W32/Vote.K@mm
Analysis
- The virus is a 32-bit executable with a file size of 102400 bytes and was coded in Visual Basic 6; it relies on MSVBVM60.DLL (the VB6 runtime) and cannot run, and so cannot be a threat, without it.
- If the virus is run, it persistently displays numerous dialog boxes carrying rhetoric about the destruction of the World Trade Center buildings on September 11, 2001. The message boxes eventually become so numerous that they clog the machine to the point where nothing productive can be done on it.
- The virus replaces the contents of files with the extensions .COM, .EXE and .SCR with a copy of itself under the same name. In effect this makes any other changes made to the computer meaningless, because the computer then becomes unusable.
- The virus writes itself to the local machine in numerous places and may end up replacing existing files:
c:\Windows\WTC32.scr
c:\windows\notepad.exe
c:\NT-Help.com
c:\Op_Me.co_
- The virus modifies the SCRIPT.INI configuration file for mIRC in an effort to distribute itself as the file "Op_Me.co_" when the user joins IRC channels. The modified script sends a message claiming that the file about to be sent is a program that grants the recipient "operator status", and that they should rename the received file to a .COM extension before running it:
"Hello.. Do you wanna be an operator of this channel? Here's a software from mIRCx.. First, you'll have to convert it to a .com file then walk it and become a channel operator instantly... "
- The virus changes the registry to enable file sharing in the peer-to-peer file sharing application Kazaa and to set Kazaa's shared folders to the root of drive C and to a newly created folder:
HKEY_CURRENT_USER\Software\Kazaa\LocalContent
"DisableSharing\"=dword:00000000
"Dir0"="012345:C:\Windows\Systm32\"
"Dir1"="012345:C:\"
- The virus may write a VBScript to the local system as "c:\windows\temp\AR.vbs". This VBScript contains instructions to delete files matching these patterns:
C:\Windows\System32\*.dll
C:\Windows\System32\*.ocx
C:\Windows\*.sys
- The VBScript may be loaded at startup because the virus adds a Run entry to the system registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"DLLScan" = "c:\windows\temp\AR.vbs"
- The virus attempts to send itself by email in the following format:
Subject: THE WAR HAS STARTED !
Body:
THE WAR IS NOT A JOKE !... THERE IS ONE BUILDING UP RIGHT NOW
Let's Unite In This Horrible Kaos. Fight For Us....!!!
...And Let Us Remember Those Lost Souls ! WE COUNT ON YOU !
Greetings,
World War Veterans.
Attachment: wtc32.scr
- The virus may attempt to send a note to everyone on the same network using the "net send" command:
"I Am A Victim Of The WTC Worm !"
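The dropped files, the overwritten notepad.exe, the "DLLScan" Run value and the Kazaa LocalContent entries described above can be checked for on a host with a read-only script. The following is an added example, not code from the Fortinet write-up; the function name, its parameters and the use of $env:windir and $env:SystemDrive are assumptions, while every path, key, value name and the 102400-byte size come from the analysis above (the mIRC SCRIPT.INI location is not given on the page, so it is not checked).

```powershell
# Added example (not part of the Fortinet write-up). Function name, parameters and
# the $env:windir / $env:SystemDrive defaults are assumptions; artifacts are from the page.
function Test-VoteKArtifacts {
    [CmdletBinding()]
    param(
        [string]$WindowsDir  = $env:windir,
        [string]$SystemDrive = $env:SystemDrive
    )
    $findings = New-Object System.Collections.Generic.List[string]
    # 1. Files the page lists as dropped (notepad.exe is handled separately below)
    $dropped = @(
        (Join-Path $WindowsDir 'WTC32.scr'),
        (Join-Path $SystemDrive 'NT-Help.com'),
        (Join-Path $SystemDrive 'Op_Me.co_'),
        (Join-Path $WindowsDir 'temp\AR.vbs')
    )
    foreach ($path in $dropped) {
        if (Test-Path -LiteralPath $path) { $findings.Add("dropped file present: $path") }
    }
    # 2. notepad.exe is overwritten with the 102400-byte VB6 virus body
    $notepad = Join-Path $WindowsDir 'notepad.exe'
    if ((Test-Path -LiteralPath $notepad) -and
        (Get-Item -LiteralPath $notepad).Length -eq 102400) {
        $findings.Add("notepad.exe is 102400 bytes, the size reported for the virus")
    }
    # 3. Run value "DLLScan" that relaunches the dropped VBScript at startup
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'DLLScan' -ErrorAction SilentlyContinue
    if ($run -and $run.DLLScan -match 'AR\.vbs$') {
        $findings.Add("Run\DLLScan = $($run.DLLScan)")
    }
    # 4. Kazaa LocalContent entries that share C:\ and C:\Windows\Systm32\ (as spelled on the page)
    $kazaa = 'HKCU:\Software\Kazaa\LocalContent'
    if (Test-Path -LiteralPath $kazaa) {
        $lc = Get-ItemProperty -Path $kazaa
        foreach ($name in 'Dir0', 'Dir1') {
            $val = $lc.$name
            if ($val -and $val -match '^\d+:C:\\(Windows\\Systm32\\)?$') {
                $findings.Add("Kazaa share $name = $val")
            }
        }
    }
    return $findings
}
Test-VoteKArtifacts | ForEach-Object { Write-Warning $_ }
```

An empty result means none of the listed artifacts were found; a non-empty one is a reason to take the host offline and image it, since the .COM/.EXE/.SCR overwriting described above leaves little that can be trusted on the system.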
Detection Availability
Product | Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |