
Worm:Win32/Voterai.G


First posted on 17 July 2010.
Source: SecurityHome

Aliases :

Worm:Win32/Voterai.G is also known as Win32/Voter.worm.163840 (AhnLab), Trojan.NSIS.Voter.a (Kaspersky), TR/Drop.Voter.A.1 (Avira), NSIS/Voter (ESET), W32/Voterai.worm.b (McAfee), W32/Voter.D.worm (Panda), Trojan.Win32.NSIS.a (Rising AV), Mal/Voterai-A (Sophos), W32.Voterai (Symantec), WORM_VOTERAI.N (Trend Micro).

Explanation :

Worm:Win32/Voterai.G is a worm that spreads to all writeable drives. It drops and displays a distinct image, making it easy to identify infection.

Installation

Upon execution, Worm:Win32/Voterai.G drops a copy of itself on the computer as the following:

  • <system folder>\drivers\<malware file name>.exe

Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32. Legitimate content in the drivers folder is almost exclusively .sys files, so an .exe there is itself a useful indicator.

It also modifies the registry so that it automatically runs every time Windows starts:

  Adds value: "@" (the key's default value, not a named entry)
  With data: "<system folder>\drivers\<malware file name>.exe"
  To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

It also drops the following shortcuts, which when executed run its dropped copy:

  • %UserProfile%\Recent\Raila Odinga.gif.lnk
  • %UserProfile%\Start Menu\Programs\Startup\<malware file name>.lnk

It also drops and displays the following image file:

  • %UserProfile%\Desktop\Raila Odinga.gif

A part of this image file was shown in the original writeup (image not reproduced here).

Spreads Via...

Logical drives

Worm:Win32/Voterai.G spreads by copying itself to all writeable drives, including removable drives. It drops the following files:

  • Raila Odinga.gif - similar to the image dropped on the desktop
  • smss.exe - copy of this worm (the genuine smss.exe exists only in the System folder, so a copy in a drive root is a strong signal)
  • autorun.inf - file that enables the worm copy to automatically run when the drive is accessed and Autorun is enabled; Windows only honours autorun.inf from the root of a drive, and Microsoft later (2011) disabled Autorun for non-optical removable media by default on Windows XP, Vista and 7, so this spread path requires an older or unpatched host
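The following PowerShell script is an added example, not part of the original writeup or Microsoft's tooling: a read-only triage check for the installation, persistence and drive-spread indicators described above. The file names, registry location and paths are taken from the writeup; how they are checked (default-value lookup on the Run key, SpecialFolder resolution for the profile paths, shortcut resolution through the WScript.Shell COM object, and the open=/shellexecute= match in autorun.inf) is this example's own approach. Run it as the user whose profile is being examined, since HKCU and the profile folders are per-user.

```powershell
# Added example, not part of the original writeup: read-only host triage for
# the Worm:Win32/Voterai.G indicators listed above. Run it as the user whose
# profile is being checked (the Run key and the profile folders are per-user).
# The file names, paths and registry location come from the writeup; how they
# are checked here is this example's own assumption, not the worm's code.

function Get-VoteraiIndicators {
    $findings = @()

    # 1. Persistence: the worm stores its path in the *default* value ("@")
    #    of HKCU\...\Run. Legitimate software names its Run values, so a
    #    populated default value is suspicious on its own.
    $runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $default = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'(default)'
    if ($default) {
        $findings += "Run key default value is set: $default"
        if ($default -like '*\System32\drivers\*.exe') {
            $findings += "  -> target lies in System32\drivers, the dropped-copy location"
        }
    }

    # 2. Dropped copy: System32\drivers normally holds .sys files, not .exe.
    #    -Force includes hidden files, which droppers commonly set.
    $drivers = Join-Path $env:SystemRoot 'System32\drivers'
    foreach ($exe in Get-ChildItem -Path $drivers -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue) {
        $findings += "Executable in drivers folder: $($exe.FullName)"
    }

    # 3. Profile artifacts. SpecialFolder lookups resolve both the XP-era
    #    %UserProfile%\Recent layout quoted in the writeup and the Vista+ layout.
    $recent  = [Environment]::GetFolderPath('Recent')
    $desktop = [Environment]::GetFolderPath('DesktopDirectory')
    $startup = [Environment]::GetFolderPath('Startup')
    foreach ($p in @((Join-Path $recent 'Raila Odinga.gif.lnk'), (Join-Path $desktop 'Raila Odinga.gif'))) {
        if (Test-Path -LiteralPath $p) { $findings += "Artifact present: $p" }
    }

    # Startup shortcuts are resolved to their target; the worm's .lnk points
    # at the copy under System32\drivers.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($lnk in Get-ChildItem -Path $startup -Filter '*.lnk' -File -Force -ErrorAction SilentlyContinue) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        if ($target -like '*\System32\drivers\*.exe') {
            $findings += "Startup shortcut $($lnk.Name) -> $target"
        }
    }

    # 4. Drive spread: smss.exe and Raila Odinga.gif in a drive root, plus an
    #    autorun.inf whose open=/shellexecute= line launches smss.exe. The
    #    genuine smss.exe lives only in System32, so a root-level copy is a
    #    strong signal by itself.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $root = $drive.Root
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        foreach ($name in @('smss.exe', 'Raila Odinga.gif')) {
            $f = Join-Path $root $name
            if (Test-Path -LiteralPath $f) { $findings += "Dropped file in drive root: $f" }
        }
        $inf = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            $launch = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(open|shellexecute)\s*=.*smss\.exe' }
            if ($launch) { $findings += "autorun.inf on $root launches smss.exe: $($launch -join '; ')" }
        }
    }

    return $findings
}

$results = Get-VoteraiIndicators
if ($results) { $results } else { 'No Voterai.G indicators found.' }
```

The script only reports. Once the hits are confirmed, remediation is the reverse of the installation steps above: clear the Run key's default value (Remove-ItemProperty with -Name '(default)'), delete the copy under System32\drivers and the two shortcuts, and remove autorun.inf, smss.exe and the image from the root of every drive that was attached, since the worm will re-infect the host from a still-infected removable drive if Autorun is enabled.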


Analysis by Francis Allan Tan Seng

Last update 17 July 2010
