W32/Vote.E@mm

Analysis

  • The virus is a 32-bit executable with a file size of 118,784 bytes.
  • When the virus is executed, it may display a dialogue box referencing the World Trade Center:
    WORLD TRADE CENTER
    WE WILL ALWAYS REMEMBER THOSE LOST SOULS.
    [OK]
  • This dialogue box is followed by a second one whose title and content are chosen from a table of possible message box titles and message texts. The message below is one example; the other variations are of the same type and on the same subject:
    VICTIM # 9375
    I F*CKED MY STEP SISTER
    BUT SHE NEVER MADE ME C*M
    [OK]
  • The virus may write itself to the hard drive as:
    c:\Autorun.com
    c:\NT-Help.com
    c:\Op_Me.co_
    c:\Windows\WTC32.scr
  • The virus may then modify mIRC installations so that the file “Op_Me.co_” is sent to other users when the infected user joins IRC channels, with the suggestion that it is a program to help the recipient become a channel operator if they rename the file to a .COM extension and run it.
  • The virus modifies the system registry to change how the infected computer appears and operates, and to load the virus at Windows startup. All of this becomes irrelevant, however, because the virus deletes so many system files that the infected computer is left unusable:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    "Window Title" = "((--USA-->>WTC<<--IRAQ--))"
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\
    "Window Title" = ((--USA-->>WTC<<--IRAQ--))

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    "WtcMsg" = 1
    "WtcSnd" = 1

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    "W32Tc" = c:\Windows\WTC32.scr

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\
    "ProductName" = WtC-WoRm-LaMeR
    "RegisteredOwner" = YOU ARE A VICTIM OF THE
    "RegisteredOrganization" = WORLD TRADE CENTER

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
    "Start Page" = c:\Microsoft NT Help.html

  • The virus may write a regedit import file to the hard drive as c:\Pict232.reg. The purpose of this import file is to modify the registry settings of the P2P file sharing application Kazaa so that its default share folder becomes the Windows\System32 folder.

  • The virus may construct email messages from a table of possible subject lines and body texts, then send a message to each contact with two infectious attachments: one with a .SCR extension and the other named c:\Plug-In_EXT.dll.

  • The virus may attempt to delete files on the hard drive in these locations:
    C:\Windows\System32\*.ocx
    C:\Windows\*.sys
    C:\Windows\*.*

  • The virus may also search the hard drive for files with the following extensions:
    .ai
    .avi
    .bmp
    .com
    .doc
    .frx
    .htm
    .html
    .htt
    .jpg
    .mp3
    .mpg
    .pif
    .psd
    .rar
    .rtf
    .txt
    .vbp
    .wav
    .zip

    When such a file is found, its contents are replaced with a copy of the virus and an .EXE extension is appended, so that ORIGINAL.WAV becomes ORIGINAL.WAV.EXE.

  • The virus may then replace all other files found on the hard drive with a copy of itself under the same file name; for instance, VOLTRACK.VXD, originally 18,491 bytes, becomes 118,784 bytes. This replacement affects files with .386, .LNK, .DLL, .EXE and .SCR extensions, along with most other files that had not yet been infected.
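The behaviours above translate directly into host indicators a responder can check for: the dropped file paths, the registry values the worm writes, the 118,784-byte body size, and the double-extension rename pattern (ORIGINAL.WAV.EXE). The following Python is an added example written for this page, not Fortinet's code or any part of the virus; it matches those indicators against a file listing of (path, size) pairs and against a regedit-style export, so it can be run offline. The file listing and registry export embedded at the bottom are constructed sample data, and the Kazaa share-folder change is not modelled because the analysis does not give the key it writes.

```python
"""Host indicator checks for the W32/Vote.E@mm behaviours listed in the analysis.

Added example, not Fortinet's code. It runs over a file listing of (path, size)
pairs and over a regedit-style export; the sample data at the bottom is constructed.
"""
import re

VIRUS_SIZE = 118_784  # size of the virus body given in the analysis

# Paths the worm drops or creates (from the analysis), matched case-insensitively
DROPPED_PATHS = {
    r"c:\autorun.com",
    r"c:\nt-help.com",
    r"c:\op_me.co_",
    r"c:\windows\wtc32.scr",
    r"c:\pict232.reg",
    r"c:\plug-in_ext.dll",
    r"c:\microsoft nt help.html",
}

# Extensions the worm overwrites and then renames with a trailing .EXE
DOUBLE_EXT_TARGETS = {
    ".ai", ".avi", ".bmp", ".com", ".doc", ".frx", ".htm", ".html", ".htt",
    ".jpg", ".mp3", ".mpg", ".pif", ".psd", ".rar", ".rtf", ".txt", ".vbp",
    ".wav", ".zip",
}

# Registry values the worm writes, as (key, value name), lower-cased
REG_VALUE_INDICATORS = {
    (r"hkey_local_machine\software\microsoft\windows\currentversion\run", "w32tc"),
    (r"hkey_current_user\software\microsoft\windows\currentversion", "wtcmsg"),
    (r"hkey_current_user\software\microsoft\windows\currentversion", "wtcsnd"),
}
# Branding values the worm overwrites, flagged when they carry its text
BRANDING_VALUES = {"window title", "productname", "registeredowner", "registeredorganization"}
BRANDING_MARKERS = ("wtc", "world trade center", "victim")
START_PAGE_MARKER = "microsoft nt help.html"  # dropped HTML set as IE start page


def flag_file(path, size):
    """Return the reasons a listing entry matches the analysis (empty list if none)."""
    p = path.lower().replace("/", "\\")
    name = p.rsplit("\\", 1)[-1]
    reasons = []
    if p in DROPPED_PATHS:
        reasons.append("dropped file path")
    if name.endswith(".exe") and size == VIRUS_SIZE:
        stem = name[:-4]
        inner = "." + stem.rsplit(".", 1)[-1] if "." in stem else ""
        if inner in DOUBLE_EXT_TARGETS:
            reasons.append(f"overwritten {inner} file renamed to {inner}.exe")
    if size == VIRUS_SIZE:
        # The worm also replaces files under their own name (e.g. VOLTRACK.VXD),
        # so an exact size match alone is a weak but useful hint.
        reasons.append("size equals virus body")
    return reasons


def scan_listing(listing):
    """Map each flagged path in an iterable of (path, size) pairs to its reasons."""
    flagged = {}
    for path, size in listing:
        reasons = flag_file(path, size)
        if reasons:
            flagged[path] = reasons
    return flagged


_VALUE_LINE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def scan_reg_export(text):
    """Parse a regedit export and return (key, name, value) triples that match."""
    hits = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].rstrip("\\").lower()
            continue
        m = _VALUE_LINE.match(line)
        if not m or key is None:
            continue
        name, value = m.group(1), m.group(2).strip().strip('"')
        lname, lvalue = name.lower(), value.lower()
        if (key, lname) in REG_VALUE_INDICATORS:
            hits.append((key, name, value))
        elif lname in BRANDING_VALUES and any(mk in lvalue for mk in BRANDING_MARKERS):
            hits.append((key, name, value))
        elif lname == "start page" and START_PAGE_MARKER in lvalue:
            hits.append((key, name, value))
    return hits


# Constructed sample inputs (not from a real infected host)
SAMPLE_LISTING = [
    (r"C:\Windows\WTC32.scr", 118784),
    (r"C:\Music\ORIGINAL.WAV.EXE", 118784),
    (r"C:\Windows\System\VOLTRACK.VXD", 118784),
    (r"C:\Windows\notepad.exe", 65536),
]

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"="((--USA-->>WTC<<--IRAQ--))"
"Start Page"="c:\\Microsoft NT Help.html"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"WtcMsg"=dword:00000001
"WtcSnd"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"W32Tc"="c:\\Windows\\WTC32.scr"
"SomeOtherApp"="c:\\Program Files\\Other\\app.exe"
"""

if __name__ == "__main__":
    for path, reasons in scan_listing(SAMPLE_LISTING).items():
        print(path, "->", "; ".join(reasons))
    for key, name, value in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"[{key}] {name} = {value}")
```

On a real host the listing would come from a directory walk and the export from `reg export`; the size-only match is deliberately reported separately from the path and double-extension matches so that it can be triaged as a weaker signal.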

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR