A new worm that can delete files from infected hard drives is using the terrorist attacks of two weeks ago, as well as the expected U.S. military response, to trick users into executing it, according to Ian Hameroff, business manager for security solutions at Computer Associates International Inc (CA). Exact details of how the worm works, however, are not yet clear as different security companies have different analyses.
The worm, dubbed “Vote” by CA due to its message, is a mass mailer which sends itself to e-mail addresses harvested from the Windows address book of infected systems, Hameroff said. However, along with sending large amounts of e-mail, the worm also overwrites HTML (hypertext markup language) files on the infected computer and can delete the system’s Windows directory and reformat the hard drive when the machine is restarted, he said.
Vote arrives in an in-box with the subject line “Peace between America and Islam,” Hameroff said. The body text of the e-mail reads “Hi. Is it a war against America or Islam? Let’s vote to live in peace.” Included in the e-mail is an attached document called WTC.exe, Hameroff said. When the attachment is double-clicked, the computer is infected.
Once the infection has occurred, all HTML files on the system are changed to include the text “America a few days we will show you what we can do. It’s our turn. Zacker is sorry for you,” Hameroff said. Additionally, Vote attempts to delete all the files in the system’s Windows directory if the infected system is rebooted, he said.
Antivirus firm Trend Micro Inc. has also seen the Vote worm, but has seen it act differently, according to a spokeswoman. Vote is a Visual Basic script (VBS) that deletes some files used by anti-virus programs and changes the start-up page for Internet Explorer, according to Trend. Trend’s details are still sketchy, though it also has found the feature of reformatting the hard drive on reboot, which it attributes to a modification of the Autoexec.bat file in DOS.
Vote is seen as a low-risk worm by Network Associates Inc. – which owns the McAfee group of anti-virus companies and products – according to Vincent Gullotto, senior director of McAfee’s AVERT labs. McAfee has only seen a handful of cases of the worm, all isolated to North America, he said. There have been no confirmed infections of the virus so far seen by McAfee, he added.
Vote is “clearly a message that’s trying to prey on people,” he said, adding that “it might have some success” given recent events and the possibility that users will confuse it with a benign PowerPoint presentation about New York that’s making the rounds. Though McAfee products have been able to detect the worm via heuristics for a while, the company will also release an update to block it soon, he said. When antivirus programs are run in heuristics mode, they can block code that shares characteristics with malicious code, even if the antivirus program does not have a specific definition for the code it’s blocking.
Whether the worm takes hold and infects many PCs will depend on home users, as corporate networks are likely well protected against infection, he said.
Vote is not yet widespread, though it only began showing up Monday morning, CA’s Hameroff said. Infections by the virus can be prevented if users do not open attachments or if companies filter .exe attachments so that they are not allowed into the corporate network.
“If any company is allowing executable files past their servers and into their environment, this is a key time to reevaluate that policy,” Hameroff said.
CA does not yet have an update to its my-eTrust.com antivirus service to fight Vote, but expects to post one later today, he said.
Computer Associates, based in Islandia, N.Y., can be reached at http://www.ca.com/.