'Vote' worm uses terror attacks to delete files

A new worm that can delete files from infected hard drives is using the terrorist attacks of two weeks ago, as well as the expected U.S. military response, to trick users into executing it, according to Ian Hameroff, business manager for security solutions at Computer Associates International Inc. (CA). Exact details of how the worm works, however, are not yet clear as different security companies have different analyses.

The worm, dubbed "Vote" by CA due to its message, is a mass mailer which sends itself to e-mail addresses harvested from the Windows address book of infected systems, Hameroff said. However, along with sending large amounts of e-mail, the worm also overwrites HTML (hypertext markup language) files on the infected computer and can delete the system's Windows directory and reformat the hard drive when the machine is restarted, he said.

Vote arrives in an in-box with the subject line "Peace between America and Islam," Hameroff said. The body text of the e-mail reads "Hi. Is it a war against America or Islam? Let's vote to live in peace." Included in the e-mail is an attached document called WTC.exe, Hameroff said. When the attachment is double-clicked, the computer is infected.

Once the infection has occurred, all HTML files on the system are changed to include the text "America a few days we will show you what we can do. It's our turn. Zacker is sorry for you," Hameroff said. Additionally, Vote attempts to delete all the files in the system's Windows directory if the infected system is rebooted, he said.

Antivirus firm Trend Micro Inc. has also seen the Vote worm, but has seen it act differently, according to a spokeswoman. Vote is a Visual Basic script (VBS) that deletes some files used by antivirus programs and changes the start-up page for Internet Explorer, according to Trend. Trend's details are still sketchy, though it also has found the feature of reformatting the hard drive on reboot, which it attributes to a modification of the Autoexec.bat file in DOS.

Vote is seen as a low-risk worm by Network Associates Inc. -- which owns the McAfee group of antivirus companies and products -- according to Vincent Gullotto, senior director of McAfee's AVERT labs. McAfee has only seen a handful of cases of the worm, all isolated to North America, he said. There have been no confirmed infections of the virus so far seen by McAfee, he added.

Vote is "clearly a message that's trying to prey on people," he said, adding that "it might have some success" given recent events and the possibility that users will confuse it with a benign PowerPoint presentation about New York that's making the rounds. Though McAfee products have been able to detect the worm via heuristics for a while, the company will also release an update to block it soon, he said. When antivirus programs are run in heuristics mode, they can block code that shares characteristics with malicious code, even if the antivirus program does not have a specific definition for the code it's blocking.

Whether the worm takes hold and infects many PCs will depend on home users, as corporate networks are likely well-protected against infection, he said.

Vote is not yet widespread, though it only began showing up Monday morning, CA's Hameroff said. Infections by the virus can be prevented if users do not open attachments or if companies filter .exe attachments so that they are not allowed into the corporate network.

"If any company is allowing executable files past their servers and into their environment, this is a key time to reevaluate that policy," Hameroff said.

CA does not yet have an update to its my-eTrust.com antivirus service to fight Vote, but expects to post one later today, he said.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Sam Costello

Computerworld
Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Compare & Save

Deals powered by WhistleOut
WhistleOut

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?