Content

W32/Voterai.worm.b

Type
Virus
SubType
Worm
Discovery Date
06/06/2007
Length
97792
Minimum DAT
5048 (06/07/2007)
Updated DAT
6548 (12/02/2011)
Minimum Engine
5.1.00
Description Added
06/06/2007
Description Modified
10/13/2008 2:30 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

Upon running, it drops and displays a picture file of "Raila Odinga", this is just an attention drawer. Apart from copying itself to the system Raila Odinga.gif  is also placed on the desktop and repeatedly opened.

In the meantime, the Raila Odinga.exe binary file is being copied silently copied to the windows directory and creates a registry entry to it:

  •  C:\WINDOWS\system32\drivers\Raila Odinga.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "(Default)"
      Data: C:\WINDOWS\system32\drivers\Raila Odinga

It drops an innocent file called "system.dll" having a filesize of 10240 bytes.

  •  c:\Documents and Settings\userxyz\Local Settings\Temp\nsf5.tmp\System.dll
  •  c:\Documents and Settings\userxyz\Local Settings\Temp\nsv3.tmp\System.dll

A link file is added as:

  •  c:\Documents and Settings\userxyz\Start Menu\Programs\Startup\Raila Odinga.lnk

     

     

    • Symptoms

    • Presence of a malicious 32 bit PE file originally called "Raila Odinga.exe" , having a filesize of 97.579 bytes
    • Picture file "Raila Odinga.gif" being placed on the desktop and repeatedly opened automatically in photo editor. 

     

    Method of Infection

    • Manual infection - there's no exploit associated to it

    Removal

    All Users:
    Use current engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    But in some particular cases, the following steps need to be taken.

    Please go to the Microsoft Recovery Console and restore a clean MBR.

    On Windows XP:

    • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
    • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
    • Select the Windows installation that is compromised and provide the administrator password.
    • Issue 'fixmbr' command to restore the Master Boot Record
    • Follow onscreen instructions.
    • Reset and remove the CD from CD-ROM drive.


    On Windows Vista and 7:

    • Insert the Windows CD into the CD-ROM drive and restart the computer.
    • Click on "Repair Your Computer".
    • When the System Recovery Options dialog comes up, choose the Command Prompt.
    • Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
    • Follow onscreen instructions.
    • Reset and remove the CD from CD-ROM drive.

    Variants

    Variants

      N/A

    All Information

    Overview -

    Detection was added to cover for a malicious 32 bit PE file originally called "Raila Odinga.exe" , having a filesize of 97,792 bytes.

    Aliases

    • DR/NSIS.Voter.A (H+Bedv)
    • TROJ_VOTERAI.A (Trend)
    • Trojan.NSIS.Voter.a (Kaspersky)
    • W32/Voterai.worm.b
    • Worm/Generic.BQP (Grisoft)

    Characteristics

    Characteristics -

    Upon running, it drops and displays a picture file of "Raila Odinga", this is just an attention drawer. Apart from copying itself to the system Raila Odinga.gif  is also placed on the desktop and repeatedly opened.

    In the meantime, the Raila Odinga.exe binary file is being copied silently copied to the windows directory and creates a registry entry to it:

    •  C:\WINDOWS\system32\drivers\Raila Odinga.exe
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "(Default)"
        Data: C:\WINDOWS\system32\drivers\Raila Odinga

    It drops an innocent file called "system.dll" having a filesize of 10240 bytes.

    •  c:\Documents and Settings\userxyz\Local Settings\Temp\nsf5.tmp\System.dll
    •  c:\Documents and Settings\userxyz\Local Settings\Temp\nsv3.tmp\System.dll

    A link file is added as:

  •  c:\Documents and Settings\userxyz\Start Menu\Programs\Startup\Raila Odinga.lnk

     

     

    • Symptoms

    Symptoms -

    • Presence of a malicious 32 bit PE file originally called "Raila Odinga.exe" , having a filesize of 97.579 bytes
    • Picture file "Raila Odinga.gif" being placed on the desktop and repeatedly opened automatically in photo editor. 

     

    Method of Infection

    Method of Infection -

    • Manual infection - there's no exploit associated to it

    Removal -

    Removal -

    All Users:
    Use current engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    But in some particular cases, the following steps need to be taken.

    Please go to the Microsoft Recovery Console and restore a clean MBR.

    On Windows XP:

    • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
    • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
    • Select the Windows installation that is compromised and provide the administrator password.
    • Issue 'fixmbr' command to restore the Master Boot Record
    • Follow onscreen instructions.
    • Reset and remove the CD from CD-ROM drive.


    On Windows Vista and 7:

    • Insert the Windows CD into the CD-ROM drive and restart the computer.
    • Click on "Repair Your Computer".
    • When the System Recovery Options dialog comes up, choose the Command Prompt.
    • Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
    • Follow onscreen instructions.
    • Reset and remove the CD from CD-ROM drive.

    Variants

    Variants -

      N/A