W32/Vote.a@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 09/24/2001
Length: 55,808
Minimum DAT: 4163 (09/26/2001)
Updated DAT: 4163 (09/26/2001)
Minimum Engine: 5.1.00
Description Added: 09/24/2001
Description Modified: 06/02/2003 8:49 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

--- Update June 02, 2003 ---
AVERT has received two more variants of this worm: W32/Vote.d@MM (detected proactively as "New Worm") and W32/Vote.e@MM (detected proactively as W32/GenericP2P.worm).
---

--- Update September 25, 2001 ---
AVERT has received very few customer samples of this threat.
---

This mass-mailing worm is detected heuristically, with program heuristics turned on, as New Backdoor with the 4100 (or newer) DAT files. Full non-heuristic detection was included in the 4163 DATs.

W32/Vote@MM is a mass-mailing worm which can delete system files. It arrives with an email message containing the following information:

Subject: Fwd:Peace BeTweeN AmeriCa And IsLaM !
Body:

Hi
iS iT A waR Against AmeriCa Or IsLaM !?
Let's Vote To Live in Peace!

Attachment: WTC.EXE

When the attachment is run, two VBScript files are created, MixDaLaL.vbs and ZaCker.vbs. MixDaLaL.vbs is saved to the WINDOWS directory and run immediately. It overwrites all .HTM and .HTML files on all fixed and network drives with the text:

AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You .

The hidden file attribute is also set on these files.

ZaCker.vbs is created in the WINDOWS SYSTEM directory and a registry key is created to run this file at startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Norton.Thar=C:\WINDOWS\SYSTEM\ZaCker.vbs

ZaCker.vbs contains instructions to delete all files in the WINDOWS directory, add a FORMAT C: command to the AUTOEXEC.BAT file (this action fails), display a message box containing the text "I promiss We WiLL Rule The World Again...By The Way,You Are Captured By ZaCker !!!", and exit Windows (this fails as well).

The main executable attempts to delete anti-virus software from specific directories. It also tries to download a trojan from a Yahoo user's site; that trojan is detected as PWS-CT with the 4088 DATs and greater.
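A defender's triage check for the indicators described above, added here as an example and not part of AVERT's description: it flags the Run value named above (or any Run value launching ZaCker.vbs), finds .HTM/.HTML files whose content is the defacement text, and lists the two dropped VBScript names. The registry reader uses winreg on Windows and returns an empty result elsewhere; the scan root passed in and any sample files are constructed by the caller.

```python
import os

# Indicators taken from the description above.
DEFACEMENT_TEXT = ("AmeRiCa ...Few Days WiLL Show You What We Can Do !!! "
                   "It's Our Turn >>> ZaCkEr is So Sorry For You .")
RUN_VALUE_NAME = "Norton.Thar"
DROPPED_SCRIPTS = {"mixdalal.vbs", "zacker.vbs"}

def read_run_values():
    """Return {name: data} from HKLM\\...\\Run on Windows, {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    values, index = {}, 0
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the values are exhausted
                return values
            values[name] = data
            index += 1

def suspicious_run_values(run_values):
    """Names of Run values using the worm's entry name or launching ZaCker.vbs."""
    return sorted(name for name, data in run_values.items()
                  if name == RUN_VALUE_NAME
                  or str(data).lower().endswith("zacker.vbs"))

def find_defaced_html(root):
    """Paths of .htm/.html files under root whose content is the defacement text."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".htm", ".html")):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="latin-1") as fh:
                head = fh.read(len(DEFACEMENT_TEXT) + 16)  # a prefix suffices
            if head.strip() == DEFACEMENT_TEXT:
                hits.append(full)
    return sorted(hits)

def find_dropped_scripts(root):
    """Paths whose file name matches either VBScript the worm creates."""
    return sorted(os.path.join(d, f) for d, _, fs in os.walk(root)
                  for f in fs if f.lower() in DROPPED_SCRIPTS)
```

A hit from any of the three checks is a reason to follow the Removal steps below rather than proof on its own that the payload ran.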

Symptoms

- Overwritten .HTM and .HTML files
- Files missing from the WINDOWS directory and subdirectories
- Email correspondents telling you that you've sent them a virus when you did not knowingly do so

Method of Infection

This virus arrives as an email attachment. Executing this attachment causes the virus to send itself to all users found in the Microsoft Outlook Address Book.

Removal

Use specified engine and DAT files for detection and removal.

Delete any file which contains this detection.

Overwritten/deleted files must be restored from backup or reinstalled. As this threat deletes system files it may be necessary to reinstall the operating system and potentially other applications (especially anti-virus software) as well. Simply finding an infected file on your computer doesn't necessarily warrant this action as it is contingent on the virus actually executing certain parts of its code.

1) Ensure that your anti-virus software will run without errors (reinstall if necessary).
2) Scan and repair your system.
3) If files are missing and error messages are displayed, reinstall the operating system.
4) If files are still missing and error messages are still being displayed, reinstall any application that is not functioning properly.
5) Restore any .HTM and .HTML files which were overwritten by the virus and deleted by the scanner.

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Vote (AVP)
  • TROJ_VOTE.A (Trend)
  • W32.Vote.A@mm (NAV)
  • W32/Vote.defaced
  • W32/Vote.vbs
  • W32/Vote@MM
  • Win32.Vote.A (CA)
