Virus

W32/Vote.E@mm

Analysis

  • Virus is 32-bit, with a file size of 118,784 bytes
  • If virus is executed, it may display a dialogue box referencing the World Trade Center -
    WORLD TRADE CENTER
    WE WILL ALWAYS REMEMBER THOSE LOST SOULS.
    [OK]
  • This dialogue box is followed by another one whose title and content are chosen from a table of possible message box titles and message box bodies; below is just one example of a message, and the variations are of the same type and subject as this -
    VICTIM # 9375
    I F*CKED MY STEP SISTER
    BUT SHE NEVER MADE ME C*M
    [OK]
  • Virus may write itself to the hard drive –
    c:\Autorun.com
    c:\NT-Help.com
    c:\Op_Me.co_
    c:\Windows\WTC32.scr
  • Virus may then modify mIRC installations to send the file “Op_Me.co_” to others when they join IRC channels, with the suggestion that it is a program to help the recipient become a channel operator, but only if they rename the file to a .COM extension and run it
  • Virus makes modifications to the system registry to change how the infected computer appears and operates, and to load the virus at Windows startup – all of this becomes irrelevant, however, because the virus deletes so many system files that the infected computer is left useless –
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    "Window Title" = "((--USA-->>WTC<<--IRAQ--))"
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\
    "Window Title" = "((--USA-->>WTC<<--IRAQ--))"

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    "WtcMsg" = 1
    "WtcSnd" = 1

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run\
    "W32Tc" = c:\Windows\WTC32.scr

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\
    "ProductName" = WtC-WoRm-LaMeR
    "RegisteredOwner" = YOU ARE A VICTIM OF THE
    "RegisteredOrganization" = WORLD TRADE CENTER

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
    "Start Page" = c:\Microsoft NT Help.html

  • Virus may write a regedit import file to the hard drive as c:\Pict232.reg – the purpose of the import file is to modify the registry settings of the P2P file sharing application Kazaa and change its default share folder to the Windows\System32 folder

  • Virus may construct email messages using a table of possible subject lines and body text, then send a message to each contact with two infectious file attachments, one with a .SCR extension and the other named c:\Plug-In_EXT.dll

  • Virus may attempt to delete files on the hard drive in these locations –
    C:\Windows\System32\*.ocx
    C:\Windows\*.sys
    C:\Windows\*.*

  • Virus may also search the hard drive for files with the following extensions –
    .ai
    .avi
    .bmp
    .com
    .doc
    .frx
    .htm
    .html
    .htt
    .jpg
    .mp3
    .mpg
    .pif
    .psd
    .rar
    .rtf
    .txt
    .vbp
    .wav
    .zip

    and when found, will replace their contents with a copy of the virus and append an .EXE extension, so that ORIGINAL.WAV becomes ORIGINAL.WAV.EXE

  • Virus may then replace all other files found on the hard drive with a copy of itself under the same file name; for instance VOLTRACK.VXD, originally 18,491 bytes, becomes 118,784 bytes – this file replacement occurs for files with .386, .LNK, .DLL, .EXE and .SCR extensions, along with most other files that had not yet been infected
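The dropped file names, the 118,784-byte file size and the ORIGINAL.ext.EXE double-extension pattern described above are enough to triage a disk image for this worm. The following scanner is an added example written for this write-up, not code from the original analysis or from any vendor tool; the directory tree it scans is constructed inline with placeholder contents, so it runs offline.

```python
import os
import shutil
import tempfile

# Indicators taken from the write-up: the worm's file size, the files it
# drops, and the extensions it overwrites and renames to ORIGINAL.ext.EXE.
WORM_SIZE = 118784
DROPPED_NAMES = {"autorun.com", "nt-help.com", "op_me.co_", "wtc32.scr",
                 "pict232.reg", "plug-in_ext.dll"}
TARGET_EXTS = {".ai", ".avi", ".bmp", ".com", ".doc", ".frx", ".htm", ".html",
               ".htt", ".jpg", ".mp3", ".mpg", ".pif", ".psd", ".rar", ".rtf",
               ".txt", ".vbp", ".wav", ".zip"}

def classify(path):
    """Return a verdict string for one file, or None if nothing matches."""
    name = os.path.basename(path).lower()
    size = os.path.getsize(path)
    stem, ext = os.path.splitext(name)
    if name in DROPPED_NAMES:
        return "dropped-file name"
    # e.g. song.wav.exe: inner extension from the target list, worm-sized body
    if ext == ".exe" and os.path.splitext(stem)[1] in TARGET_EXTS and size == WORM_SIZE:
        return "double-extension overwrite"
    if size == WORM_SIZE:
        return "size match"  # weak indicator on its own; review manually
    return None

def scan(root):
    """Walk root and return sorted (relative path, verdict) pairs for hits."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            verdict = classify(full)
            if verdict:
                hits.append((os.path.relpath(full, root).replace(os.sep, "/"), verdict))
    return sorted(hits)

def demo():
    """Build a constructed sample tree (zero-filled placeholders) and scan it."""
    root = tempfile.mkdtemp()
    samples = {"music/song.wav.exe": WORM_SIZE,  # overwritten media file
               "docs/readme.txt": 512,           # untouched document
               "Op_Me.co_": WORM_SIZE,           # dropped mIRC bait file
               "report.exe": 4096,               # ordinary executable
               "pic.jpg.exe": 1000}              # double extension, wrong size
    for rel, size in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"\0" * size)
    try:
        return scan(root)
    finally:
        shutil.rmtree(root)
```

The size check is deliberately kept as the weakest verdict; a real triage would confirm any "size match" hit by hashing it against a known sample.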