Old 19-10-2001, 09:31 PM   #1   [permalink]
eva2000
Administrator
 
Join Date: 23 Jun 2000
Location: Brisbane, Australia
Posts: 12,407
Alert Oct 10, 2001 - WTC.EXE virus

Thanks to Wolfpac for warning me of this virus. I just received my first few emails with this virus attachment, and luckily I have up-to-date anti-virus definitions and pre-screening of emails prior to being downloaded.

What is this virus?
W32.Vote.gen@mm is a mass-mailing worm that is written in Visual Basic. When it is executed, it emails itself to all email addresses in the Microsoft Outlook address book. The worm inserts three .vbs files on the system. It also modifies the Internet Explorer home page. W32.Vote.gen@mm is a variant of W32.Vote.A@mm. The main difference is that it inserts three VBS scripts instead of two.

Damage:

Payload:
- Large scale e-mailing: Emails everyone in the Microsoft Outlook address book
- Deletes files: After reboot, the worm attempts to delete all files in the Windows folder
- Modifies files: All files with the extension "htm" or "html" will be overwritten.
- Compromises security settings: If the Backdoor.Trojan was successfully downloaded and installed, anyone could gain full access to the computer.

Distribution:

Subject of email: Fwd:PEaCe BetWeen AmeRiCa And ISLaM !
Name of attachment: WTC.EXE
Size of attachment: 56,320 bytes

Technical Description

W32.Vote.A@mm is a mass-mailing worm written in the Visual Basic language. It requires the file Msvbvm50.dll to execute.

When executed, the worm will attempt to email itself to all contacts in the Microsoft Outlook address book. The email will appear as follows.

Quote:
Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!

Message:
Hi
iS iT A waR Against AmeriCa Or IsLaM !?
Let's Vote To Live in Peace!
Attachment: WTC.EXE

In addition, the worm will attempt to download and execute a file. This file is detected as Backdoor.Trojan by Norton Antivirus.

Finally, the worm will attempt to delete all files from several folders. These folders appear to be the default installation folders for several antivirus products. For Norton AntiVirus, this worm will only attempt to delete the files if Norton Antivirus is located in C:\Program Files\Norton AntiVirus.

=============================
Please members update your anti-virus software and DO NOT open WTC.EXE attachments!
__________________
be afraid... Admin cap is back... !
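The indicators given in the post above (subject line, attachment name, attachment size) are the kind of thing a mail pre-screening step can match before delivery. The following is an added example, not part of the original thread: the function names and sample messages are constructed for illustration, and the sample attachment is zero-byte padding only.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Indicators exactly as stated in the post above.
ATTACHMENT_NAME = "wtc.exe"
ATTACHMENT_SIZE = 56320  # bytes ("56,320 bytes")
# The post shows two case/spacing variants of the subject, so compare
# a lower-cased, whitespace-free form rather than the literal string.
SUBJECT_KEY = "fwd:peacebetweenamericaandislam!"

def normalize(text):
    """Lower-case and remove all whitespace so variants compare equal."""
    return re.sub(r"\s+", "", text or "").lower()

def screen_message(raw):
    """Return the indicators from the post that a raw RFC 822 message matches."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    if normalize(str(msg.get("Subject", ""))) == SUBJECT_KEY:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body parts and containers carry no filename
        payload = part.get_payload(decode=True) or b""
        if name.strip().lower() == ATTACHMENT_NAME:
            hits.append("attachment-name")
            if len(payload) == ATTACHMENT_SIZE:
                hits.append("attachment-size")
        elif name.lower().endswith(".exe"):
            hits.append("other-executable")
    return hits

def build_sample(subject, filename, size):
    """Constructed test message; attachment is NUL padding, not malware."""
    m = EmailMessage()
    m["Subject"] = subject
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m.set_content("Hi")
    m.add_attachment(b"\x00" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    raw = build_sample("Fwd:PEaCe BetWeen AmeRiCa And ISLaM !", "WTC.EXE", 56320)
    print(screen_message(raw))
```

A message matching all three indicators is a strong candidate for quarantine; a name-only match still warrants holding the message, since the size could differ between variants.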
Old 19-10-2001, 10:00 PM   #2   [permalink]
Drizzten
Ex Moderator V.I.P.
 
Join Date: 21 Sep 2000
Location: Austin, TX
Posts: 13,383
...or don't use Microsoft Outlook. It's a friggin' magnet for virii.

Anyone who blindly opens e-mail attachments by now hasn't been getting the hint.
__________________
Magnifisyncopathological, because other people are not your property.
Old 20-10-2001, 04:38 AM   #3   [permalink]
gaspacho soup
Forum Master
 
Join Date: 25 Jun 2000
Posts: 2,237
Anyone moronic enough to open up a suspicious looking .exe file, after all this time, deserves to receive whatever punishment the worm may have.
Old 20-10-2001, 06:09 AM   #4   [permalink]
Maguamaru
Forum Master
 
Join Date: 9 Jul 2000
Location: hello animeboards friends :)
Posts: 4,799
Right, guys, NOW I'm getting worried.

Ok, I NEVER open attachments unless I've known the person who sent them for some time, and the email is written in their definitive style... and I have to have been expecting it, too.
However, I have absolutely no virus protection software on my PC, so I'm an idiot. Is Norton Antivirus free? I don't have much money, see. If it isn't, what's the best one I can get free of charge?
__________________
90% BITCH 10% ANGEL 100% GRRL ^_^
Old 21-10-2001, 10:03 PM   #5   [permalink]
Pengi_Ken-Ohki
Registered User
 
Join Date: 23 Sep 2000
Location: 0.0
Posts: 11,640
Quote:
Originally posted by Drizzten
...or don't use Microsoft Outlook. It's a friggin' magnet for virii.

Anyone who blindly opens e-mail attachments by now hasn't been getting the hint.
Melissa *should* have been the first and last of this sort.. unfortunately 'I love you' came along to remind us, and then a few more since. What is really ------ up here is that they used the WTC events for it.
 

All times are GMT -4. The time now is 08:34 AM.