W32.Vote.A@mm
Discovered on: September 24, 2001
Last Updated on: September 26, 2001 at 08:08:15 AM PDT
W32.Vote.A@mm is a mass-mailing worm that is written in Visual Basic. When executed, it will email itself out to all email addresses in the Microsoft Outlook address book. The worm will insert two .vbs files on the system, and it will also attempt to delete files from several antivirus products.
Type: Worm (reference: <http://www.symantec.com/avcenter/refa.html>)
Infection Length: 55,808 Bytes
Virus Definitions: September 24, 2001
Threat Assessment:
Wild: Low
Damage: High
Distribution: High
Wild:
Number of infections: 0 - 49
Number of sites: 3 - 9
Geographical distribution: Medium
Threat containment: Moderate
Removal: Moderate
Damage:
Payload:
Large scale e-mailing: Emails everyone in the Microsoft Outlook address book
Deletes files: After reboot, the worm attempts to delete all files in the Windows folder
Modifies files: All files with the extension "htm" or "html" will be overwritten.
Compromises security settings: If the Backdoor.Trojan was successfully downloaded and installed, anyone could gain full access to the computer.
Distribution:
Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Name of attachment: WTC.exe
Size of attachment: 55808 Bytes
Technical description:
W32.Vote.A@mm is a mass-mailing worm written in the Visual Basic language. It requires the file Msvbvm50.dll to execute.
When executed, the worm will attempt to email itself to all contacts in the Microsoft Outlook address book. The email will appear as follows.
Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Message:
Hi
iS iT A waR Against AmeriCa Or IsLaM !?
Let's Vote To Live in Peace!
Attachment: WTC.EXE
Next, the worm will insert two .vbs files on the system:
\%Windows%\MixDaLaL.vbs
\%Windows\System%\ZaCker.vbs
NOTES:
%Windows% is a variable. The worm locates the \Windows folder (by default this is C:\Windows or C:\Winnt) and copies itself to that location
%Windows\System% is a variable. The worm locates the \Windows\System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location
In addition, the worm will attempt to download and execute a file. This file is detected as Backdoor.Trojan by Norton Antivirus.
Finally, the worm will attempt to delete all files from several folders. These folders appear to be the default installation folders for several antivirus products. For Norton AntiVirus, this worm will only attempt to delete the files if Norton Antivirus is located in C:\Program Files\Norton AntiVirus.
What the dropped files do
MixDaLaL.vbs
MixDaLaL.vbs is a Visual Basic Script file that is inserted in the \%Windows% folder. This file is executed by the worm. As the file is executed, it will look through all folders on all fixed drives and network drives for files with the extensions .htm or .html. If such files are found, they are overwritten with the message:
AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You
ZaCker.VBS
This file is inserted as \%Windows\System%\ZaCker.vbs. It is not executed by the worm. Instead, the value
Norton.Thar \%Windows\System%\ZaCker.vbs
is added to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the file is executed when you start Windows.
When executed at the next restart, this file will attempt to delete all files in the \Windows folder. Next, the worm will create or overwrite the file C:\Autoexec.bat. Inside the file there will be a command that formats the C drive. The Autoexec.bat file is executed on Windows 95/98/Me and DOS systems when you start the computer.
Finally, the worm will display the message
The worm does attempt to shut down Windows after the message has been displayed. However, because the files required for this event to occur have been deleted from the \Windows folder, the computer probably will not shut down.
Removal instructions:
To remove this worm, delete files that are detected as W32.Vote.A@mm and remove the value that it added to the registry.
To remove the worm:
1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files <http://service1.symantec.com/SUPPORT/nav.nsf/docid/1999110513272906>.
3. Run a full system scan.
4. Delete all files that are detected as W32.Vote.A@mm. If the worm has run and Norton AntiVirus is installed in C:\Program Files\Norton AntiVirus, you should reinstall Norton Antivirus.
5. If the computer has been rebooted after the infection, or if the computer seems very unstable, it is recommended that you reinstall the operating system.
To edit the registry:
CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617> before you proceed. This document is available from the Symantec Fax-on-Demand system. In the U.S. and Canada, call (541) 984-2490, select option 2, and then request document 927002.
1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the following value:
Norton.Thar \%Windows\System%\ZaCker.vbs
5. Click Registry, and then click Exit.
Additional information:
If the Backdoor.Trojan was successfully installed on the computer, it is possible that your system has been accessed remotely by an unauthorized user. For this reason it is impossible to guarantee the integrity of a system that has had such an infection. The remote user could have made changes to your system, including but not limited to the following:
Stealing or changing passwords or password files
Installing remote-connectivity host software, also known as backdoors
Installing keystroke logging software
Configuring of firewall rules
Stealing of credit card numbers, banking information, personal data, and so on
Deletion or modification of files
Sending of inappropriate or even incriminating material from a customer's email account
Modifying access rights on user accounts or files
Deleting information from log files to hide such activities
If you need to be certain that your organization is secure, you must reinstall the operating system, and restore files from a backup that was made before the infection took place, and change all passwords that may have been on the infected computers or that were accessible from it. This is the only way to ensure that your systems are safe. For more information regarding security in your organization, contact your system administrator.
Well, I don't know what to make of this....
This hasn't been forwarded 500 times already.
What do you think???
edit:
My apologies for messing up the layout.
I grabbed the whole message.
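The writeup above lists three host-side traces of this worm: the two dropped .vbs files, the "Norton.Thar" Run value pointing at ZaCker.vbs, and .htm/.html files overwritten with the defacement text. The script below is an added example (not from the forum post or from Symantec) that checks a directory tree and an exported set of Run values for exactly those traces; the folder layout, the Run-value dict and the sample files it builds in a temp directory are constructed so it runs offline on any OS.

```python
import os
import tempfile

# Indicators taken from the writeup above: dropped file names, Run value, overwrite text.
RUN_VALUE_NAME = "Norton.Thar"
DEFACEMENT_MARKER = "ZaCkEr is So Sorry For You"

def find_dropped_files(windows_dir, system_dir):
    """Return whichever of the two dropped .vbs files exist in their documented folders."""
    candidates = (os.path.join(windows_dir, "MixDaLaL.vbs"), os.path.join(system_dir, "ZaCker.vbs"))
    return [p for p in candidates if os.path.isfile(p)]

def check_run_values(run_values):
    """run_values: {name: data} read from HKLM\\...\\CurrentVersion\\Run.
    Flags the documented value name and any value whose data points at ZaCker.vbs."""
    return [name for name, data in run_values.items()
            if name == RUN_VALUE_NAME or "zacker.vbs" in str(data).lower()]

def find_defaced_html(root):
    """Walk a tree and list .htm/.html files that carry the worm's overwrite message."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".htm", ".html")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                if DEFACEMENT_MARKER in fh.read():
                    hits.append(path)
    return sorted(hits)

def demo():
    """Constructed sample tree in a temp dir (hypothetical data) to exercise all three checks."""
    root = tempfile.mkdtemp()
    win, sysd = os.path.join(root, "Windows"), os.path.join(root, "Windows", "System")
    os.makedirs(sysd)
    open(os.path.join(win, "MixDaLaL.vbs"), "w").close()  # dropped file present, ZaCker.vbs absent
    site = os.path.join(root, "site")
    os.makedirs(site)
    with open(os.path.join(site, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> " + DEFACEMENT_MARKER)
    with open(os.path.join(site, "about.htm"), "w", encoding="utf-8") as fh:
        fh.write("<html>untouched page</html>")
    run_values = {"Norton.Thar": r"C:\Windows\System\ZaCker.vbs", "ctfmon": "ctfmon.exe"}  # constructed
    return {"dropped": find_dropped_files(win, sysd),
            "run": check_run_values(run_values),
            "defaced": find_defaced_html(root)}
```

On a real host you would pass the actual %Windows% and %Windows%\System paths and the values read from the Run key instead of the constructed ones in demo().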