Vote
Vote
Type Mass mailer worm
Creator
Date Discovered 2001.09.24
Place of Origin
Source Language Visual Basic
Platform MS Windows
File Type(s) .exe, .vbs
Infection Length 57,344 bytes
Reported Costs

Vote was a worm that appeared shortly after the attacks in the US on the World Trade Center and Pentagon in 2001. It exploited the recent tragedy as a social engineering tactic to spread.

Behavior

Vote arrives in an email with a subject line of "Fwd:Peace BeTweeN AmeriCa And IsLaM !". The attachment is WTC.EXE. The message body is as follows:

  Hi 
  iS iT A waR Against AmeriCa Or IsLaM !? 
  Let's Vote To Live in Peace!

When executed, the worm copies itself to the Windows directory. It creates the VBS files MixDaLaL.vbs in the Windows directory and and ZaCker.vbs in the system directory. MixDaLaL.vbs overwrites all .HTM and .HTML files on all fixed and network drives with the text "AmeRiCa …Few Days WiLL Show You What We Can Do !!! It's Our Turn »> ZaCkEr is So Sorry For You .". ZaCker.vbs is added to the local machine run key and it deletes the System directory, displays a message box containing the text "I promiss We WiLL Rule The World Again…By The Way,You Are Captured By ZaCker !!!", adds FORMAT C: to AUTOEXEC.BAT and exits Windows. It may fail to do the last two.

The main executable may try to delete antivirus software from some directories. It also overwrites .wav, .mp3, .jpg, .bmp, .zip, .rar, .doc, .scr and .exe files with a copy of itself and those that do not have an .exe or .scr extension get an .exe extension added to them. The worm opens two Internet Explorer windows. One is a fake voting booth. The other attempts to download the Barrio trojan from a Yahoo site. This trojan collects passwords and fowards them to a pre-defined e-mail address.

Vote composes its email and uses standard Windows Mail API to access the user's address book. It will send itself through any email program using the API (mostly Outlook) that uses this API to all email addresses in the address book.

Variants

Vote's family goes all the way up to Vote.K. Most are functionally similar to the original, including the fact that many coding mistakes mean they don't function the way the creator intended. Variant K appeared in September of 2003, almost exactly two years after the original. It makes the System folder a Kazaa share folder and attempts to make copies of itself there. It succedes in creating making the folder shared, but fails in copying any files there.

Effects

The worm did not become very widespread. McAfee found only a few cases isolated in North America. That company's heuristics were able to detect the worm as soon as it came out. Network associates claimed to have also found "a few".

Other Facts

In the wake of the September 11th attacks, it is likely the worm was expected to be very widespread, but its spreading ability was hampered by the fact that it destroyed the systems it took residence in. F-Secure speculates it was written by a teenager. It's most destructive functions often failed to work, even in the later variants.

Sources

McAffee Antivirus, W32/Vote.a@MM. 2001.09.25-2003,06.02

F-Secure, Email-Worm:W32/Vote.

Alexey Podrezov, Katrin Tocheva. Vote.K. 2003.09.10

John Leyden. The Register, Virus exploits fears over war on terror. 2001.09.25

Sam Costello. IDG News, PCWorld, Worm Takes Advantage of Terrorist Attacks. 2001.09.24

CNN, New 'war vote' virus exploits terror attacks. 2001.09.26

Robert Lemos. CNet News, New worm exploits terrorist attacks. 2001.09.24

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License