Voltan is a mass mailing worm that was found late evening on October 24th, 2003.
The worm arrives in emails which contain a link to a web page from where a file could be downloaded. The emails contain text in Italian.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
The mass-mailing routine of Voltan does not send the worm in the email. It sends a link to a website which first displays a message:
Il momento - catartico... per parafrasare un noto comico di ZELIG !!! [The moment is cathartic... to paraphrase a famous comedian from ZELIG !!!]
then offers a file named 'zelig.scr' for download. 'zelig.scr' is to body of the worm.
When the file is opened it opens a webpage in the default browser with the following content:
Congratulazioni ! Il "CATARTICO" screen saver - stato installato con successo . [Congratulations ! The CATHARTIC screen saver has been successfully installed]
It creates a value in the registry as
'HKLM\Control Panel\Screen Saver.Marquee\text'
with the text:
A volte ti sento cos? vicina...A volte ti sento cos? lontana ...Certo che hai proprio un cellulare di m**da! [Sometimes I can feel you so close...Sometimes I feel you so distant ...You sure have a sh*tty cell phone!]
To send emails Voltan first locates the Windows Address Book and reads the list of contacts from there. Using its own SMTP engine it sends the following emails to the contacts:
From: firstname.lastname@example.org To: email@example.com Subject: Il momento e' catartico [The moment is cathartic] Body: Ricevo e cortesemente inoltro,.... un premio per la genialita hanno reso mitico un salva schermo scaricalo, "poesie catartiche", che non sai cosa ti perdi ciao [I received this and I'm forwarding it,... an award to genius they made this great a screen-saver download it, "cathartic poems", you don't know what you're missing]
If the worm can not find the email address of the user of the infected computer it uses a hardcoded address instead.
Voltan uses system DLLs which are not available on some systems. The worm does not work on Windows 95/98/ME and Windows NT4.
Ask questions in our Community .
Check the user guide for instructions.
Submit a Sample
Submit a file or URL for analysis.