X

New worm exploits terrorist attacks

Antivirus companies warn that an e-mail message asking for peace between America and Islam actually carries an extremely malicious and destructive payload.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
See full bio
Robert Lemos
2 min read
Antivirus companies warned Monday that an e-mail message asking for peace between America and Islam actually carries an extremely malicious and destructive payload.

Known as W32.Vote and WTC.exe, the worm--if opened--wipes out the PC's system files and overwrites HTML files with the sinister-sounding message: "AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You."

"It's pretty nasty," Susan Orbuch, spokeswoman for antivirus company Trend Micro, said of the worm. "I hope that no one gets it."

Already, several people apparently have. Security software makers Symantec and Network Associates reported a handful of reports of W32.Vote infections.

"It's real," said Vincent Gullotto, director of Network Associates' antivirus emergency response team. "We have a couple of samples in from the field. We are giving it a low risk."

Last week, the FBI warned the public that virus writers might start camouflaging their malicious programs by taking advantage of the interest in the recent terrorist attacks. W32.Vote is apparently the first such virus or worm to go into circulation.

W32.Vote appears to be a sympathetic piece of chain mail. The infected e-mail carries the subject line: "Fwd: Peace BeTween AmeriCa And IsLam !" The main body of the message states: "Hi! iS iT A waR Against AmeriCa Or IsLam! Let's Vote To Live in Peace!"

If a PC user opens the attachment "wtc.exe" on a computer using Microsoft Windows 95, 98, Me or 2000, the worm executes.

When it activates, the worm first attempts to mail itself to every e-mail address stored in the Microsoft Outlook address book. Then the worm saves two Visual Basic program files onto the computer: MixDaLaL.vbs and ZaCker.vbs. The worm also tries to download and run a file that would install a backdoor to the PC for online intruders to exploit later.

The worm then executes MixDaLaL.vbs from the Windows System folder. MixDaLa scans every hard drive for files with .htm and .html extensions. When the files are found, the worm overwrites them with the aforementioned message.

The other component of the worm, ZaCker.vbs, runs after the computer is restarted. The script attempts to delete all files in the Windows directory and overwrite the file used to start up the computer with commands that attempt to format the main hard drive. Because the necessary system files are gone, the last attack fails, but the other attacks result in the PC being rendered unbootable.

Finally, before the last shutdown, the worm displays the message: "I promises We WiLL Rule The Wold Again...By The Way,You Are Captured By ZaCker !!!"

While the worm may require owners of infected PCs to reinstall their operating system, Network Associates' Gullotto said most companies should be safe.

"In the corporate space, most people block executable (programs)," he said. "You might see it in the home-user space. Everyone's emotions are pretty raw right now, so they may click on something like this."