W32/Vote.A@mm
Analysis
- Virus is a 32-bit executable with a file size of 55,808 bytes
- Virus was coded in Visual Basic 6 and requires the VB6 runtime files to be present on the host; without them the executable will not run and poses no threat
- If run on a host system, the virus may send itself as a single message to each contact listed in the Outlook Address Book, in this format:
Subject = Fwd:Peace BeTweeN AmeriCa And IsLaM !
Body =
Hi
iS iT A waR Against AmeriCa Or IsLaM !?
Let's Vote To Live in Peace!
Attachment = WTC.exe
The virus creates several files on the local system:
C:\Windows\MixDaLaL.vbs - 1370 bytes
C:\Windows\WTC.exe - 55808 bytes
C:\Windows\System\ZaCker.vbs - 653 bytes
The virus then runs "MixDaLaL.vbs". This VBScript component replaces the contents of every .HTM and .HTML file on all drives with a short text string, then sets the "hidden" attribute on those files.
Next, the virus modifies the registry so that the second VBScript component is loaded at the next Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
Norton.Thar=C:\WINDOWS\SYSTEM\ZaCker.vbs
The component "ZaCker.vbs" contains instructions to delete all files in the Windows folder. The component also attempts to:
- overwrite C:\AUTOEXEC.BAT with the instruction
"echo y | format C:"
(piping "y" into FORMAT answers its confirmation prompt, so drive C: would be formatted unattended the next time the system boots and processes AUTOEXEC.BAT)
- display the message "I promiss We WiLL Rule
The World Again...By The Way,You Are Captured
By ZaCker !!!"
- exit Windows
- The "Company Name" field in the file properties of WTC.exe is "ZaCker".
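The file, registry, version-resource and AUTOEXEC.BAT indicators listed above are enough for a host triage script. The following PowerShell is an added example for this entry, not code from Fortinet or from the virus; it checks each indicator the analysis names and reports what it finds. It assumes a modern PowerShell host, resolves the Windows folder from $env:windir because the original sample targets C:\Windows, and searches C:\ for hidden .htm/.html files as the sign of the MixDaLaL.vbs payload (search root and output format are the example's own choices).

```powershell
# Added example (not from the original entry): triage a host for the
# W32/Vote.A@mm indicators described in the analysis above.
function Find-VoteAIndicators {
    # Assumption: the Windows folder is wherever this host keeps it; the
    # original sample hard-codes C:\Windows and C:\Windows\System.
    $windir = $env:windir
    $dropped = @(
        @{ Path = (Join-Path $windir 'MixDaLaL.vbs');      Size = 1370  },
        @{ Path = (Join-Path $windir 'WTC.exe');           Size = 55808 },
        @{ Path = (Join-Path $windir 'System\ZaCker.vbs'); Size = 653   }
    )
    $findings = @()

    # Dropped files, compared against the sizes given in the analysis.
    foreach ($ioc in $dropped) {
        if (Test-Path -LiteralPath $ioc.Path) {
            $item = Get-Item -LiteralPath $ioc.Path -Force
            $findings += [pscustomobject]@{
                Indicator = $ioc.Path
                Detail    = "file present ($($item.Length) bytes; expected $($ioc.Size))"
            }
        }
    }

    # The dropper's version resource carries "ZaCker" as Company Name.
    $wtc = Join-Path $windir 'WTC.exe'
    if (Test-Path -LiteralPath $wtc) {
        $company = (Get-Item -LiteralPath $wtc -Force).VersionInfo.CompanyName
        if ($company -eq 'ZaCker') {
            $findings += [pscustomobject]@{ Indicator = $wtc; Detail = "CompanyName = '$company'" }
        }
    }

    # Persistence: Run value "Norton.Thar" pointing at ZaCker.vbs.
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'Norton.Thar' -ErrorAction SilentlyContinue
    if ($run) {
        $findings += [pscustomobject]@{ Indicator = "$runKey\Norton.Thar"; Detail = $run.'Norton.Thar' }
    }

    # Destructive payload: AUTOEXEC.BAT overwritten with "echo y | format C:".
    $autoexec = 'C:\AUTOEXEC.BAT'
    if (Test-Path -LiteralPath $autoexec) {
        $content = Get-Content -LiteralPath $autoexec -Raw -ErrorAction SilentlyContinue
        if ($content -match 'format\s+C:') {
            $findings += [pscustomobject]@{ Indicator = $autoexec; Detail = 'contains "format C:"' }
        }
    }

    # MixDaLaL.vbs blanks every .htm/.html file and marks it hidden.
    # Assumption: C:\ is the drive to sweep; extend to other drives as needed.
    $hiddenHtml = Get-ChildItem -Path 'C:\' -Recurse -Force -Include '*.htm','*.html' -File `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }
    foreach ($f in $hiddenHtml) {
        $findings += [pscustomobject]@{
            Indicator = $f.FullName
            Detail    = "hidden HTML file ($($f.Length) bytes)"
        }
    }

    return $findings
}

$results = Find-VoteAIndicators
if ($results.Count -eq 0) {
    Write-Output 'No W32/Vote.A@mm indicators found.'
} else {
    $results | Format-Table -AutoSize
}
```

The hidden-HTML sweep is the noisiest check: some software legitimately ships hidden .htm files, so treat that part as a lead to confirm against the dropped files and the Run value rather than as a verdict on its own. The file-size comparison is reported rather than enforced because a repacked or corrupted sample will differ from the sizes in the analysis.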
Telemetry
Detection Availability
FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR