Threat Description

Vote.K

Details

Aliases: Vote.K, W32.Vote.K@mm, W32/Vote.K, I-Worm.Vote.K
Category: Malware
Type: Worm
Platform: W32

Summary



For information on previous Vote worm variants see the following page: http://www.europe.f-secure.com/v-descs/vote.shtml

Vote.K worm appeared in September 2003. It is an e-mail, IRC and P2P worm with a very destructive payload. The worm has a lot of bugs and many of its features don't work.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



When run, the worm does the following:

1. Creates a startup key in the Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "W32Tc" = "c:\Windows\WTC32.scr"


2. Changes Internet Explorer startup page to:

c:\Windows\WTC32.scr


3. Creates the file 'Microsoft NT Help.html' in the root of the C: drive and writes HTML code into it. If this file is opened with a web browser, the following text will be seen:

Welcome... Click here to start


The 'here' is a hyperlink pointing to C:\NT-Help.com file. However the worm failed to create such a file during our tests.

4. Replaces SCRIPT.INI file in mIRC client folder with a script that can send the 'c:\Op_Me.co_' file to all channel members with one of the following texts:

Hello.. Do you wanna be an operator of this channel?
 Here's a software from mIRCx.. First, you'll have to convert it
 to a .com file then walk it and become a channel operator
 instantly...

 Be a channel operator using this software from mIRCx...
 First, you'll have to convert it to a .com file then walk it and
 become a channel operator instantly...


The worm did not create the 'Op_Me.co_' file during our tests.

5. Displays a messagebox:

WORLD TRADE CENTER

 WE WILL ALWAYS REMEMBER THOSE LOST SOULS...


Then it can display a messagebox with insulting content.

6. Creates and runs the PICT232.REG file, which changes the Kazaa peer-to-peer client's shared folder to 'C:\Windows\Systm32'. The worm creates this folder but fails to save any files there. By design it should have saved the following files there:

18_Britney_Sucking_Sex_
 Teen_Pussy_Hardcore_Sex_
 XXX_Christina_Celebrities_Pamela_Sex_Screensaver_
 XXX_Teens_Hot_Gauge_Aria_Jennifer_Sex_Screensaver_
 F*cking_Hot_Horny_Screensaver_
 Orgy_Incest_Illegal_Sex_


These files would have had the following extensions:

.jpg.scr
 .mpg.scr
 .avi.scr


7. Tries to create the following files with its code:

c:\Windows\WTC32.scr
 c:\Autorun.com
 c:\NT-Help.com
 c:\Op_Me.co_
 C:\Documents and Settings\All Users\Desktop\Welcome.scr


However, we did not observe the creation of these files on our test system.

8. Creates c:\WTC32.DLL file that contains the following text:

<number> Users In Harmony With God !


where <number> is the number of infected e-mails that the worm sent.

10. Sometimes the worm offers to play a 'Guess a number' game by displaying the following message:

GUESS A NUMBER From 1 to 50


11. Attempts to send itself in e-mail. We observed the worm sending the following e-mails:

Subject:

<recipient_name>.  <text> THE WAR HAS STARTED !


where <text> can be one of the following:

LET US UNITE
 WORLD TRADE CENTER, REVENGE !
 NOW OUR MISSION: DEATH ?
 THE WORLD WAR THREE IS HERE !
 REMEMBER OUR LOST SOULS !
 WORLD WAR SCENES FROM IRAQ !


Body:

<recipient_name>, THE WAR IS NOT A JOKE !... THERE IS ONE BUILDING UP RIGHT NOW
 Let's Unite In This Horrible Kaos. Jill Fifth... Fight For Us....!!!
 ...And Let Us Remember Those Lost Souls !  WE COUNT ON YOU ! <recipient_name>
 Greetings,
 World War Veterans.


where <recipient_name> is the name of the recipient of the worm's message.

Attachment:

WTC32.DLL


This file contains the following text:

<number> Users In Harmony With God !


where <number> is the number of infected e-mails that the worm sent.

We did not observe the worm attaching itself to the messages it was sending, but if it did, it would use the WTC32.SCR file.

Payload

The worm has a dangerous payload. It is activated after the worm's attempt to spread itself in e-mail. When the payload is activated, the worm does the following:

1. Changes the Registered Owner and Organization information of an infected computer to:

YOU ARE A VICTIM OF THE
 WORLD TRADE CENTER


2. Changes the Product Name (Windows name) to:

w32.hllw.I-Worm.WTC.03

3. Overwrites all EXE, COM and SCR files on the entire hard disk with its body.

4. Creates HTML 'shadow' files for every AI, PSD, TXT, PIF, DOC and RTF file. The 'shadow' file has the name and extension of the original file plus an HTML extension, for example FILE.DOC.HTML. If these files are opened with a web browser, the following text will be seen:

Welcome... Click here to start


The 'here' is a hyperlink pointing to 'C:\NT-Help.com' file. However the worm failed to create such a file during our tests.

5. Shows messageboxes with insulting messages.

6. Drops a batch file, AutoStart.bat, which is detected by F-Secure Anti-Virus as I-Worm.BWG.a.

The batch file saves itself under different file names and replaces files used by the system with its own. It creates copies of itself in files such as:

AutoStart.bat
 cniad.bat
 NTFS.bat
 pbbgt.bat
 funny.bat
 Haha.bat
 WINI.bat
 bzoyw.bat
 wygoa.bat


The batch file creates a folder named suPs and copies itself there as yyybp.bat. It maps the suPs folder as drive L:.

It also replaces the WIN.INI and SYSTEM.INI files with its own versions, which start a copy of the batch file during Windows bootup.

It also drops WTC.TXT file into the root of C:\ drive. This file contains the following text:

You Are A Victim Of The WTC Worm !


Finally the code in the batch file tries to send the following message over the network:

I Am A Victim Of The WTC Worm !


7. Can delete all DLL and OCX files from the 'C:\Windows\System32' folder

8. Can delete all SYS files from the 'C:\Windows' folder

9. Can delete all files from the root of the C: drive

10. Deletes all WAV, MP3, JPG, BMP, ZIP, RAR and MPG files and creates files with the same names and extension plus EXE extension, for example FILE.MPG.EXE. These new files contain the worm's copy.

11. Changes default user's logon password to 'world'

12. Changes default user's screensaver password to '1'

13. Changes a few settings of Internet Explorer to disable certain features like showing Internet and Control Panel icons.

14. Changes the default network logon name to 'I-WORM-WTC'

15. The worm drops and runs the AR.VBS file in the 'C:\Windows\Temp' folder. The VBS is designed to change the Registry so that it runs itself during the next system restart. Depending on the system date (an even number), another payload should be activated, but this never happens because of a bug in the script.

After the payload is activated the system becomes unusable because the worm has overwritten most of the executable files.
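As an added example (not part of the original F-Secure description), the Python below checks a constructed host snapshot for the indicators listed in the Technical Details and Payload sections above: the W32Tc Run key, the Internet Explorer start page (assumed here to be the 'Start Page' value under HKCU\Software\Microsoft\Internet Explorer\Main, which the description does not name), the dropped files, the FILE.DOC.HTML shadow files pointing at NT-Help.com, and the renamed FILE.MPG.EXE media files. The registry and file dictionaries are constructed sample data, not output from a real machine.

```python
import re

# Indicators from the description above; the snapshot is a constructed dict, not a live host.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IE_MAIN_KEY = r"HKCU\Software\Microsoft\Internet Explorer\Main"   # assumed key for "Start Page"
SHADOW_EXTS = ("ai", "psd", "txt", "pif", "doc", "rtf")          # payload step 4
RENAMED_EXTS = ("wav", "mp3", "jpg", "bmp", "zip", "rar", "mpg")  # payload step 10
SHADOW_RE = re.compile(r"\.(%s)\.html$" % "|".join(SHADOW_EXTS))
RENAMED_RE = re.compile(r"\.(%s)\.exe$" % "|".join(RENAMED_EXTS))
DROPPED_NAMES = ("wtc32.dll", "wtc.txt", "microsoft nt help.html", "pict232.reg", "wtc32.scr")

def scan(registry, files):
    """registry: {key: {value_name: data}}; files: {path: text or None}. Returns sorted findings."""
    findings = []
    run_value = registry.get(RUN_KEY, {}).get("W32Tc", "")
    if run_value.lower().endswith("wtc32.scr"):          # technical details step 1
        findings.append(("run_key", run_value))
    start_page = registry.get(IE_MAIN_KEY, {}).get("Start Page", "")
    if start_page.lower().endswith("wtc32.scr"):         # technical details step 2
        findings.append(("ie_start_page", start_page))
    for path, text in files.items():
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]                  # file name without directory
        if name in DROPPED_NAMES or low.endswith("\\nt-help.com"):
            findings.append(("dropped_file", path))
        if SHADOW_RE.search(low) and text and "nt-help.com" in text.lower():
            findings.append(("shadow_html", path))      # FILE.DOC.HTML pointing at NT-Help.com
        if RENAMED_RE.search(low):
            findings.append(("renamed_media", path))    # FILE.MPG.EXE carrying the worm
        if text and "users in harmony with god" in text.lower():
            findings.append(("marker_text", path))      # WTC32.DLL counter text
    return sorted(set(findings))

# Constructed sample snapshot modelled on the behaviour described above.
SAMPLE_REGISTRY = {
    RUN_KEY: {"W32Tc": r"c:\Windows\WTC32.scr", "ctfmon": r"C:\Windows\System32\ctfmon.exe"},
    IE_MAIN_KEY: {"Start Page": r"c:\Windows\WTC32.scr"},
}
SAMPLE_FILES = {
    r"C:\WTC32.DLL": "12 Users In Harmony With God !",
    r"C:\Docs\report.doc.html": '<a href="C:\\NT-Help.com">here</a>',
    r"C:\Music\song.mp3.exe": None,
    r"C:\Windows\notepad.exe": None,
}

if __name__ == "__main__":
    for indicator, detail in scan(SAMPLE_REGISTRY, SAMPLE_FILES):
        print(indicator, detail)
```

On a real host the two dictionaries would be filled from a registry export and a directory walk; the matching logic is unchanged.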



Detection


F-Secure Anti-Virus detects the worm, the batch virus and the dropped Visual Basic Script with earlier updates using generic detection. Exact detection of Vote.K and its components was added in the following updates:
Database: 2003-09-10_03



Technical Details: Alexey Podrezov, Katrin Tocheva; 10th of September, 2003

