Posted 27th September 2001
Vote Virus/Worm
W32.Vote.B@mm is a mass-mailing worm written in Visual Basic. When it is executed, it emails itself to all email addresses in the Microsoft Outlook address book. The worm inserts three .vbs files on the system. It also modifies the Internet Explorer home page.
W32.Vote.B@mm is a variant of W32.Vote.A@mm. The main differences are as follows: it inserts three VBS scripts instead of two; the file name has been modified; the subject and message of the email have changed; and antivirus program files are not deleted.
NOTE: Some of the inserted files are the same as in W32.Vote.A@mm, so they will be detected as W32.Vote.A@mm.
Type: Worm
Infection Length: 56,832 bytes
Virus Definitions: September 26, 2001
Comment
A new worm that can delete files from infected hard drives is using the terrorist attacks of two weeks ago, as well as the expected U.S. military response, to trick users into executing it, according to Ian Hameroff, business manager for security solutions at Computer Associates International (CA). Exact details of how the worm works, however, are not yet clear, as different security companies have different analyses.
The worm, dubbed "Vote" by CA due to its message, is a mass mailer that sends itself to e-mail addresses harvested from the Windows address book of infected systems, Hameroff said. Along with sending large amounts of e-mail, the worm also overwrites HTML files on the infected computer and can delete the system's Windows directory and reformat the hard drive when the machine is restarted, he said.
Vote arrives in an in-box with the subject line "Peace between America and Islam," Hameroff said. The body text of the e-mail reads "Hi. Is it a war against America or Islam? Let's vote to live in peace." Included in the e-mail is an attached document called WTC.exe, Hameroff said. When the attachment is double-clicked, the computer is infected.
Once the infection has occurred, all HTML files on the system are changed to include the text, "America a few days we will show you what we can do. It's our turn. Zacker is sorry for you," Hameroff said. Additionally, Vote attempts to delete all the files in the system's Windows directory if the infected system is rebooted, he said. Anti-virus company Trend Micro has also seen the Vote worm but has seen it behave differently, according to a spokeswoman. Vote is a VBS (Visual Basic Script) that deletes some files used by anti-virus programs and changes the start-up page for Internet Explorer, according to Trend. Trend's details are still sketchy, although it has also found the feature that reformats the hard drive on reboot, which it attributes to a modification of the Autoexec.bat file in DOS.
Vote is seen as a low-risk worm by Network Associates -- which owns the McAfee group of anti-virus companies and products -- according to Vincent Gullotto, senior director of McAfee's AVERT labs. McAfee has seen only a handful of cases of the worm, all isolated to North America, he said. McAfee has seen no confirmed infections of the virus so far, he added.
Vote is "clearly a message that's trying to prey on people," he said, adding that "it might have some success" given recent events and the possibility that users will confuse it with a benign PowerPoint presentation about New York that's making the rounds. Although McAfee products have been able to detect the worm via heuristics for a while, the company will also release an update to block it soon, he said.
When anti-virus programs are run in heuristics mode, they can block code that shares characteristics with malicious code, even if the anti-virus program does not have a specific definition for the code it is blocking. Whether the worm takes hold and infects many PCs will depend on home users, as corporate networks are likely well protected against infection, he said.
Vote is not yet widespread, although it only began showing up Monday morning, CA's Hameroff said. Infections by the virus can be prevented if users do not open attachments, or if companies filter .exe attachments so that they are not allowed into the corporate network. "If any company is allowing executable files past their servers and into their environment, this is a key time to re-evaluate that policy," Hameroff said.
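As an added example (not code from the advisory or from any of the vendors quoted), the following Python gateway check implements the attachment-filtering policy Hameroff recommends and additionally flags the subject line and attachment name quoted above. The blocked-extension list beyond .exe and .vbs, the example addresses and the helper names are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions a mail gateway should stop at the perimeter. The .exe
# rule is the one the article recommends; .vbs is included because the worm
# drops Visual Basic scripts; the remaining entries are assumed typical choices.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".com", ".bat", ".scr", ".pif"}
# Indicators quoted in the article for the Vote worm.
KNOWN_SUBJECTS = {"peace between america and islam"}
KNOWN_ATTACHMENTS = {"wtc.exe"}


def classify_message(raw):
    """Return {'action', 'reasons', 'attachments'} for one RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons, names = [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        names.append(name)
        lowered = name.lower()
        if lowered in KNOWN_ATTACHMENTS:
            reasons.append("known worm attachment name: " + name)
        # Use the final suffix so a double extension such as 'notes.txt.exe'
        # is still treated as an executable.
        suffix = "." + lowered.rsplit(".", 1)[-1] if "." in lowered else ""
        if suffix in BLOCKED_EXTENSIONS:
            reasons.append("executable attachment blocked by policy: " + name)
    subject = (msg["subject"] or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        reasons.append("known worm subject line: " + str(msg["subject"]))
    return {"action": "quarantine" if reasons else "deliver",
            "reasons": reasons, "attachments": names}


def build_sample(subject, body, attachment_name=None):
    """Build a constructed test message (not a captured worm email)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # The attachment body is a placeholder; only its name matters here.
        msg.add_attachment(b"PLACEHOLDER", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()
```

A message matching the quoted lure is quarantined on three counts (attachment name, executable extension, subject line); a plain PDF attachment or a message with no attachment is delivered.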