
W32/Voterai.worm.f

Type: Virus
SubType: Worm
Discovery Date: 12/06/2007
Length: 95,918 bytes
Minimum DAT: 5179 (12/06/2007)
Updated DAT: 5179 (12/06/2007)
Minimum Engine: 5.1.00
Description Added: 12/06/2007
Description Modified: 12/13/2007 2:36 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low


Characteristics

W32/Voterai.worm.f is a particularly damaging worm tied to an election campaign in Kenya. When started, the malware turns the user's machine into what is effectively a zombie: it disables almost every security product that may be installed and modifies the system registry to block almost any operation the user might perform, such as rebooting the machine from the Start menu, launching Task Manager, or opening Control Panel.

Once these operations have been performed, the malware creates the following folders in the root of the C: drive and in the root of any mapped drives:

  • C:\My Docs
  • C:\Vista

The following files, each a copy of the worm, are created in the folders listed above:

  • My Cv.exe
  • game.exe

The worm also copies itself to various folders across the computer, in particular:

  • Documents and Settings\All Users\Documents\Music.exe
  • Documents and Settings\All Users\Start Menu\Programs\Startup\defaults.pif
  • %WINDIR%\Debug\explorer.exe
  • %WINDIR%\Installer\winlogon.exe
  • %WINDIR%\Installer\SMSS.exe
  • %SYSDIR%\DLLCACHE\LSASS.EXE
  • %SYSDIR%\DLLCACHE\userinit.exe

The following registry keys are created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit" = C:\WINDOWS\System32\userinit.exe, C:\WINDOWS\installer\winlogon.exe
  • HKEY_CLASSES_ROOT\Folder\shell\Kibaki "(Default)" = &Emilio Mwai Kibaki
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "HideClock" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoControlPanel" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDrives" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFind" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFolderOptions" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoRun" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableCMD" = 1
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System "DisableCMD" = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "NoControlPanel" = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "NoFolderOptions" = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "NoRun" = 1

 

A file KIB.HTM is created in the root of every drive. This file is opened and displays the following message whenever the user attempts to run Task Manager or open the Registry Editor (Regedit.exe).

[Image of the KIB.HTM message, not included in this extract]

Additionally, the following registry key is created so that the browser home page shows the same image as above:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = C:\kib.htm

The malware can also spread using autorun techniques, and it is designed to start even when the machine is booted in Safe Mode.
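The indicators above (policy values, the Userinit entry, the context-menu verb, the hijacked start page, and the dropped files) can be audited on a host with the script below. It is an added example, not part of McAfee's description and not the vendor's removal tool: it is read-only, reports what it finds, and leaves cleanup to the engine and DAT files named under Removal. It assumes Windows PowerShell 3.0 or later; the variable names (`$findings`, `$policyChecks`, `$candidates`) are the example's own, and the two "Documents and Settings\All Users" paths are resolved through `$env:ALLUSERSPROFILE`, which is only accurate on Windows XP (on later Windows that variable points at C:\ProgramData).

```powershell
<#
  Added example, not part of the McAfee description: a read-only audit of a
  Windows host for the W32/Voterai.worm.f indicators listed above. It reports
  findings and deletes nothing. Assumptions: Windows PowerShell 3.0+; the
  "Documents and Settings\All Users" paths resolve via $env:ALLUSERSPROFILE
  (true on XP; on newer Windows that variable points at C:\ProgramData).
#>

$findings = New-Object System.Collections.Generic.List[string]
$listedLength = 95918   # "Length" field of the description

# --- 1. Explorer/System policy values the worm sets to 1 -------------------
$policyChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Names = 'HideClock','NoControlPanel','NoDrives','NoFind','NoFolderOptions','NoRun' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Names = @('DisableCMD') },
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Names = @('DisableCMD') },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Names = 'NoControlPanel','NoFolderOptions','NoRun' }
)
foreach ($check in $policyChecks) {
    if (-not (Test-Path -Path $check.Key)) { continue }
    $props = Get-ItemProperty -Path $check.Key
    foreach ($name in $check.Names) {
        $value = $props.$name
        if ($null -ne $value -and [int]$value -eq 1) {
            $findings.Add("Policy restriction set: $($check.Key) '$name' = $value")
        }
    }
}

# --- 2. Winlogon Userinit: the worm appends C:\WINDOWS\installer\winlogon.exe
# so that its copy runs at every logon. Anything beyond the real userinit.exe
# is reported.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogonKey -Name 'Userinit').Userinit
$expectedUserinit = Join-Path $env:SystemRoot 'system32\userinit.exe'
$extraEntries = ($userinit -split ',') | ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and ($_ -ine $expectedUserinit) }
foreach ($entry in $extraEntries) {
    $findings.Add("Unexpected Userinit entry (runs at every logon): $entry")
}

# --- 3. Folder context-menu verb and hijacked IE start page ----------------
if (Test-Path -Path 'Registry::HKEY_CLASSES_ROOT\Folder\shell\Kibaki') {
    $findings.Add('Context-menu verb present: HKEY_CLASSES_ROOT\Folder\shell\Kibaki')
}
$ieMain = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ieMain -and $ieMain.'Start Page' -ilike '*\kib.htm') {
    $findings.Add("IE start page points at dropped file: $($ieMain.'Start Page')")
}

# --- 4. Dropped files: fixed locations plus the root of every drive --------
$candidates = New-Object System.Collections.Generic.List[string]
@('Debug\explorer.exe', 'Installer\winlogon.exe', 'Installer\SMSS.exe',
  'system32\dllcache\LSASS.EXE', 'system32\dllcache\userinit.exe') |
    ForEach-Object { $candidates.Add((Join-Path $env:SystemRoot $_)) }
@('Documents\Music.exe', 'Start Menu\Programs\Startup\defaults.pif') |
    ForEach-Object { $candidates.Add((Join-Path $env:ALLUSERSPROFILE $_)) }
$roots = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root } | ForEach-Object { $_.Root }
foreach ($root in $roots) {
    $candidates.Add((Join-Path $root 'KIB.HTM'))
    foreach ($dir in 'My Docs', 'Vista') {
        foreach ($file in 'My Cv.exe', 'game.exe') {
            $candidates.Add((Join-Path $root (Join-Path $dir $file)))
        }
    }
}
foreach ($path in $candidates) {
    if (-not (Test-Path -Path $path -PathType Leaf)) { continue }
    $size = (Get-Item -Path $path -Force).Length
    $note = if ($size -eq $listedLength) { 'size matches the listed length' } else { "size $size bytes" }
    # dllcache normally holds legitimate copies of LSASS.EXE and userinit.exe
    # (Windows File Protection); a copy there is only suspicious when it
    # differs from the one in system32, so compare before treating it as a hit.
    if ($path -ilike '*\dllcache\*') {
        $sys32Copy = Join-Path $env:SystemRoot ('system32\' + (Split-Path -Path $path -Leaf))
        if ((Test-Path -Path $sys32Copy) -and ((Get-Item -Path $sys32Copy).Length -eq $size)) { continue }
        $note += ' (differs in size from the system32 copy)'
    }
    $findings.Add("File present: $path ($note)")
}

# --- 5. Report -------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Output 'No W32/Voterai.worm.f indicators found.'
} else {
    Write-Output "$($findings.Count) indicator(s) found:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from an elevated PowerShell prompt so the HKLM and %WINDIR% locations are readable. The dllcache comparison matters in practice: on XP those two file names are expected there as Windows File Protection copies, and reporting every occurrence would bury the real hits in false positives. Because the worm disables cmd.exe and Task Manager, the audit is best run from a clean boot medium or a remote session rather than from an interactive logon on the suspect host.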

Symptoms

  • The infected machine is completely unusable
  • Inability to shut down the computer using the Start menu
  • Propaganda messages popping up

Method of Infection

The malware needs manual activation in order to start its malicious activities. However, it uses social engineering techniques combined with worm capabilities to trick the user into activating it.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

  N/A

Overview

W32/Voterai.worm.f is a destructive worm designed to run a dubious political campaign for the Kenyan elections.

It disables many system settings, including the Registry and Task Manager.
