Worm_vote.k

[email protected] and its destructive variants have been consolidated. Deleting Grayware File/Link Right-click Start then click Search... It also drops the WTC.TXT file into the root of the C:\ drive.

The worm has a lot of bugs and many of its features don't work.

WORM_VOTE.K
Virus type: Worm
Destructive: Yes
Aliases: [emailprotected], Win32:WTC-Voted [Wrm]
Overall risk rating: Low
Reported infections: Low
Damage Potential: High
Distribution

However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Once found, it deletes these files and drops the malicious HTML file using the name of the deleted files, appending an HTM extension to the name.

We observed the worm sending the following e-mails: Subject: . Overwrites all EXE, COM and SCR files on the entire hard disk with its body. 4. or Find..., depending on the version of Windows you are running. The following text strings can be found in this worm's body: We Will Always Remember Those Lost Souls W.T.C.

  1. Attached File: WTC32.SCR and WTC32.DLL Note: %Email address% is the email address of the recipient and %s% is any of the following strings: NOW OUR MISSION: DEATH ?
  2. Close all Internet Explorer windows.
  3. Attachments: WTC32.SCR WTC32.DLL %Email address% is the email address of the recipient and %s% can be any of the following text strings: NOW OUR MISSION: DEATH ?
  4. No Peace Before KiLLing TeRRoRists! Attachment: anti_terrorism.exe All three worms display the following message when they are executed: I promiss We WiLL Rule The World AgainBy The Way, You Are Captured By
  5. In the Named...
  6. The AVP weekly updates are available for registered AVP users at the following link: AVP. The Central Command Virus Answer for [email protected] is available at the following link: Virus Answer.

To do this, Trend Micro customers must download the latest pattern file and scan their system. By design it should have saved there the following files: 18_Britney_Sucking_Sex_ Teen_Pussy_Hardcore_Sex_ XXX_Christina_Celebrities_Pamela_Sex_Screensaver_ XXX_Teens_Hot_Gauge_Aria_Jennifer_Sex_Screensaver_ F*cking_Hot_Horny_Screensaver_ Orgy_Incest_Illegal_Sex_ These files would have had the following extensions: .jpg.scr .mpg.scr .avi.scr 7. Solution: Terminating the Malware Program This procedure terminates the running malware process from memory.

It is then registered as a Browser Helper Object... WE COUNT ON YOU ! %Email address% Greetings, World War Veterans. AUTOSTART.BAT, in turn, drops the following copies of itself: C:\suPs\YYYBP.BAT C:\Autorun.bak C:\Windows\Startm~1\Programs\StartUp\CNIAD.BAT C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NTFS.BAT It also drops a text file, C:\WTC.TXT, which contains the following string: You Are Attachment: WTC32.DLL This file contains the following text: Users In Harmony With God !

To check if the malware process has been terminated, close Task Manager, and then open it again.

It assigns the suPs folder as drive L:. IRAQ SURRENDERS !? Running Trend Micro Antivirus Scan your system with Trend Micro antivirus and delete all files detected as WORM_VOTE.K.

where is a number of infected e-mails that the worm sent. Open Registry Editor. WORLD WAR SCENES FROM IRAQ !

Open System Configuration Editor. The first window contains the Barrio trojan, which the worms attempt to download. WORLD TRADE CENTER, REVENGE !

DIAL_PORNAF.415 ...able to terminate the grayware process as described in the previous procedure, restart your system. Analysis by: Mark Vincent Yason

SOLUTION Minimum scan engine version needed: 5.600 Pattern file needed: 1.631.36 Pattern release date: Sep 10, 2003 Important note: The "Minimum scan engine" refers to the earliest This file contains the following text: You Are A Victim Of The WTC Worm !

Protection has been included in virus definitions for Intelligent Updater and LiveUpdate since September 26, 2001.

DIAL_PORNAF.139 ...able to terminate the grayware process as described in the previous procedure, restart your system. During a period of increased activity, it is strongly recommended that administrators employ all e-mail security measures to prevent infections and the distribution of viruses. Removing Autostart Entries from the Registry Removing autostart entries from registry prevents the malware from executing during startup. This E-mail was requested by <Plug-In_EXT.dll entry for target machine> Attachment: C:\USA.VS.IRAQ.PEACE.scr C:\Plug-In_EXT.dll Note: %Email address% is the email address of the recipient while %s% can be any of the following

Also, please restore the system from backup or perform a reinstallation. REMEMBER OUR LOST SOULS !

THE WORLD WAR THREE IS HERE ! The file dalal.vbs is identical to zacker.vbs. TrendMicro detects these malicious .HTML files as HTML_VOTE.K. The files zacker.vbs and dalal.vbs attempt to delete all of the files in the \%Windows% folder.

You're welcome! Example: If the name of the file is README.TXT, this is deleted and a copy of the malware file named README.TXT.HTM is created to replace the deleted file. The worm creates this folder but fails to save any files there.

REMEMBER OUR LOST SOULS ! WORLD TRADE CENTER, REVENGE ! WE COUNT ON YOU ! %Email address% Greetings, World War II Veterans.

The second browser attempts to connect to the author's site. It drops several copies of itself in the default ICQ shared folder: C:\Program Files\ICQ\shared files The dropped copies may have any of the following file names: Matrix-Reloaded-<random number>.mpg.scr Terminator-3-<random number>.avi.scr PS- See Attachments For War Scenes.

Email Propagation This worm uses Microsoft Outlook to send copies of itself to all recipients found in the system's Outlook address book. For additional information about this threat, see: Description created: Sep. 10, 2003 6:03:26 AM GMT -0800

TECHNICAL DETAILS Size of malware: 2,416 Bytes Initial samples received on: Sep 10, 2003 Related to: WORM_VOTE.K Clicking the link executes one of its dropped copies, C:\NT-HELP.COM.

This trend in launching attacks through a social engineering tool is likely to continue as events develop and attract the attention of hacktivists and virus writers wanting to exploit a user's WORLD TRADE CENTER, REVENGE ! It arrives as an attachment in an email message with the following details: Subject: %Email address%. %s% THE WAR HAS STARTED!