Skip to main content

Voltan

Classification

Category:Malware
Type:Worm
Platform:W32
Aliases:

Voltan, W32/Voltan.A@mm, I-Worm.Voltan, Marque, Voltan.A

Summary

Voltan is a mass mailing worm that was found late evening on October 24th, 2003.

The worm arrives in emails which contain a link to a web page from where a file could be downloaded. The emails contain text in Italian.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The mass-mailing routine of Voltan does not send the worm in the email. It sends a link to a website which first displays a message:

 Il momento - catartico... per parafrasare un noto comico di ZELIG !!! [The moment is cathartic... to paraphrase a famous comedian from ZELIG !!!]

then offers a file named 'zelig.scr' for download. 'zelig.scr' is to body of the worm.

When the file is opened it opens a webpage in the default browser with the following content:

 Congratulazioni ! Il "CATARTICO" screen saver - stato installato con successo . [Congratulations ! The CATHARTIC screen saver has been successfully installed]

It creates a value in the registry as

 'HKLM\Control Panel\Screen Saver.Marquee\text'

with the text:

 A volte ti sento cos? vicina...A volte ti sento cos? lontana ...Certo che hai proprio un cellulare di m**da! [Sometimes I can feel you so close...Sometimes I feel you so distant ...You sure have a sh*tty cell phone!]

To send emails Voltan first locates the Windows Address Book and reads the list of contacts from there. Using its own SMTP engine it sends the following emails to the contacts:

 From: user@of.infected.computer To: friend@of.the.user.of.the.infected.computer Subject: Il momento e' catartico [The moment is cathartic] Body: Ricevo e cortesemente inoltro,.... un premio per la genialita hanno reso mitico un salva schermo scaricalo, "poesie catartiche", che non sai cosa ti perdi ciao [I received this and I'm forwarding it,... an award to genius they made this great a screen-saver download it, "cathartic poems", you don't know what you're missing]

If the worm can not find the email address of the user of the infected computer it uses a hardcoded address instead.

Voltan uses system DLLs which are not available on some systems. The worm does not work on Windows 95/98/ME and Windows NT4.

Translations:Fabrizio Cassoni

More Support

Community

Ask questions in our Community.

User guides

Check the user guide for instructions.

Contact Support

Chat with with or call an agent.

Submit a Sample

Submit a file or URL for analysis.