W32/Vote.D@mm

Analysis

  • The virus is a 32-bit executable with a file size of 61,440 bytes.
  • When executed, the virus may display a dialogue box referencing the World Trade Center:
    WORLD TRADE CENTER
    WE WILL ALWAYS REMEMBER THOSE LOST SOULS.
    [OK]
  • This is followed by a second dialogue box whose title and text are chosen from a table of possible message box titles and contents. The message below is just one example; the other variations are of the same type and subject:
    VICTIM # 6480
    I LOVED MY GIRLFRIEND. I GUESS SHE NEVER CAME BACK BECAUSE SHE DIED C*MMING
    WHILE F*CKING MY FATHER
    [OK]
  • The virus may write itself to the hard drive as:

    c:\Autorun.com
    c:\Windows\WTC32.scr

  • The virus modifies the registry so that the Internet Explorer start page points to the local file WTC32.scr:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
    "Start Page" = c:\Windows\WTC32.scr

  • The virus modifies the system registry to change how the infected computer appears and operates, and to load itself at Windows startup:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    "WtcSnd" = 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    "W32Tc" = c:\Windows\WTC32.scr

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\
    "ProductName" = w32.hllp.I-Worm.WTC.03
    "RegisteredOwner" = YOU ARE A VICTIM OF THE
    "RegisteredOrganization" = WORLD TRADE CENTER

  • The virus may construct email messages from a table of possible subject lines and body texts, then send itself as an email attachment named “WTC32.scr”.

  • The virus may also search the hard drive for files with the following extensions:
    .bmp
    .jpg
    .wav
    .zip

    When found, it replaces their contents with a copy of the virus and appends an .EXE extension, so that ORIGINAL.WAV becomes ORIGINAL.WAV.EXE.

  • The virus may then replace all .EXE and .SCR files found on the hard drive with a copy of itself under the same file name; for instance, WINFILE.EXE, originally 155,424 bytes, becomes 61,440 bytes.
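As an added defender-side example (not part of the original analysis), the following Python script checks a host file inventory and a dump of registry values against the indicators listed above: the dropped files, the double-extension renames, .EXE/.SCR files shrunk or grown to exactly the virus size, and the modified registry values. The sample inventory and registry data are constructed for illustration; the HKCU/HKLM hive abbreviations and the case-insensitive path matching are assumptions of the example.

```python
# Indicators taken from the analysis above; sample host data further down is constructed.
VIRUS_SIZE = 61_440                                  # size of the virus body in bytes
DROPPED_FILES = {r"c:\autorun.com", r"c:\windows\wtc32.scr"}
OVERWRITTEN_EXT = (".bmp", ".jpg", ".wav", ".zip")   # originals get ".exe" appended
REGISTRY_IOCS = {                                    # full value path -> expected data
    r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page": r"c:\windows\wtc32.scr",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\WtcSnd": "1",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\W32Tc": r"c:\windows\wtc32.scr",
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProductName": "w32.hllp.I-Worm.WTC.03",
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\RegisteredOwner": "YOU ARE A VICTIM OF THE",
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization": "WORLD TRADE CENTER",
}

def scan_files(inventory):
    """inventory: iterable of (path, size_in_bytes). Returns a list of (path, reason)."""
    findings = []
    for path, size in inventory:
        low = path.lower()                           # Windows paths are case-insensitive
        if low in DROPPED_FILES:
            findings.append((path, "dropped file"))
        elif low.endswith(".exe") and low[:-4].endswith(OVERWRITTEN_EXT):
            # e.g. ORIGINAL.WAV.EXE: a media/archive file overwritten and renamed
            findings.append((path, "double extension"))
        elif low.endswith((".exe", ".scr")) and size == VIRUS_SIZE:
            # executables replaced wholesale end up exactly the virus size
            findings.append((path, "exe/scr of virus size"))
    return findings

def check_registry(values):
    """values: dict of full value path -> data as read from a host. Returns matching IoC paths."""
    host = {k.lower(): str(v).lower() for k, v in values.items()}
    return sorted(k for k, v in REGISTRY_IOCS.items() if host.get(k.lower()) == v.lower())

# Constructed sample data, not taken from a real infected host.
SAMPLE_FILES = [
    (r"c:\Windows\WTC32.scr", 61_440),
    (r"c:\Windows\winfile.exe", 61_440),
    (r"c:\Windows\notepad.exe", 53_248),
    (r"c:\My Documents\holiday.jpg.EXE", 61_440),
    (r"c:\My Documents\report.zip", 8_192),
]
SAMPLE_REGISTRY = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\W32Tc": r"C:\WINDOWS\WTC32.SCR",
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProductName": "Microsoft Windows 98",
}

if __name__ == "__main__":
    for path, reason in scan_files(SAMPLE_FILES):
        print(f"{reason:22} {path}")
    for key in check_registry(SAMPLE_REGISTRY):
        print(f"registry IoC           {key}")
```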

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR