Virus

W32/Vote.K@mm

Analysis

  • The virus is a 32-bit executable with a file size of 102400 bytes, written in Visual Basic 6 - it relies on MSVBVM60.DLL (the Visual Basic 6 runtime) and cannot run without it
  • If the virus is run, it persistently displays numerous dialog boxes containing rhetoric about the destruction of the World Trade Center buildings on September 11, 2001 - the message boxes eventually become so numerous that the machine is clogged to the point where nothing productive can be done
  • The virus overwrites the contents of files with the extensions .COM, .EXE and .SCR with a copy of itself, keeping the original file name - this in effect makes any other changes made to the computer meaningless, because the computer becomes unusable once its programs are destroyed
  • The virus writes itself to several locations on the local machine and may overwrite existing files -

    c:\Windows\WTC32.scr
    c:\windows\notepad.exe
    c:\NT-Help.com
    c:\Op_Me.co_

  • The virus modifies mIRC's SCRIPT.INI configuration file in an effort to distribute itself as the file "Op_Me.co_" to users who join the same IRC channels - the modified script sends a message claiming that the file being sent is a program which will give the recipient "operator status", and instructs them to rename the received file to a .COM extension before running it -

    "Hello.. Do you wanna be an operator of this channel? Here's a software from mIRCx.. First, you'll have to convert it to a .com file then walk it and become a channel operator instantly... "

  • The virus changes the registry to enable file sharing in the peer-to-peer file sharing application Kazaa, and sets Kazaa's shared folders to the root of drive C and to a newly created folder -

    HKEY_CURRENT_USER\Software\Kazaa\LocalContent
    "DisableSharing\"=dword:00000000
    "Dir0"="012345:C:\Windows\Systm32\"
    "Dir1"="012345:C:\"

  • The virus may write a VBScript to the local system as "c:\windows\temp\AR.vbs" - this VBScript file contains instructions to delete files matching the following patterns -

    C:\Windows\System32\*.dll
    C:\Windows\System32\*.ocx
    C:\Windows\*.sys

  • The VBScript may be launched at startup through a Run entry the virus adds to the system registry -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    "DLLScan"="c:\windows\temp\AR.vbs"

  • The virus attempts to mail itself out in messages of the following form -

    Subject: THE WAR HAS STARTED !
    Body:
    THE WAR IS NOT A JOKE !... THERE IS ONE BUILDING UP RIGHT NOW
    Let's Unite In This Horrible Kaos. Fight For Us....!!!
    ...And Let Us Remember Those Lost Souls ! WE COUNT ON YOU !
    Greetings,
    World War Veterans.
    Attachment: wtc32.scr

  • The virus may attempt to send a message to every machine on the same network using the "net send" command -

    "I Am A Victim Of The WTC Worm !"
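As an added triage example (not part of the original analysis), the following Python functions check a host snapshot for the artifacts described above and generalize slightly: any .COM/.EXE/.SCR whose size equals the virus body, any Run value launching a .vbs from a temp folder, any Kazaa share exposing a drive root or the Windows directory, and SCRIPT.INI lines that push the Op_Me.co_ lure. The snapshot inputs (a path-to-size map, the Run values, the Kazaa LocalContent values and the SCRIPT.INI text) are assumed to be collected by the caller; the sample values in the comments are constructed.

```python
import re
from typing import Dict, List

VIRUS_SIZE = 102400                    # size of the VB6 virus body, from the analysis
INFECTABLE = (".com", ".exe", ".scr")  # extensions whose contents the virus overwrites
# Drop locations from the analysis, compared case-insensitively.
DROP_PATHS = {r"c:\windows\wtc32.scr", r"c:\nt-help.com", r"c:\op_me.co_",
              r"c:\windows\temp\ar.vbs"}

def check_files(files: Dict[str, int]) -> List[str]:
    """files maps path -> size in bytes. Flag known drop paths, and any .com/.exe/.scr
    whose size equals the virus body (a host program replaced by a copy of the virus)."""
    hits = []
    for path, size in files.items():
        low = path.lower()
        if low in DROP_PATHS:
            hits.append(f"dropped file: {path}")
        elif low.endswith(INFECTABLE) and size == VIRUS_SIZE:
            hits.append(f"possible overwritten host: {path}")
    return hits

def check_run_values(run: Dict[str, str]) -> List[str]:
    """run maps value name -> command from HKLM\\...\\CurrentVersion\\Run.
    Flag any entry launching a .vbs out of a temp directory (the DLLScan -> AR.vbs case)."""
    return [f"Run\\{name} -> {cmd}" for name, cmd in run.items()
            if re.search(r"\\temp\\[^\\]+\.vbs$", cmd, re.IGNORECASE)]

def check_kazaa(local_content: Dict[str, object]) -> List[str]:
    """local_content mirrors HKCU\\Software\\Kazaa\\LocalContent. Flag shared folders that
    expose a drive root or the Windows directory while DisableSharing is 0 (sharing on)."""
    if local_content.get("DisableSharing", 1) != 0:   # absent/non-zero: treat as not sharing
        return []
    hits = []
    for name, value in local_content.items():
        if not (name.startswith("Dir") and isinstance(value, str)):
            continue
        shared = re.sub(r"^\d+:", "", value)           # strip the "012345:" prefix
        if re.fullmatch(r"[a-z]:\\?", shared, re.IGNORECASE) or \
           re.match(r"[a-z]:\\windows\b", shared, re.IGNORECASE):
            hits.append(f"Kazaa shares {shared} via {name}")
    return hits

def check_script_ini(text: str) -> List[str]:
    """Flag mIRC SCRIPT.INI lines that reference Op_Me.co_, DCC-send any .co_ file,
    or carry the 'convert it to a .com file' lure text (constructed sample in the test)."""
    return [line.strip() for line in text.splitlines()
            if re.search(r"op_me\.co_|dcc\s+send\b.*\.co_|convert it to a \.com file",
                         line, re.IGNORECASE)]
```

The notepad.exe replacement mentioned above is caught by the size rule rather than by path, since the file name itself is legitimate.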