[ISN] Warnings issued about new 'WTC' virus

From: InfoSec News (isnat_private)
Date: Wed Sep 26 2001 - 01:45:07 PDT

  • Next message: InfoSec News: "[ISN] Massive search reveals no secret code in web images"

    September 24, 2001
    Security experts today issued a warning about a dangerous new virus
    that is spread via e-mail and takes advantage of people's curiosity
    and interest in the recent terrorist attack against the U.S. and the
    political fallout between Muslims and non-Muslims.
    Officials at antivirus vendor Trend Micro Inc. in Cupertino, Calif.,
    said companies should be on the lookout for the "WTC.exe" virus, which
    arrives via an e-mail attachment and carries malicious code that
    reformats the recipient PC's hard drive, deletes files and attempts to
    eliminate the system's antivirus protection software.
    The virus comes almost two weeks after the Sept. 11 terrorist attacks
    against the World Trade Center (WTC) and the Pentagon and uses social
    engineering to prey on individuals' natural curiosity about the
    attacks. The subject line of the e-mail carrying the virus is known to
    read "FW: Peace between America and Islam," according to Susan Orbuch,
    a spokeswoman for Trend Micro. Likewise, the body of the message
    reads, "Hi, Is it a war against America or Islam. Lets Vote to live in
    The attacks against the Trade Center and Pentagon have been linked to
    international terrorist Osama bin Laden, who has declared a jihad, or
    Islamic holy war, against the U.S. Since then, Muslim-American
    religious leaders and other political leaders, including President
    Bush, have gone out of their way to inform people that bin Laden and
    his extremist terrorist organization don't represent the beliefs of
    Islam or of the Muslim world in general.
    So far, Trend Micro has received only spot reports of infections, said
    However, "the timely social engineering of this virus leads us to
    believe that it has a high likelihood of spreading," she said.
    "Corporations should be using content filters ... to block executables
    at the gateway so folks don't even have a chance to open these
    The name of the virus is TROJ_VOTE.A. Preliminary analysis by Trend
    Micro indicates that it was created using Visual Basic 5 and uses
    Microsoft Outlook address book to propagate. In addition to
    reformatting the user's hard drive, the virus also deletes certain AV
    files, installs a file called Zacker.vbs, modifies the Internet
    Explorer start-up page and modifies the user's autoexec.bat file to
    include a command to reformat drive C.
    Jack Danahy, senior vice president of server security at WatchGuard
    Technologies Inc. in Seattle, said the new virus is similar to the "I
    Love You" virus because it first sends a copy of itself to everybody
    in the recipient's e-mail address book.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Sep 26 2001 - 07:24:02 PDT