'Vote' worm uses terror attacks to delete files

A new worm that can delete files from infected hard drives is using the terrorist attacks of two weeks ago, as well as the expected U.S. military response, to trick users into executing it, according to Ian Hameroff, business manager for security solutions at Computer Associates International Inc. (CA). Exact details of how the worm works, however, are not yet clear as different security companies have different analyses.

The worm, dubbed "Vote" by CA due to its message, is a mass mailer which sends itself to e-mail addresses harvested from the Windows address book of infected systems, Hameroff said. However, along with sending large amounts of e-mail, the worm also overwrites HTML (hypertext markup language) files on the infected computer and can delete the system's Windows directory and reformat the hard drive when the machine is restarted, he said.

Vote arrives in an in-box with the subject line "Peace between America and Islam," Hameroff said. The body text of the e-mail reads "Hi. Is it a war against America or Islam? Let's vote to live in peace." Included in the e-mail is an attached document called WTC.exe, Hameroff said. When the attachment is double-clicked, the computer is infected.

Once the infection has occurred, all HTML files on the system are changed to include the text "America a few days we will show you what we can do. It's our turn. Zacker is sorry for you," Hameroff said. Additionally, Vote attempts to delete all the files in the system's Windows directory if the infected system is rebooted, he said.

Antivirus firm Trend Micro Inc. has also seen the Vote worm, but has seen it act differently, according to a spokeswoman. Vote is a Visual Basic script (VBS) that deletes some files used by antivirus programs and changes the start-up page for Internet Explorer, according to Trend. Trend's details are still sketchy, though it also has found the feature of reformatting the hard drive on reboot, which it attributes to a modification of the Autoexec.bat file in DOS.

Vote is seen as a low-risk worm by Network Associates Inc. -- which owns the McAfee group of antivirus companies and products -- according to Vincent Gullotto, senior director of McAfee's AVERT labs. McAfee has only seen a handful of cases of the worm, all isolated to North America, he said. McAfee has so far seen no confirmed infections of the virus, he added.

Vote is "clearly a message that's trying to prey on people," he said, adding that "it might have some success" given recent events and the possibility that users will confuse it with a benign PowerPoint presentation about New York that's making the rounds. Though McAfee products have been able to detect the worm via heuristics for a while, the company will also release an update to block it soon, he said. When antivirus programs are run in heuristics mode, they can block code that shares characteristics with malicious code, even if the antivirus program does not have a specific definition for the code it's blocking.

Whether the worm takes hold and infects many PCs will depend on home users, as corporate networks are likely well-protected against infection, he said.

Vote is not yet widespread, though it only began showing up Monday morning, CA's Hameroff said. Infections by the virus can be prevented if users do not open attachments or if companies filter .exe attachments so that they are not allowed into the corporate network.

"If any company is allowing executable files past their servers and into their environment, this is a key time to reevaluate that policy," Hameroff said.
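The gateway filtering Hameroff describes can be sketched as follows. This is an added example, not code from the article or from any vendor named in it. The extension list and the sample addresses are assumptions, and the check of the file header goes a step beyond the .exe filter mentioned above so that a renamed executable is also caught.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy list of executable extensions; adjust to site policy.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}


def blocked_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for each attachment a gateway should reject."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        # Trailing spaces or dots must not hide the real extension.
        name = (part.get_filename() or "").strip().rstrip(".")
        payload = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, f"blocked extension {ext}"))
        elif payload[:2] == b"MZ":
            # DOS/Windows executables begin with "MZ" whatever the file is called.
            findings.append((name, "executable header under another name"))
    return findings


def build_sample(filename: str, content: bytes) -> bytes:
    """Constructed test message using the subject and body quoted in the article."""
    m = EmailMessage()
    m["Subject"] = "Peace between America and Islam"
    m["From"] = "sender@example.com"  # placeholder address
    m["To"] = "user@example.com"      # placeholder address
    m.set_content(
        "Hi. Is it a war against America or Islam? Let's vote to live in peace."
    )
    m.add_attachment(content, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    # Harmless constructed bytes: only the two-byte "MZ" marker, no real program.
    for fname, data in [("WTC.exe", b"MZ\x90\x00"),
                        ("photo.jpg", b"MZ\x90\x00"),
                        ("notes.txt", b"hello")]:
        print(fname, blocked_attachments(build_sample(fname, data)))
```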

CA does not yet have an update to its my-eTrust.com antivirus service to fight Vote, but expects to post one later today, he said.


Sam Costello

Computerworld