Home / malware Email-Worm:W32/Vote.B
First posted on 30 July 2010.
Source: SecurityHomeAliases :
There are no other names known for Email-Worm:W32/Vote.B.
Explanation :
This type of worm is embedded in an e-mail attachment, and spreads using the infected computer's e-mailing networks.
Additional DetailsEmail-Worm:W32/Vote.B shares similar code to its predecessor, Vote.A, but includes a number of significant differences in function.
A more recent variant, Vote.C, combines features of Vote.A and Vote.B. Vote.C is functionally identical to Vote.B, but is propagated via e-mail messages identical to those used to distribute Vote.A.
Propagation
Vote.B propagates in e-mail messages that look like this:
€ From: name-of-the-infected-user € To: random-name-from-address-book € Subject: Fwd: This War Must Be Done !
Hi
We Must Fight , We Must ReMemBer Our Victims!
€ Attachment: WTC.exe
Installation
Vote.B drops the following files:
€ [windows_dir]\Anti_TeRRoRisM.exe - worm binary € [windows_dir]\MixDaLaL.vbs - HTML destroyer script € [system_dir]\DaLaL.vbs - first part of payload € [system_dir]\WaiL.vbs - second part of payload
Unlike Vote.A, Vote.B does not try to remove any anti-virus program.
Activity
The payload routine was split to two parts. The first one tries to modify autoexec.bat and registers the second part. Autoexec.bat modification fortunately still does not work.
The second part of the script is the one that deletes all the files from Windows folder then displays the following message:Last update 30 July 2010
