dir]\MixDaLaL.vbs' - HTML destroyer script
'[system_dir]\DaLaL.vbs' - first part of payload
'[system_dir]\WaiL.vbs' - second part of payload
Added registry keys:
'[HKLM]\Software\Microsoft\Windows\CurrentVersion\run\ZaCker'
'[HKLM]\Software\Microsoft\Windows\CurrentVersion\run\ALWaiL'
Vote.C
This variant is a combination of the original version and
Vote.B. The functionality is the same as Vote.B (including
the VBS files), but the e-mail message is the same as the
original Vote's.
Dropped files:
'[windows_dir]\WTC.exe' - worm binary
'[windows_dir]\MixDaLaL.vbs' - HTML destroyer script
'[system_dir]\DaLaL.vbs' - first part of payload
'[system_dir]\WaiL.vbs' - second part of payload
Added registry keys:
'[HKLM]\Software\Microsoft\Windows\CurrentVersion\run\ZACker'
'[HKLM]\Software\Microsoft\Windows\CurrentVersion\run\ALWaiL'
Removal instructions for all the variants
If the worm has been activated, the system must not be restarted
before it has been cleaned up properly, otherwise the payload
will be triggered.
All the dropped files and added registry keys must be removed.
In the case of the original Vote, the affected applications (those
that Vote tries to remove) must be reinstalled.
All the destroyed .HTML and .HTM files must be restored from backup
copies.
F-Secure Anti-Virus can detect all the components of Vote.A,
Vote.B and Vote.C as well as the backdoor they try to download.
Vote.D
Vote.D is an e-mail worm written in Visual Basic. It spreads to
all recipients found in the Outlook Address Book. The sent e-mail
messages look as follows:
Subject: <name> WORLD TRADE CENTER PICTURES
Body: <name> Remember The Times.......MAYBE THEY WILL BE BACK....!!!
Attachment: WTC32.scr
Where <name> is the recipient's name. The attachment is always
WTC32.scr, a PE executable 61440 bytes long.
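The three lures described on this page (the Vote.A/C message, the Vote.B message and the Vote.D message) can be matched at a mail gateway. The following is an added example, not F-Secure's code; the message fields (subject, attachment name, attachment size) and the sample messages are constructed assumptions.

```python
import re

# Lure signatures from the description: (subject regex, attachment name, family).
# Vote.A and Vote.C send the same message; Vote.B and Vote.D differ.
VOTE_SIGNATURES = (
    (re.compile(r"^Fwd:\s*Peace BeTween AmeriCa and IsLaM !", re.I), "wtc.exe", "Vote.A/C"),
    (re.compile(r"^Fwd:\s*This War Must Be Done !", re.I), "wtc.exe", "Vote.B"),
    (re.compile(r"WORLD TRADE CENTER PICTURES\s*$", re.I), "wtc32.scr", "Vote.D"),
)
VOTE_D_ATTACHMENT_SIZE = 61440  # bytes, the stated size of WTC32.scr
LURE_ATTACHMENTS = {name for _, name, _ in VOTE_SIGNATURES}

def classify_message(subject, attachment, attachment_size=None):
    """Return (family, confidence) for one message, or None if nothing matches.

    'high': subject and attachment name both match the lure.
    'medium': only the attachment name matches (subjects change when forwarded),
    or the Vote.D size check fails when a size is known.
    """
    att = attachment.lower()
    for pattern, lure_name, family in VOTE_SIGNATURES:
        if att == lure_name and pattern.search(subject):
            if (family == "Vote.D" and attachment_size is not None
                    and attachment_size != VOTE_D_ATTACHMENT_SIZE):
                return (family, "medium")
            return (family, "high")
    if att in LURE_ATTACHMENTS:
        return ("Vote (attachment name only)", "medium")
    return None

def scan_messages(messages):
    """Run classify_message over (subject, attachment, size) tuples; return the hits."""
    hits = []
    for subject, attachment, size in messages:
        result = classify_message(subject, attachment, size)
        if result:
            hits.append((subject, *result))
    return hits

# Constructed sample messages, not real captures: (subject, attachment, size in bytes).
SAMPLE_MESSAGES = [
    ("Fwd:Peace BeTween AmeriCa and IsLaM !", "WTC.exe", 4096),
    ("Fwd: This War Must Be Done !", "WTC.exe", 4096),
    ("Alice WORLD TRADE CENTER PICTURES", "WTC32.scr", 61440),
    ("Re: quarterly report", "report.doc", 30000),
]

if __name__ == "__main__":
    for subject, family, confidence in scan_messages(SAMPLE_MESSAGES):
        print(f"{confidence:<6} {family:<10} {subject}")
```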
When a user runs the infected attachment, the worm copies itself
to the system under the following names:
c:\windows\notepad.exe
c:\Windows\WTC32.scr
c:\Autorun.com
Since the path "c:\Windows\" is hard-coded, Vote.D won't work if
Windows is installed in a folder different from "c:\windows".
After copying its files to a hard disk the worm creates a startup
key for one of its files in the Registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\W32Tc]
@ = "c:\Windows\WTC32.scr"
Additionally the worm changes the startup page of Internet
Explorer to point to the worm's file "c:\Windows\WTC32.scr".
After the mass mailing, the worm displays one or more
message boxes with different messages, for example:
WORLD TRADE CENTER
WE WILL ALWAYS REMEMBER THOSE LOST SOULS...
Some of these messages are very insulting and contain bad language.
Payload
The worm has a dangerous payload. It does the following:
1. Deletes all DLL files in C:\Windows\System32\ folder.
2. Locates files with the following extensions: .wav .mp3 .jpg
.bmp .zip .rar .doc, writes itself under each such file's name
with an additional .exe extension, and deletes the original files.
3. Overwrites all .exe and .scr files with its body.
Vote.D worm changes the Registered Owner and Registered
Organization settings of Windows to:
YOU ARE A VICTIM OF THE
WORLD TRADE CENTER
The worm changes the Product Name setting of Windows to:
w32.hllp.I-Worm.WTC.03
Vote.D can create many copies of itself with randomly generated
names in the c:\Windows\Systm32\BkUp folder.
The worm can play the "GUESS A NUMBER" game with a user of an
infected computer. It asks: "GUESS A NUMBER From 1 to 50" and
waits for the answer. If the answer is right, the worm displays
"Alright!", otherwise it displays "Sorry !".
F-Secure Anti-Virus detects the Vote.D worm as I-Worm.generic.
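The removal instructions above require every dropped file and Run key to be found before the machine is rebooted. The following added example (not F-Secure's code) matches a host snapshot against the artifact lists on this page for Vote.A, B, C and D; the Windows and system directory defaults and the sample snapshot are assumptions, and the caller is expected to collect the real Run value names and file listing first.

```python
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Artifacts per variant, taken from this description: (Run value names, file paths).
# [windows_dir]/[system_dir] are the page's placeholders; Vote.D hard-codes c:\windows.
# Vote.D's notepad.exe copy is a legitimate file name and is deliberately not an indicator.
VARIANTS = {
    "Vote.A": ({"norton.thar"},
               {r"[windows_dir]\wtc.exe", r"[windows_dir]\mixdalal.vbs",
                r"[system_dir]\zacker.vbs"}),
    "Vote.B": ({"zacker", "alwail"},
               {r"[windows_dir]\anti_terrorism.exe", r"[windows_dir]\mixdalal.vbs",
                r"[system_dir]\dalal.vbs", r"[system_dir]\wail.vbs"}),
    "Vote.C": ({"zacker", "alwail"},
               {r"[windows_dir]\wtc.exe", r"[windows_dir]\mixdalal.vbs",
                r"[system_dir]\dalal.vbs", r"[system_dir]\wail.vbs"}),
    "Vote.D": ({"w32tc"}, {r"c:\windows\wtc32.scr", r"c:\autorun.com"}),
}

def triage(run_values, present_files, windows_dir=r"c:\windows",
           system_dir=r"c:\windows\system"):
    """Match a host snapshot against the Vote artifacts.

    run_values: value names under RUN_KEY; present_files: absolute paths on disk.
    Directory defaults are assumptions (Windows 9x layout); pass the real ones.
    Returns {variant: sorted matched artifacts} for every variant with a hit.
    """
    values = {v.lower() for v in run_values}
    files = {f.lower() for f in present_files}
    hits = {}
    for variant, (names, paths) in VARIANTS.items():
        expected = {p.replace("[windows_dir]", windows_dir)
                     .replace("[system_dir]", system_dir).lower() for p in paths}
        found = sorted(RUN_KEY + "\\" + n for n in names & values)
        found += sorted(expected & files)
        if found:
            hits[variant] = found
    return hits

def best_match(hits):
    """Pick the variant with the most matched artifacts (shared files make A/B/C overlap)."""
    return max(hits.items(), key=lambda kv: len(kv[1]), default=(None, []))

# Constructed snapshot of a machine hit by Vote.B (not real data).
SAMPLE_RUN_VALUES = ["ZaCker", "ALWaiL", "SystemTray"]
SAMPLE_FILES = [r"C:\WINDOWS\Anti_TeRRoRisM.exe", r"C:\WINDOWS\MixDaLaL.vbs",
                r"C:\WINDOWS\SYSTEM\DaLaL.vbs", r"C:\WINDOWS\SYSTEM\WaiL.vbs"]

if __name__ == "__main__":
    variant, artifacts = best_match(triage(SAMPLE_RUN_VALUES, SAMPLE_FILES))
    print(variant, "- remove these before any reboot:", *artifacts, sep="\n  ")
```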
[Analysis: Katrin Tocheva, Gergely Erdelyi, Alexey Podrezov, Mikko Hypponen; F-Secure Corp.,
September 25th 2001 - March 24th, 2003]