Subject: Sophos Anti-Virus IDE alert: W32/Vote-B

Name: W32/Vote-B
Type: Win32 worm
Date: 27 September 2001

Description:

W32/Vote-B is an email-aware worm, very similar to W32/Vote-A.

Subject line: Fwd: This War Must Be Done !

Message text:

Hi
We Must Fight , We Must ReMemBer Our Victims!
No Peace Before KiLLing TeRRoRists !

Attached file: ANTI_TERRORISM.EXE

When the worm is run it will send itself to entries in your Outlook Address Book.

It will drop and run a Visual Basic script,
C:\WINDOWS\MIXDALAL.VBS, which Sophos Anti-Virus (SAV) detects as VBS/Vote-A. This script searches all drives (hard disks and network drives) for webpages with an HTM or HTML extension and overwrites each one with a single line of text:

AmeRiCa...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You.

The worm sets the browser homepage to:

about:I SwEar , We WiLL Rule This World SooN !!!

and opens two Internet Explorer windows. One window will contain the following text in a large font with blue and red characters:

AmeRiCa... YouR Last Day Is Cumin Soon!

The other window will attempt to download a file, TimeUpdate.exe, from us.f1.yahoofs.com. This file is a password-stealing Trojan detected as Troj/Barrio.

The worm will drop another script in C:\Windows\system\DaLaL.vbs and add a registry entry to ensure that the script is run on startup.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ZaCker = C:\Windows\system\DaLaL.vbs

This script amends AUTOEXEC.BAT so that the C: drive will be formatted on reboot.

It also adds another registry entry which will run a third script dropped by the worm.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AlWaiL = C:\Windows\system\WaiL.vbs

If the hard disk is not successfully formatted, this third script attempts to delete all files in the Windows directory and then displays the message "We are ReaDy To Die For What We Believe In !! BYE".
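The persistence and payload details above (the two Run values, the dropped scripts, the AUTOEXEC.BAT change, the homepage string and the HTM/HTML defacement) are the host indicators an administrator would check for. The following Python module is an added example, not Sophos code, that turns them into a simple host check run over a constructed snapshot of a Windows machine's state. Assumptions: the advisory does not quote the exact AUTOEXEC.BAT line, so the check flags any FORMAT command aimed at drive C:; the Internet Explorer start page is assumed to live in the usual `HKCU\Software\Microsoft\Internet Explorer\Main\Start Page` value, which the advisory does not name; the snapshot dictionaries and sample file contents are constructed for the example.

```python
"""Host-indicator check for the W32/Vote-B persistence and payload described in the alert.

Added example, not Sophos' own code. Inputs are plain Python structures so the logic
can be exercised offline on constructed data; on a real host the same checks would be
fed from the Run key, AUTOEXEC.BAT, the file system and the IE Start Page value.
"""
import re

# Indicators taken directly from the advisory text.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {
    "ZaCker": r"C:\Windows\system\DaLaL.vbs",
    "AlWaiL": r"C:\Windows\system\WaiL.vbs",
}
DROPPED_FILES = [
    r"C:\WINDOWS\MIXDALAL.VBS",
    r"C:\Windows\system\DaLaL.vbs",
    r"C:\Windows\system\WaiL.vbs",
]
HOMEPAGE_MARKER = "about:I SwEar"                   # start of the homepage string set by the worm
DEFACEMENT_MARKER = "ZaCkEr is So Sorry For You"    # tail of the one-line HTM/HTML overwrite

# Assumption: the advisory does not quote the amended AUTOEXEC.BAT line, so any
# FORMAT command directed at C: is flagged.
FORMAT_C_RE = re.compile(r"^\s*format\s+c:", re.IGNORECASE)


def check_run_entries(run_entries):
    """run_entries: dict of value name -> data read from the Run key."""
    known_paths = {v.lower() for v in RUN_VALUES.values()}
    return [f"Run value {name!r} -> {data}"
            for name, data in run_entries.items()
            if name in RUN_VALUES or data.lower() in known_paths]


def check_autoexec(text):
    """Flag lines in AUTOEXEC.BAT that would format C: on the next boot."""
    return [f"AUTOEXEC.BAT line {n}: {line.strip()}"
            for n, line in enumerate(text.splitlines(), 1)
            if FORMAT_C_RE.match(line)]


def check_files(existing_paths):
    """Match the dropped-script paths case-insensitively, as Windows does."""
    wanted = {p.lower() for p in DROPPED_FILES}
    return [p for p in existing_paths if p.lower() in wanted]


def check_homepage(start_page):
    """start_page: the IE Start Page value (assumed location, see lead-in)."""
    return [f"IE start page: {start_page}"] if start_page.startswith(HOMEPAGE_MARKER) else []


def check_html(path, content):
    """Detect a web page overwritten by MIXDALAL.VBS."""
    return [f"defaced page: {path}"] if DEFACEMENT_MARKER in content else []


def scan_host(snapshot):
    """snapshot keys: run, autoexec, files, start_page, html (path -> content)."""
    findings = []
    findings += check_run_entries(snapshot.get("run", {}))
    findings += check_autoexec(snapshot.get("autoexec", ""))
    findings += check_files(snapshot.get("files", []))
    findings += check_homepage(snapshot.get("start_page", ""))
    for path, content in snapshot.get("html", {}).items():
        findings += check_html(path, content)
    return findings


# Constructed sample snapshots (not captured from a real machine).
CLEAN_HOST = {
    "run": {"ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun"},
    "autoexec": "@ECHO OFF\nSET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\n",
    "files": [r"C:\WINDOWS\WIN.INI"],
    "start_page": "about:blank",
    "html": {r"D:\site\about.html": "<html><body>hello</body></html>"},
}

INFECTED_HOST = {
    "run": {
        "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
        "ZaCker": r"C:\Windows\system\DaLaL.vbs",
        "AlWaiL": r"C:\Windows\system\WaiL.vbs",
    },
    "autoexec": "@ECHO OFF\nSET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\nFORMAT C: /Q\n",
    "files": [r"C:\WINDOWS\MIXDALAL.VBS", r"C:\WINDOWS\SYSTEM\DALAL.VBS", r"C:\WINDOWS\WIN.INI"],
    "start_page": "about:I SwEar , We WiLL Rule This World SooN !!!",
    "html": {
        r"C:\Inetpub\wwwroot\index.htm":
            "AmeRiCa...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You.",
        r"D:\site\about.html": "<html><body>hello</body></html>",
    },
}

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        print(f"{label}: {len(scan_host(snap))} indicator(s)")
        for finding in scan_host(snap):
            print("  ", finding)
```

The check deliberately matches both the value names and the script paths under the Run key, so a variant that renames the value but keeps the dropped-file location is still caught; the AUTOEXEC.BAT check is the one to act on first, since that line fires on the next reboot regardless of whether the scripts are removed.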