W32/Vote.D@mm
Analysis
- The virus is a 32-bit executable with a file size of 61,440 bytes.
- When executed, it may display a dialog box referring to the World Trade Center:
  WORLD TRADE CENTER
  WE WILL ALWAYS REMEMBER THOSE LOST SOULS.
  [OK]
- This dialog box is followed by a second one whose title and text are chosen from a table of possible message box titles and message box contents. Below is just one example; the other variations are of the same type and on the same subject:
  VICTIM # 6480
  I LOVED MY GIRLFRIEND. I GUESS SHE NEVER CAME BACK BECAUSE SHE DIED C*MMING
  WHILE F*CKING MY FATHER
  [OK]
- The virus may write itself to the hard drive as:
  c:\Autorun.com
  c:\Windows\WTC32.scr
- It modifies the registry so that the Internet Explorer start page points to the local file WTC32.scr:
  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
  "Start Page" = c:\Windows\WTC32.scr
- It makes further changes to the system registry to alter how the infected computer appears and operates, and to load the virus at Windows startup:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
  "WtcSnd" = 1
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
  "W32Tc" = c:\Windows\WTC32.scr
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\
  "ProductName" = w32.hllp.I-Worm.WTC.03
  "RegisteredOwner" = YOU ARE A VICTIM OF THE
  "RegisteredOrganization" = WORLD TRADE CENTER
- The virus may construct email messages using a table of possible subject lines and body texts, then send itself as an email attachment named "WTC32.scr".
- It may also search the hard drive for files with the following extensions:
  .bmp
  .jpg
  .wav
  .zip
  When such a file is found, the virus replaces its contents with a copy of itself and appends an .EXE extension, so that ORIGINAL.WAV becomes ORIGINAL.WAV.EXE.
- It may then replace all .EXE and .SCR files found on the hard drive with a copy of itself under the same file name; for instance, WINFILE.EXE, previously 155,424 bytes, becomes 61,440 bytes.
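The host artifacts listed above (the two dropped files, the media files renamed with a trailing .EXE, executables shrunk to the 61,440-byte worm size, and the four registry changes) are concrete enough to hunt for offline. The script below is an added example, not part of the Fortinet write-up or any Fortinet tooling: it sweeps a directory tree for the file-level indicators and parses a text registry export (.reg format) for the key/value changes. The indicator values are taken from the analysis; the sample directory layout and the sample registry export are constructed here for illustration.

```python
"""Hunt for the file and registry artifacts described for W32/Vote.D@mm.

Added example (not Fortinet code). Indicator values come from the analysis;
the sample tree and registry export below are constructed for the demo.
"""
from __future__ import annotations

import os
import re
import shutil
import tempfile

WORM_SIZE = 61_440                                # worm body size per the analysis
DROPPED_NAMES = {"autorun.com", "wtc32.scr"}      # names of the files it drops
MEDIA_EXTS = (".bmp", ".jpg", ".wav", ".zip")     # extensions it overwrites and renames
EXEC_EXTS = (".exe", ".scr")                      # extensions it replaces wholesale


def classify_file(path: str, size: int) -> str | None:
    """Return a finding label for one file, or None if nothing matches."""
    name = os.path.basename(path).lower()
    if name in DROPPED_NAMES:
        return "dropped-file-name"
    # ORIGINAL.WAV -> ORIGINAL.WAV.EXE: a media extension directly before .exe
    if name.endswith(".exe") and name[:-4].endswith(MEDIA_EXTS):
        return "media-file-renamed-exe"
    # WINFILE.EXE (155,424 bytes) replaced by a 61,440-byte copy of the worm
    if name.endswith(EXEC_EXTS) and size == WORM_SIZE:
        return "exec-file-worm-size"
    return None


def scan_tree(root: str) -> list[tuple[str, str]]:
    """Walk root and return sorted (relative path, finding) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            label = classify_file(full, os.path.getsize(full))
            if label:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, label))
    return sorted(findings)


# (key path suffix, value name or None for any, substring expected in data or None, label)
REG_RULES = [
    (r"internet explorer\main", "start page", ".scr", "ie-start-page-to-scr"),
    (r"currentversion\run", None, "wtc32.scr", "run-key-loads-wtc32"),
    (r"windows\currentversion", "wtcsnd", None, "wtcsnd-marker"),
    (r"windows nt\currentversion", "productname", "i-worm", "productname-overwritten"),
]

_VALUE_LINE = re.compile(r'"([^"]+)"=(?:"(.*)"|(.*))$')


def scan_reg_export(text: str) -> list[str]:
    """Parse a .reg export and return labels for the values matching REG_RULES."""
    findings = []
    key = ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # current key path
            continue
        m = _VALUE_LINE.match(line)
        if not m:
            continue
        name = m.group(1).lower()
        data = (m.group(2) if m.group(2) is not None else m.group(3)).lower()
        for key_suffix, vname, needle, label in REG_RULES:
            if key.endswith(key_suffix) and (vname is None or name == vname) \
                    and (needle is None or needle in data):
                findings.append(label)
    return findings


# Constructed sample export mirroring the registry changes in the analysis.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="c:\\Windows\\WTC32.scr"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"WtcSnd"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"W32Tc"="c:\\Windows\\WTC32.scr"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion]
"ProductName"="w32.hllp.I-Worm.WTC.03"
'''


def build_sample_tree() -> str:
    """Create a throwaway directory laid out like a post-infection drive (constructed)."""
    root = tempfile.mkdtemp(prefix="vote_d_demo_")
    os.makedirs(os.path.join(root, "Windows"))
    os.makedirs(os.path.join(root, "Music"))
    layout = {
        "Autorun.com": WORM_SIZE,
        "Windows/WTC32.scr": WORM_SIZE,
        "Windows/WINFILE.EXE": WORM_SIZE,   # replaced: was 155,424 bytes
        "Windows/NOTEPAD.EXE": 70_000,      # untouched, different size
        "Music/SONG.WAV.EXE": WORM_SIZE,    # media file overwritten and renamed
        "Music/OTHER.WAV": 5_000,           # still intact
    }
    for rel, size in layout.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for path, label in scan_tree(root):
            print(f"{label:24} {path}")
        for label in scan_reg_export(SAMPLE_REG):
            print(f"{label:24} (registry export)")
    finally:
        shutil.rmtree(root)
```

Point `scan_tree` at a mounted image or an extracted drive copy and `scan_reg_export` at a `reg export` of the HKCU and HKLM hives; the size rule alone is a weak signal (any 61,440-byte executable trips it), so treat it as corroboration for the name, double-extension and registry hits rather than as a verdict on its own.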
Telemetry
Detection Availability
Product | Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |