Date: Tue, 25 Sep 2001 09:05:10 -0400 (EDT) From: BCPL.NET SysAdmin To: BCPL.NET News Subject: BCPL.NET NEWS: "Vote Worm" Virus Alert ------------------------------------------------- VOTE WORM USES WORLD TRADE CENTER TRAGEDY AS PLOY ------------------------------------------------- I suppose it was bound to happen. Some slimeball has written a virus capitalizing on the World Trade Center disaster. Popularly known as the "Vote Worm" or the "WTC Worm", it is also known as W32/Vote@MM, TROJ_VOTE.A, WTC, and I-Worm.Vote. The Vote Worm affects PCs running all versions of Windows. It does not affect Macintosh OS or UNIX computers. The Vote Worm is a simple Visual Basic virus spread as an e-mail file attachment called "WTC.exe". It uses the World Trade Center tragedy as a ploy to get people to open the attachment. If the e-mail recipient opens the attachment, the PC on which it is opened becomes infected. The e-mail sent by the Vote Worm has the following characteristics: o From: o Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM! o Message Text: Hi iS iT A waR Against AmeriCa Or IsLaM !? Let's Vote To Live in Peace! o File Attachment: WTC.EXE The address on the e-mail's "From:" line is the address of the owner of the sending PC, and the Vote Worm mails to addresses found in the infected PC's address book, so it is likely that the apparent sender will be someone known to you. If you receive a message with the above characteristics, delete it no matter who it is from. DO NOT open the file attachment. Never open ANY unexpected file attachment! The following happen when a PC becomes infected: o The Vote Worm e-mails itself to everyone in the Microsoft Outlook or Outlook Express address book on the infected PC. o The Vote Worm attempts to install the Backdoor.Trojan on the infected PC. If successful, anyone can obtain full remote access to the infected PC. o At the next reboot, if the operating system is Windows 95, Windows 98, or Windows ME, the Vote Worm attempts to delete all files in the Windows directory on the infected PC. It may also attempt to reformat the c: drive. o All files with the extension ".htm" or ".html" will be overwritten. The replacement files all carry the message "AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You". Please see the following URLs for more detailed information: http://www.F-Secure.com/v-descs/vote.shtml http://www.symantec.com/avcenter/venc/data/w32.vote.a@mm.html http://vil.mcafee.com/dispVirus.asp?virus_k=99212& All popular anti-virus programs have the ability to recognize and deal with Vote infections, but only if your virus description database (DAT filer) is up to date. If you have an anti-virus program you should update your DAT file immediately. If you don't have an anti-virus program, we recommend highly that you obtain one AND that you keep it up to date. -- BCPL.NET INTERNET SERVICES 320 York Road Towson, MD 21204-5179 U.S.A. CONTACTS: -------- Web Site: http://www.bcpl.net Administration & Policy: ispadmin@bcpl.net 410-887-6180 Sales, Renewals, Account Status: accounts@bcpl.net 410-887-4172 Technical Support (Help Desk): help@bcpl.net 410-887-3297 Usenet News Newsgroup Requests news-admin@bcpl.net 410-887-6180 E-Mail & Newsgroup Abuse Reports: abuse@bcpl.net 410-887-6180 Domain Name Service Issues: dnsadmin@bcpl.net 410-887-6180 FAX: 410-887-2091