Threat Description

Vote.K

Details

Category: Malware
Type: Worm
Platform: W32
Aliases: Vote.K, W32.Vote.K@mm, W32/Vote.K, I-Worm.Vote.K

Summary


For information on previous Vote worm variants see the following page: https://www.europe.f-secure.com/v-descs/vote.shtml

Vote.K worm appeared in September 2003. It is an e-mail, IRC and P2P worm with a very destructive payload. The worm has a lot of bugs and many of its features don't work.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


When run, the worm does the following:

1. Creates a startup key in the Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"W32Tc" = "c:\Windows\WTC32.scr"

2. Changes Internet Explorer startup page to:

c:\Windows\WTC32.scr   

3. Creates the file 'Microsoft NT Help.html' in the root of the C: drive and writes HTML code to it. If this file is opened in a web browser, the following text is shown:

Welcome... Click here to start

The word 'here' is a hyperlink pointing to the file C:\NT-Help.com. However, the worm failed to create that file during our tests.

4. Replaces the SCRIPT.INI file in the mIRC client folder with a script that sends the file 'c:\Op_Me.co_' to all channel members, accompanied by one of the following texts:

Hello.. Do you wanna be an operator of this channel? Here's a software from mIRCx.. First, you'll have to convert it to a .com file then walk it and become a channel operator instantly...

Be a channel operator using this software from mIRCx... First, you'll have to convert it to a .com file then walk it and become a channel operator instantly...

The worm did not create the 'Op_Me.co_' file during our tests.

5. Displays a messagebox:

WORLD TRADE CENTER   WE WILL ALWAYS REMEMBER THOSE LOST SOULS...   

Then it can display a messagebox with an insulting content.

6. Creates and runs the file PICT232.REG, which changes the Kazaa peer-to-peer client's shared folder to 'C:\Windows\Systm32' (note the spelling: 'Systm32', not the legitimate 'System32'). The worm creates this folder but fails to save any files in it. By design it should have saved the following files there:

18_Britney_Sucking_Sex_
Teen_Pussy_Hardcore_Sex_
XXX_Christina_Celebrities_Pamela_Sex_Screensaver_
XXX_Teens_Hot_Gauge_Aria_Jennifer_Sex_Screensaver_
F*cking_Hot_Horny_Screensaver_
Orgy_Incest_Illegal_Sex_

These files would have had the following extensions:

.jpg.scr
.mpg.scr
.avi.scr

7. Tries to create the following files containing its code:

c:\Windows\WTC32.scr
c:\Autorun.com
c:\NT-Help.com
c:\Op_Me.co_
C:\Documents and Settings\All Users\Desktop\Welcome.scr

However we did not observe creation of these files on our test system.

8. Creates the file c:\WTC32.DLL, which contains the following text:

<number> Users In Harmony With God !

where <number> is the number of infected e-mails the worm has sent.

10. Sometimes the worm offers to play a 'Guess a number' game by displaying the following message:

GUESS A NUMBER From 1 to 50   

11. Attempts to send itself in e-mail. We observed the worm sending the following e-mails:

Subject:

<text>. THE WAR HAS STARTED !

where <text> can be one of the following:

LET US UNITE
WORLD TRADE CENTER, REVENGE !
NOW OUR MISSION: DEATH ?
THE WORLD WAR THREE IS HERE !
REMEMBER OUR LOST SOULS !
WORLD WAR SCENES FROM IRAQ !

Body:

<recipient_name>, THE WAR IS NOT A JOKE !... THERE IS ONE BUILDING UP RIGHT NOW
Let's Unite In This Horrible Kaos. Jill Fifth... Fight For Us....!!!
...And Let Us Remember Those Lost Souls !
WE COUNT ON YOU !

Greetings,
World War Veterans.

where <recipient_name> is the name of the recipient of the worm's message.

Attachment:

WTC32.DLL

This file contains the following text:

<number> Users In Harmony With God !

where <number> is the number of infected e-mails the worm has sent.

We did not observe the worm attaching itself to the messages it sent. If it did attach itself, it would use the WTC32.SCR file.
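The Run-key entry and the changed start page above, together with the owner, organization and product-name strings the payload writes (see the Payload section), are the registry indicators to look for on a suspect host. The following Python script is an added example, not F-Secure's tooling or the worm's code: it parses the text of a .reg export (as written by `reg export` on the affected machine) and flags those values. The key paths assumed for the Internet Explorer start page (HKCU\Software\Microsoft\Internet Explorer\Main, value "Start Page") and for RegisteredOwner, RegisteredOrganization and ProductName (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion) are the standard Windows locations and are not stated in this description; the SAMPLE_REG text is constructed for the example.

```python
"""Flag Vote.K registry indicators in a Windows .reg export.

Added example, not F-Secure's tooling. Export the keys on the suspect host with
`reg export`, copy the .reg file off the machine and pass its text to triage_reg_text().
Value names and data come from the Vote.K description; the Internet Explorer and
Windows NT\CurrentVersion key paths are standard locations assumed here.
"""
import re
from typing import Iterator, List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    key: str
    name: str
    data: str
    reason: str


# Constructed sample: a partial export of the keys as they would look after infection.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"W32Tc"="c:\\Windows\\WTC32.scr"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="c:\\Windows\\WTC32.scr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"RegisteredOwner"="YOU ARE A VICTIM OF THE  WORLD TRADE CENTER"
"RegisteredOrganization"="YOU ARE A VICTIM OF THE  WORLD TRADE CENTER"
"ProductName"="w32.hllw.I-Worm.WTC.03"
"CurrentVersion"="5.1"
'''

_KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
# "name"=data  or  @=data (default value); name may contain escaped quotes.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value_name, data) for every value in a .reg export.
    Only REG_SZ data is decoded; other types (dword:, hex:) are returned raw."""
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(2)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = '@' if m.group(2) else _unescape(m.group(1))
            data = m.group(3)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            yield key, name, data


def triage_reg_text(text: str) -> List[Finding]:
    """Return one Finding per registry value that matches a Vote.K indicator."""
    findings: List[Finding] = []
    for key, name, data in parse_reg(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        reason = None
        if k.endswith(r'\currentversion\run') and n == 'w32tc':
            reason = 'Vote.K startup entry (Technical Details, step 1)'
        elif 'wtc32.scr' in d:
            reason = 'value points at the worm file WTC32.scr'
        elif n in ('registeredowner', 'registeredorganization') \
                and 'victim of the' in d and 'world trade center' in d:
            reason = 'owner/organization overwritten by the payload'
        elif n == 'productname' and d == 'w32.hllw.i-worm.wtc.03':
            reason = 'product name overwritten by the payload'
        if reason:
            findings.append(Finding(key, name, data, reason))
    return findings


if __name__ == '__main__':
    for f in triage_reg_text(SAMPLE_REG):
        print(f'{f.key}\\{f.name} = {f.data!r}: {f.reason}')
```

A clean Run entry in the sample (SecurityHealth) is left alone; only the W32Tc value, any value whose data points at WTC32.scr, and the payload's owner and product-name strings are reported. Because the payload overwrites executables on the host, run this on an export copied to a clean machine rather than on the infected system.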

Payload

The worm has a dangerous payload. It is activated after the worm attempts to spread itself by e-mail. When the payload is activated, the worm does the following:

1. Changes the Registered Owner and Organization information of an infected computer to:

YOU ARE A VICTIM OF THE
WORLD TRADE CENTER

2. Changes the Product Name (Windows name) to:

w32.hllw.I-Worm.WTC.03  

3. Overwrites all EXE, COM and SCR files on the entire hard disk with its body.

4. Creates an HTML 'shadow' file for every AI, PSD, TXT, PIF, DOC and RTF file. The 'shadow' file has the name and extension of the original file plus an HTML extension, for example FILE.DOC.HTML. If one of these files is opened in a web browser, the following text is shown:

Welcome... Click here to start

The word 'here' is a hyperlink pointing to the file 'C:\NT-Help.com'. However, the worm failed to create that file during our tests.

5. Shows messageboxes with insulting messages.

6. Drops a batch file AutoStart.bat which is detected by F-Secure Anti Virus as I-Worm.BWG.a.

The batch file saves itself under several different names and replaces files used by the system with its own copies. It creates copies of itself in files such as:

AutoStart.bat
cniad.bat
NTFS.bat
pbbgt.bat
funny.bat
Haha.bat
WINI.bat
bzoyw.bat
wygoa.bat

The batch file creates a folder named suPs and copies itself there as yyybp.bat. It assigns the suPs folder to drive letter L:.

It also replaces the WIN.INI and SYSTEM.INI files with its own versions, which start a copy of the batch file during Windows startup.

It also drops WTC.TXT file into the root of C:\ drive. This file contains the following text:

You Are A Victim Of The WTC Worm !   

Finally, the batch file tries to send the following message over the network:

I Am A Victim Of The WTC Worm !   

7. Can delete all DLL and OCX files from the 'C:\Windows\System32' folder

8. Can delete all SYS files from the 'C:\Windows' folder

9. Can delete all files from the root of the C: drive

10. Deletes all WAV, MP3, JPG, BMP, ZIP, RAR and MPG files and creates files with the same name and extension plus an added EXE extension, for example FILE.MPG.EXE. These new files contain a copy of the worm.

11. Changes default user's logon password to 'world'

12. Changes default user's screensaver password to '1'

13. Changes a few Internet Explorer settings to disable certain features, such as showing the Internet and Control Panel icons.

14. Changes the default network logon name to 'I-WORM-WTC'

15. Drops and runs the file AR.VBS in the 'C:\Windows\Temp' folder. The VBS is designed to change the Registry so that it runs again at the next system restart. Depending on the system date (an even number), a further payload should be activated, but this never happens because of a bug in the script.

After the payload runs, the system becomes unusable because the worm has overwritten most of its executable files.
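After the payload has run, the double-extension worm copies, the HTML 'shadow' files and the dropped helper files listed above are the filesystem indicators that remain on the disk. The Python script below is an added example, not F-Secure's tooling or the worm's code: it walks a directory tree (for instance a mounted, read-only image of the infected drive) and reports every name matching the patterns from this description. The check on the contents of the .html shadow files assumes they contain a link to NT-Help.com, as the text states; the exact HTML the worm writes is not given, so that part is a heuristic. The SAMPLE_FILES tree is constructed for the demo and the file names in it are invented.

```python
"""Scan a directory tree for the files Vote.K's payload and droppers leave behind.

Added example, not F-Secure's tooling; it only reports and never deletes anything.
File and folder names are taken from the Vote.K description. The content check on
.html 'shadow' files (looking for an NT-Help.com link) is an assumption based on the
description's wording. Typical use: scan_tree('/mnt/c') on a mounted disk image.
"""
import os
import re
import tempfile
from typing import List, NamedTuple


class Finding(NamedTuple):
    path: str    # path relative to the scanned root
    reason: str  # which indicator matched


# Names written by the installer, the batch dropper and the payload.
DROPPED_NAMES = {
    'wtc32.scr', 'wtc32.dll', 'wtc.txt', 'autorun.com', 'nt-help.com', 'op_me.co_',
    'welcome.scr', 'microsoft nt help.html', 'pict232.reg', 'ar.vbs',
    'autostart.bat', 'cniad.bat', 'ntfs.bat', 'pbbgt.bat', 'funny.bat', 'haha.bat',
    'wini.bat', 'bzoyw.bat', 'wygoa.bat', 'yyybp.bat',
}
# Folders the worm creates: the fake Kazaa share and the batch file's suPs folder.
DROPPED_DIRS = {'sups', 'systm32'}

# FILE.DOC.HTML 'shadow' files written next to documents (payload step 4).
SHADOW_RE = re.compile(r'\.(ai|psd|txt|pif|doc|rtf)\.html$', re.IGNORECASE)
# FILE.MPG.EXE worm copies that replace deleted media and archives (payload step 10).
MEDIA_EXE_RE = re.compile(r'\.(wav|mp3|jpg|bmp|zip|rar|mpg)\.exe$', re.IGNORECASE)
# Bait screensaver names intended for the Kazaa share folder (step 6).
BAIT_RE = re.compile(r'\.(jpg|mpg|avi)\.scr$', re.IGNORECASE)


def _links_to_nt_help(path: str) -> bool:
    """Heuristic: does the start of the file mention the NT-Help.com link target?"""
    try:
        with open(path, 'rb') as fh:
            return b'nt-help.com' in fh.read(4096).lower()
    except OSError:
        return False


def scan_tree(root: str) -> List[Finding]:
    """Walk root and return every directory or file matching a Vote.K indicator."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() in DROPPED_DIRS:
                findings.append(Finding(os.path.relpath(os.path.join(dirpath, d), root),
                                        'directory created by worm'))
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            low = name.lower()
            if low in DROPPED_NAMES:
                findings.append(Finding(rel, 'file name dropped by worm'))
            elif SHADOW_RE.search(low):
                if _links_to_nt_help(full):
                    findings.append(Finding(rel, 'HTML shadow file linking to NT-Help.com'))
                else:
                    findings.append(Finding(rel, 'HTML shadow file name (content not confirmed)'))
            elif MEDIA_EXE_RE.search(low):
                findings.append(Finding(rel, 'media file replaced by .EXE worm copy'))
            elif BAIT_RE.search(low):
                findings.append(Finding(rel, 'Kazaa bait screensaver name'))
    return sorted(findings)


# Constructed sample tree: two clean files plus post-payload artifacts (names invented).
SAMPLE_FILES = {
    'Documents/report.doc': b'clean document',
    'Documents/report.doc.html': b'<html><body>Welcome... Click <a href="C:\\NT-Help.com">here</a> to start</body></html>',
    'Documents/notes.txt.html': b'<html><body>unrelated export</body></html>',
    'Music/song.mp3.exe': b'MZ...',
    'Music/other.mp3': b'ID3...',
    'WTC.TXT': b'You Are A Victim Of The WTC Worm !\r\n',
    'Windows/Systm32/holiday.avi.scr': b'MZ...',
    'suPs/yyybp.bat': b'@echo off',
}


def demo() -> List[Finding]:
    """Build the constructed tree in a temporary directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in SAMPLE_FILES.items():
            full = os.path.join(tmp, *rel.split('/'))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, 'wb') as fh:
                fh.write(data)
        return scan_tree(tmp)


if __name__ == '__main__':
    for f in demo():
        print(f'{f.path}: {f.reason}')
```

The clean report.doc and other.mp3 in the sample produce no findings; the .doc.html next to the document is reported with higher confidence only when its content carries the NT-Help.com link. Because the payload overwrites EXE, COM and SCR files and deletes system DLLs, do not run this from the infected installation itself; image the disk and scan the image from a clean system.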



Detection


F-Secure Anti-Virus detects the worm, the batch virus and the dropped Visual Basic Script with earlier updates using generic detection. Exact detection of Vote.K and its components was added in the following updates:
Database: 2003-09-10_03



Technical Details:Alexey Podrezov, Katrin Tocheva; 10th of September, 2003

