Here is some data on it:

W32.Vote.A@mm is a mass-mailing worm that is written in Visual Basic. When executed, it will email itself out to all email addresses in the Microsoft Outlook address book. The worm will insert two .vbs files on the system, and it will also attempt to delete files from several antivirus products.

W32.Vote.A@mm is a mass-mailing worm written in the Visual Basic language. It requires the file Msvbvm50.dll to execute.

When executed, the worm will attempt to email itself to all contacts in the Microsoft Outlook address book. The email will appear as follows.

Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Message: Hi iS iT A waR Against AmeriCa Or IsLaM !? Let's Vote To Live in Peace!
Attachment: WTC.EXE

Next, the worm will insert two .vbs files on the system:

\<Windows folder>\ZaCker.vbs
\<Windows\System folder>\MixDaLaL.vbs

In addition, the worm will attempt to download and execute a file. This file is detected as Backdoor.Trojan by Norton Antivirus.

Finally, the worm will attempt to delete all files from several folders. These folders appear to be the default installation folders for several antivirus products. For Norton AntiVirus, this worm will only attempt to delete the files if Norton Antivirus is located in C:\Program Files\Norton AntiVirus.

Regards,

Jeffrey B. Korte, Information and Physical Security Manager
FirstConsumers National Bank
Voice: 503.520.8398
Fax: 503.520.7941
Pager: 503.921.3105

The information contained in this E-mail message may be privileged, confidential and protected from disclosure. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think you have received this E-mail message in error, please E-mail the sender at jeffrey_korte@private

EKornber@private
Sent by: owner-crime@/var/spool/majordomo/lists/crime
09/25/01 09:18 AM
To: crime@private
cc:
Subject: FW: *** Channel Flash - Virus Alert ***

Did everyone see this?

-----Original Message-----
From: Channel-Partner [mailto:channel-partner@private]
Sent: Monday, September 24, 2001 6:28 PM
To: Channel-Partner@private
Subject: *** Channel Flash - Virus Alert ***

Channel Flash
Monday, Sept. 24, 2001 - CA eTrust Security Alert

Information on the "W32.Vote" Virus

CA's eTrust global antivirus research centers have classified the "W32.Vote" Virus, a new mass mailing virus threat, as medium to high risk.

Vote arrives as an email with the subject heading: "Peace BeTweeN AmeriCa And IsLaM!" and a message body: "Hi iS iT A waR Against AmeriCa Or IsLaM!? Let's Vote to Live in Peace!" with an attachment named WTC.exe. Upon execution the malicious attachment drops a number of text and VBS files, attempts to overwrite html files with a specific text message, and modifies the Windows Registry. Additionally, if the infected computer is rebooted, the virus attempts to delete all the files in the Windows directory.

CA issued a <http://www3.ca.com/Press/PressRelease.asp?id=1765> Virus Alert to all CA users about this new threat and to announce that a new signature for eTrust InoculateIT has already been released by our eTrust global antivirus researchers.

For More on "W32.Vote" and Access to the Latest Signature Files - Visit <http://ca.com/virusinfo/> CA's Virus Information Center.

About CA's eTrust Security

As a leading antivirus vendor - and the #1 provider of security management solutions - we want our Channel Partners to understand how Computer Associates (CA) can protect businesses from these threats. This CA eTrust Security Alert is intended to provide you with invaluable information on the latest security attacks on an on-going basis.

Call CA's Channel Sales Team Today!
1-800-243-9462, Option 5

_____

To contact the CA Channel Marketing Team email <mailto:ask_channel@private> ask_channels@private

You have received the CA Channel Flash because as a CA Partner, we believe this content can help you drive your bottom line. If you would like us to remove your name from this mail list, please send an email to <mailto:listserv@private> listserv@private with the text "SIGNOFF Channel-Partner" in the body of the email and leave the Subject field empty.

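
A mail-gateway style check for the two message indicators that both advisories in this thread report (the subject line and the WTC.EXE attachment), as an added example that is not part of the original posts. The function names, sample addresses and constructed test messages are assumptions; matching folds case and strips forwarding prefixes because the two advisories quote the subject differently.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators quoted in the advisories in this thread.
SUBJECT_CORE = "peace between america and islam!"
ATTACHMENT_NAME = "wtc.exe"


def normalize_subject(raw):
    """Collapse whitespace, drop Fwd:/Fw:/Re: prefixes, fold case."""
    s = re.sub(r"\s+", " ", str(raw or "")).strip()
    s = re.sub(r"^((fwd?|re)\s*:\s*)+", "", s, flags=re.IGNORECASE)
    return s.casefold()


def vote_indicators(raw_bytes):
    """Return which W32.Vote mail indicators appear in one raw message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hits = set()
    if normalize_subject(msg["Subject"]) == SUBJECT_CORE:
        hits.add("subject")
    for part in msg.walk():
        name = part.get_filename()  # Content-Disposition filename, if any
        if name and name.strip().casefold() == ATTACHMENT_NAME:
            hits.add("attachment")
    return hits


def build_sample(subject, filename):
    """Constructed message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"   # hypothetical addresses
    m["To"] = "rcpt@example.com"
    m["Subject"] = subject
    m.set_content("constructed body text")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [("Fwd:Peace BeTweeN AmeriCa and IsLaM!", "WTC.EXE"),
               ("Peace BeTweeN AmeriCa And IsLaM!", "WTC.exe"),
               ("Quarterly report", "report.pdf")]
    for subject, filename in samples:
        print(subject, "->", sorted(vote_indicators(build_sample(subject, filename))))
```

The function returns the set of matched indicators rather than a verdict, so a filter can quarantine on both and only log on a subject-only match.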
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:26:00 PDT