WIN32/VOTE.55808

A new worm, W32/Vote.A, hit the streets yesterday (09/24/01), taking advantage of the current social and political climate in the aftermath of the terrorist attack on the WTC.

The worm arrives as an attachment to an e-mail message with the following subject:

Fwd: Peace be between America and Islam!

The body of the message urges the recipient to vote for living in peace. It reads:

Hi Is it a war against America or Islam ! ? Let's vote to live in peace!

When the attachment WTC.EXE is executed, the worm sends e-mails to all addresses in the Outlook address book. It also drops a Visual Basic script (detected by NOD32 without any need to update the system!), which searches all drives and overwrites .htm and .html files with the following text:

America . .. Few days will show you what we can do !!! It's our turn >>> Zacker is so sorry for you.

In addition, the worm changes the browser home page so that a password-stealing Trojan can be downloaded onto the infected computer. Subsequently, the worm attempts to disable certain antivirus programs on the computer by deleting their installation directories.

Finally, the worm drops another VBS script (zacker.vbs) in the Windows system directory and adds a new registry entry so that the script is executed after the infected computer restarts. The role of this script is to delete all the files in the Windows directory and to add a new command to the autoexec.bat file that attempts to reformat the hard drive after the reboot. The worm says goodbye by displaying the following message:

I promiss we will rule the world again... By the way, you are captured by Zacker !!!

NOD32 users with version 1.109 or higher are protected against all of the worm's payloads.
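
A triage check for the on-disk traces described above, as an added example that is not part of the original advisory or of NOD32: it walks a directory tree (for instance a read-only mount of a suspect disk) and reports overwritten .htm/.html files, a dropped zacker.vbs, and an autoexec.bat that invokes FORMAT. The advisory does not quote the autoexec.bat command, so the FORMAT pattern is an assumption, and the files created in demo() are constructed samples.

```python
import os
import re
import tempfile

# Marker taken from the defacement text quoted in the advisory (lower-cased).
DEFACE_MARKER = b"zacker is so sorry for you"
# Assumption: the advisory does not quote the autoexec.bat line, so any line
# that runs FORMAT against a drive letter is flagged for manual review.
FORMAT_LINE = re.compile(rb"^[^\r\n]*\bformat(?:\.com)?\s+[a-z]:", re.I | re.M)

def _read(path, limit=65536):
    """Return the first `limit` bytes of a file, or b'' if it is unreadable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(limit)
    except OSError:
        return b""

def scan_tree(root):
    """Walk root (e.g. a read-only mount of the suspect disk) and list hits."""
    hits = {"defaced_html": [], "dropped_script": [], "autoexec_format": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path, lower = os.path.join(dirpath, name), name.lower()
            if lower == "zacker.vbs":
                hits["dropped_script"].append(path)
            elif lower.endswith((".htm", ".html")) and DEFACE_MARKER in _read(path).lower():
                hits["defaced_html"].append(path)
            elif lower == "autoexec.bat" and FORMAT_LINE.search(_read(path)):
                hits["autoexec_format"].append(path)
    return hits

def demo():
    """Scan a small constructed tree (sample data, not real worm artifacts)."""
    samples = {
        "site/index.html": b"<p>It's our turn >>> Zacker is so sorry for you.</p>",
        "site/clean.htm": b"<html><body>hello</body></html>",
        "WINDOWS/SYSTEM/ZACKER.VBS": b"' constructed placeholder file",
        "AUTOEXEC.BAT": b"@echo off\r\nformat c:\r\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return {kind: sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in paths)
                for kind, paths in scan_tree(root).items()}

if __name__ == "__main__":
    print(demo())
```

A hit in any category is a lead for manual review rather than a verdict; the registry entry mentioned above is not checked because the advisory does not name it.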