W32.Vote - Destructive Worm

[2ffat]

This potentially destructive worm arrives with the subject "Fwd: Peace BeTween AmeriCa And IsLam !", the message body of "Hi! iS iT A waR Against AmeriCa Or IsLam! Let's Vote To Live in Peace!", and an attachment named WTC.EXE. If executed, the attachment attempts to mail itself to evey address in Outlook , creates saves two VBS programs, sets the homepage to us.f1.yahoofs.com, which then downloads a password stealing trojan named Troj/Barrio.

One VBS will attempt to overwrite all .HMT and .HTML with "AmeRiCa...Few Days WiLL Show You What We Can Do !!! It's Out Turn >>> ZaCkEr is So Sorry For You", attempt to delete commom antivirus directories, and change the registry to enable the script to be run at bootup.

The other VBS will attempt to delete all files in the Windows directory and add "echo y | format C:" to the autoexec.bat file. This may cause the hard drive to be reformatted at the next boot.

Several AV vendors have put out identities for the worm and the trojan horse. For more info see:

http://www.zdnet.com/zdnn/stories/news/0,4586,5097375,00.html

and news.cnet.com/news/0-1003-200-7285953.html?tag=dd.ne.dtx.nl-hed.0 as well as you AV vendor for more details.
James P. Cottingham

I am the Unknown lead by the Unknowing.
I have done so much with so little
for so long that I am now qualified
to do anything with nothing.

 

[Zelandakh]

James,

Norton covers this virus in its definitions as of yesterday. Anyone running detection software on their mail servers that bins vbs attachments will be covered anyway.

It is not a pretty virus as it deletes a file then tries to call it.

Hmm. Microsoft programmer at work?

Nick