W32/Vote.E@mm
Analysis
- Virus is 32bit, with file size of 118,784 bytes
- If virus is executed, it may display a dialogue
box referencing the World Trade Center -
WORLD TRADE CENTER
WE WILL ALWAYS REMEMBER THOSE LOST SOULS.
[OK]
- This dialogue box is followed by a second one whose
title and content are chosen from a table of possible
message box titles and bodies – below is just one
example of a message; the variations follow the same
style and subject as this one -
VICTIM # 9375
I F*CKED MY STEP SISTER
BUT SHE NEVER MADE ME C*M
[OK]
- Virus may write itself to the hard drive –
c:\Autorun.com
c:\NT-Help.com
c:\Op_Me.co_
c:\Windows\WTC32.scr
- Virus may then modify mIRC installations to send
the file "Op_Me.co_" to other users when joining
IRC channels, presenting it as a program that will
make the recipient a channel operator; the recipient
is infected only if they rename the file to a .COM
extension and run it
- Virus makes modifications to the system registry
to change how the infected computer appears and operates,
and to load the virus at Windows startup – but
all of this becomes irrelevant because the
virus deletes so many system files that the infected
computer is left useless –
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
"Window Title" = "((--USA-->>WTC<<--IRAQ--))"
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\
"Window Title" = "((--USA-->>WTC<<--IRAQ--))"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
"WtcMsg" = 1
"WtcSnd" = 1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"W32Tc" = c:\Windows\WTC32.scr
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\
"ProductName" = WtC-WoRm-LaMeR
"RegisteredOwner" = YOU ARE A VICTIM OF THE
"RegisteredOrganization" = WORLD TRADE CENTER
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
"Start Page" = c:\Microsoft NT Help.html
- Virus may write a regedit import file to the hard drive as c:\Pict232.reg – the purpose of the import file is to modify the registry for the P2P file sharing application Kazaa and change its default share folder to the Windows\System32 folder
- Virus may construct email messages using a table of possible subject lines and body text, then send messages to each contact with two infectious file attachments, one with a .SCR extension and the other named c:\Plug-In_EXT.dll
- Virus may attempt to delete files on the hard drive in these locations –
C:\Windows\System32\*.ocx
C:\Windows\*.sys
C:\Windows\*.*
- Virus may also search the hard drive for files with the following extensions –
.ai
.avi
.bmp
.com
.doc
.frx
.htm
.html
.htt
.jpg
.mp3
.mpg
.pif
.psd
.rar
.rtf
.txt
.vbp
.wav
.zip
and when found, will replace their contents with a copy of the virus and append an .EXE extension, so that ORIGINAL.WAV becomes ORIGINAL.WAV.EXE
- Virus may then replace all other files found on the hard drive with a copy of itself under the same file name; for instance VOLTRACK.VXD, originally 18,491 bytes, becomes 118,784 bytes – this replacement affects files with .386, .LNK, .DLL, .EXE and .SCR extensions along with most other files not yet infected
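Triage helpers written for this entry as an added example (not part of the original analysis): the file size, extension list, dropped paths and registry data are taken from the analysis above, the .reg export is a constructed sample, and the size match is a heuristic rather than a signature.

```python
import re
from pathlib import PureWindowsPath

VOTE_E_SIZE = 118_784  # size of the virus body, from the analysis above
TARGET_EXTS = {".ai", ".avi", ".bmp", ".com", ".doc", ".frx", ".htm", ".html", ".htt", ".jpg",
               ".mp3", ".mpg", ".pif", ".psd", ".rar", ".rtf", ".txt", ".vbp", ".wav", ".zip"}
DROPPED = {r"c:\autorun.com", r"c:\nt-help.com", r"c:\op_me.co_", r"c:\windows\wtc32.scr",
           r"c:\pict232.reg", r"c:\plug-in_ext.dll", r"c:\microsoft nt help.html"}
# (value name, data) pairs the virus writes, lower-cased for comparison
REG_INDICATORS = {("w32tc", r"c:\windows\wtc32.scr"), ("wtcmsg", "1"), ("wtcsnd", "1"),
                  ("productname", "wtc-worm-lamer"), ("window title", "((--usa-->>wtc<<--iraq--))")}

def classify_file(path, size):
    """Explain why a (path, size) entry looks like a Vote.E artefact, or return None."""
    p = PureWindowsPath(path)
    if str(p).lower() in DROPPED:
        return "dropped component"
    suf = [s.lower() for s in p.suffixes]
    # ORIGINAL.WAV -> ORIGINAL.WAV.EXE: a targeted extension followed by .EXE
    if len(suf) >= 2 and suf[-1] == ".exe" and suf[-2] in TARGET_EXTS:
        return "double-extension overwrite"
    # Same-name replacement (e.g. VOLTRACK.VXD): size is the only tell, so unrelated 118,784-byte files are flagged too
    if size == VOTE_E_SIZE:
        return "same-name overwrite (size matches virus body)"
    return None

_REG_LINE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]+)|"(.*)")$')
def scan_reg_export(text):
    """Return (key, value name) pairs from a .reg export that match REG_INDICATORS."""
    hits, key = [], ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # key path that the following values belong to
            continue
        m = _REG_LINE.match(line)
        if not m:
            continue
        name, dword, string = m.groups()
        # .reg exports write DWORDs as hex and double every backslash in strings
        data = str(int(dword, 16)) if dword is not None else string.replace("\\\\", "\\")
        if (name.lower(), data.lower()) in REG_INDICATORS:
            hits.append((key, name))
    return hits

# Constructed sample .reg export (not a real capture) with one benign value mixed in
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"W32Tc"="c:\\Windows\\WTC32.scr"
"Harmless"="c:\\Program Files\\app.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"WtcMsg"=dword:00000001'''
```

Feed `classify_file` a directory listing (path and size per entry) and `scan_reg_export` the output of `reg export`; any hit on the Run key value is the persistence point named in the analysis.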
Telemetry
Detection Availability
Product | Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |