Classification

Category: Malware

Type: Worm

Aliases: Vote.K, W32.Vote.K@mm, W32/Vote.K, I-Worm.Vote.K

Summary


For information on previous Vote worm variants see the following page: https://www.europe.f-secure.com/v-descs/vote.shtml

Vote.K worm appeared in September 2003. It is an email, IRC and P2P worm with a very destructive payload. The worm has a lot of bugs and many of its features don't work.

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


When run, the worm does the following:

1. Creates a startup key in the Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"W32Tc" = "c:\Windows\WTC32.scr"
 

2. Changes Internet Explorer startup page to:

c:\Windows\WTC32.scr
 

3. Creates the 'Microsoft NT Help.html' in the root of C: drive and writes HTML code there. If this file is opened with a web browser, the following text will be seen:

Welcome... Click here to start
 

The 'here' is a hyperlink pointing to C:\NT-Help.com file. However the worm failed to create such a file during our tests.

4. Replaces SCRIPT.INI file in mIRC client folder with a script that can send the 'c:\Op_Me.co_' file to all channel members with one of the following texts:

Hello.. Do you wanna be an operator of this channel?
Here's a software from mIRCx.. First, you'll have to convert it
to a .com file then walk it and become a channel operator
instantly...
 Be a channel operator using this software from mIRCx...
First, you'll have to convert it to a .com file then walk it and
become a channel operator instantly...
 

The worm did not create the 'Op_Me.co_' file during our tests.

5. Displays a messagebox:

WORLD TRADE CENTER
 WE WILL ALWAYS REMEMBER THOSE LOST SOULS...
 

Then it can display a messagebox with an insulting content.

6. Creates and runs the PICT232.REG file that changes Kazaa peer-to-peer client's shared folder to 'C:\Windows\Systm32'. The worm creates this folder but fails to save any files there. By design it should have saved there the following files:

18_Britney_Sucking_Sex_
Teen_Pussy_Hardcore_Sex_
XXX_Christina_Celebrities_Pamela_Sex_Screensaver_
XXX_Teens_Hot_Gauge_Aria_Jennifer_Sex_Screensaver_
F*cking_Hot_Horny_Screensaver_
Orgy_Incest_Illegal_Sex_
 

These files would have had the following extensions:

.jpg.scr
.mpg.scr
.avi.scr
 

7. Tries to create the following files with its code:

c:\Windows\WTC32.scr
c:\Autorun.com
c:\NT-Help.com
c:\Op_Me.co_
C:\Documents and Settings\All Users\Desktop\Welcome.scr
 

However we did not observe creation of these files on our test system.

8. Creates c:\WTC32.DLL file that contains the following text:

 Users In Harmony With God !
 

where <number> is a number of infected emails that the worm sent.

10. Sometimes the worm offers to play 'Guess a number' game by displaying the following message:

GUESS A NUMBER From 1 to 50
 

11. Attempts to send itself in email. We observed the worm sending the following emails:

Subject:

.   THE WAR HAS STARTED !   

where <text> can be one of the following:

.
 THE WAR HAS STARTED !
 

Body:

, THE WAR IS NOT A JOKE !... THERE IS ONE BUILDING UP RIGHT NOW  Let's Unite In This Horrible Kaos. Jill Fifth... Fight For Us....!!!  ...And Let Us Remember Those Lost Souls !  WE COUNT ON YOU !   Greetings,  World War Veterans.   

where <recipient_name> is the name of a recipient of the worm's message.

Attachment:

.
 THE WAR HAS STARTED !
 

This file contains the following text:

.
 THE WAR HAS STARTED !
 

where <number> is a number of infected emails that the worm sent.

We did not observe the worm attaching itself to the messages it was sending but if it would attach itself, it would use WTC32.SCR file.

Payload

The worm has a dangerous payload. It is activated after the worm's attempt to spread itself in email. When the payload is activated, the worm does the following:

1. Changes the Registered Owner and Organization information of an infected computer to:

.
 THE WAR HAS STARTED !
 

2. Changes the Product Name (Windows name) to:

.
 THE WAR HAS STARTED !
 

3. Overwrites all EXE, COM and SCR files on entire hard disk with its body.

4. Creates HTML 'shadow' files for every AI, PSD, TXT, PIF, DOC and RTF file. The 'shadow' file will have the name and extension of the original file plus HTML extension, for example FILE.DOC.HTML. If these files are opened with a web browser, the following text will be seen:

.
 THE WAR HAS STARTED !
 

The 'here' is a hyperlink pointing to 'C:\NT-Help.com' file. However the worm failed to create such a file during our tests.

5. Shows messageboxes with insulting messages.

6. Drops a batch file AutoStart.bat which is detected by F-Secure Anti Virus as I-Worm.BWG.a.

It saves itself using different file names and replaces files used by a system with its own. It creates copy of itself in files such as:

.
 THE WAR HAS STARTED !
 

The batch file creates a folder named suPs and copy itself as yyybp.bat file there. It assigns the suPs folder as drive L:.

It also replaces WIN.INI and SYSTEM.INI files with its own, that start a copy of the batch file during Windows bootup.

It also drops WTC.TXT file into the root of C:\ drive. This file contains the following text:

.
 THE WAR HAS STARTED !
 

Finally the code in the batch file tries to send the following message over the network:

.
 THE WAR HAS STARTED !
 

7. Can delete all DLL and OCX files from 'C:\Windows\System32'

Folder

8. Can delete all SYS files from 'C:\Windows' folder

9. Can deletes all files from root of C: drive

10. Deletes all WAV, MP3, JPG, BMP, ZIP, RAR and MPG files and creates files with the same names and extension plus EXE extension, for example FILE.MPG.EXE. These new files contain the worm's copy.

11. Changes default user's logon password to 'world'

12. Changes default user's screensaver password to '1'

13. Changes a few settings of Internet Explorer to disable certain features like showing Internet and Control Panel icons.

14. Changes the default network logon name to 'I-WORM-WTC'

15. The worm drops and runs AR.VBS file in 'C:\Windows\Temp' folder. The VBS is designed to changes the Registry to run itself during next system restart. Depending on the system date (even number) another payload should be activated, but this never happens because of a bug in the script.

After the payload is activated a system becomes unusable because the worm overwrote most of executable files.