Subject: Sophos Anti-Virus IDE alert: W32/Vote-B
Name: W32/Vote-B
Type: Win32 worm
Date: 27 September 2001
Description:
W32/Vote-B is an email-aware worm, very similar to W32/Vote-A.
Subject line: Fwd: This War Must Be Done !
Message text:
Hi
We Must Fight , We Must ReMemBer Our Victims!
No Peace Before KiLLing TeRRoRists !
Attached file: ANTI_TERRORISM.EXE
When the worm is run it will send itself to entries in your
Outlook Address Book.
It will drop and run a Visual Basic script
C:\WINDOWS\MIXDALAL.VBS which SAV detects as VBS/Vote-A. This
script will search all drives (hard disks and network drives)
for webpages with an HTM or HTML extension. The files will be
overwritten with a single line of text:
AmeRiCa...Few Days WiLL Show You What We Can Do !!! It's Our
Turn >>> ZaCkEr is So Sorry For You.
The worm sets the browser homepage to:
about:I SwEar , We WiLL Rule This World SooN !!!
and opens two Internet Explorer windows. One window will contain
the following text in a large font with blue and red characters:
AmeRiCa... YouR Last Day Is Cumin Soon!
The other window will attempt to download a file TimeUpdate.exe
from us.f1.yahoofs.com. This file is a password-stealing Trojan
detected as Troj/Barrio.
The worm will drop another script in C:\Windows\system\DaLaL.vbs
and add a registry entry to ensure that the script is run on
startup.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ZaCker =
C:\Windows\system\DaLaL.vbs
This script amends AUTOEXEC.BAT so that the C: drive will be
formatted on reboot.
It also adds another registry key which will activate a third
script dropped by the worm.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AlWaiL =
C:\Windows\system\WaiL.vbs
If the hard disk is not successfully formatted, this third script
attempts to delete all files in the Windows directory and then
displays the message "We are ReaDy To Die For What We Believe In
!! BYE".
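As an added triage example (not part of the Sophos alert), the checks below turn the indicators listed above into code a responder could run over a registry Run-key export, an AUTOEXEC.BAT and a web root: the Run value names and script paths, the defacement line and the homepage string are taken from the alert; the FORMAT C: pattern is an assumption, since the alert does not reproduce the exact line the script appends.

```python
import os
import re

# Indicators quoted from the advisory; the AUTOEXEC.BAT pattern is an assumption.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
VOTE_B_RUN_VALUES = {            # value name -> data, both lower-cased for matching
    "zacker": r"c:\windows\system\dalal.vbs",
    "alwail": r"c:\windows\system\wail.vbs",
}
DEFACEMENT_TEXT = ("AmeRiCa...Few Days WiLL Show You What We Can Do !!! "
                   "It's Our Turn >>> ZaCkEr is So Sorry For You.")
HOMEPAGE_TEXT = "about:I SwEar , We WiLL Rule This World SooN !!!"
FORMAT_C = re.compile(r"(?im)^\s*(?:\S+\\)?format(?:\.com)?\s+c:")


def _norm(s):
    """Collapse whitespace and case so wrapped or re-typed strings still compare equal."""
    return " ".join(s.split()).lower()


def check_run_values(run_values):
    """run_values: {value_name: data} read from the Run key. Returns matching value names."""
    return [name for name, data in run_values.items()
            if name.lower() in VOTE_B_RUN_VALUES
            or _norm(data) in VOTE_B_RUN_VALUES.values()]


def is_defaced_page(text):
    """True if a page has been reduced to the worm's single defacement line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return len(lines) == 1 and _norm(lines[0]) == _norm(DEFACEMENT_TEXT)


def homepage_hijacked(start_page):
    """True if the IE start page value equals the string the worm sets."""
    return _norm(start_page) == _norm(HOMEPAGE_TEXT)


def autoexec_formats_c(autoexec_text):
    """True if AUTOEXEC.BAT would format C: on reboot (assumed command form)."""
    return FORMAT_C.search(autoexec_text) is not None


def find_defaced_pages(files):
    """files: iterable of (path, text). Returns HTM/HTML paths that need restoring from backup."""
    return [p for p, t in files
            if p.lower().endswith((".htm", ".html")) and is_defaced_page(t)]


def scan_web_root(root):
    """Walk a real directory tree (hard disk or mapped share) and return defaced pages."""
    files = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            try:
                with open(os.path.join(dirpath, n), encoding="latin-1") as f:
                    files.append((os.path.join(dirpath, n), f.read()))
            except OSError:
                pass
    return find_defaced_pages(files)
```

Any hit from check_run_values or autoexec_formats_c means the persistence and format steps described above have already run, so the host should be taken off the network before reboot.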