W32/Vote.K@mm

Analysis

• Virus is 32bit with a file size of 102400 bytes and was coded using Visual Basic 6 - the virus relies on MSVBVM60.DLL in order to be a threat
  
• If the virus is run, it will persistently display numerous dialogue boxes with rhetoric directed towards the destruction of the World Trade Center buildings which occurred September 11, 2001 - the message boxes will become too numerous and will eventually clog the machine to the point nothing productive can occur
  
• The virus will replace the contents of files with the extensions .COM, .EXE and .SCR with a copy of itself by the same name - this in essence will make any other changes made to the computer meaningless because the computer will then become unusable
  
• The virus will write itself to the local machine in numerous places and may end up replacing existing files -

  c:\Windows\WTC32.scr
  c:\windows\notepad.exe
  c:\NT-Help.com
  c:\Op_Me.co_
  

• The virus modifies the SCRIPT.INI configuration file for mIRC in an effort to distribute itself as the file "Op_Me.co_" when the user joins IRC channels - the modified script will send a message suggesting that the file which will be sent is a program which will give the recipient "operator status" and that they should rename the received file to a .COM extension prior to running it -

  "Hello.. Do you wanna be an operator of this channel? Here's a software from mIRCx.. First, you'll have to convert it to a .com file then walk it and become a channel operator instantly... "
  

• The virus will change the registry to allow file sharing by the peer-to-peer file sharing application Kazaa and to set the shared folder for Kazaa to the root of drive C and also a newly created folder -

  HKEY_CURRENT_USER\Software\Kazaa\LocalContent
  "DisableSharing\"=dword:00000000
  "Dir0"="012345:C:\Windows\Systm32\"
  "Dir1"="012345:C:\"
  

• The virus may write a VBScript to the local system as "c:\windows\temp\AR.vbs" - this
  VBScript file contains instructions to delete files matching this criteria -

  C:\Windows\System32\*.dll
  C:\Windows\System32\*.ocx
  C:\Windows\*.sys
  

• The VBScript may load from the system registry due to the virus changing the registry -

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
  DLLScan" = "c:\windows\temp\AR.vbs"
  

• The virus will attempt to send itself by email in the following format -

  Subject: THE WAR HAS STARTED !
  Body:
  THE WAR IS NOT A JOKE !... THERE IS ONE BUILDING UP RIGHT NOW
  Let's Unite In This Horrible Kaos. Fight For Us....!!!
  ...And Let Us Remember Those Lost Souls ! WE COUNT ON YOU !
  Greetings,
  World War Veterans.
  Attachment: wtc32.scr
  

• The virus may attempt to send a note to everyone on the same network using the "net send" instruction -

  "I Am A Victim Of The WTC Worm !"