W32/Voterai.worm.d

This page shows details and results of our analysis of the malware W32/Voterai.worm.d.

Overview

W32/Voterai.worm.d is a destructive worm designed to carry out a dubious political campaign for the Kenyan elections.


Minimum Engine

5600.1067

File Length

100,014 bytes

Description Added

2007-11-19

Description Modified

2007-11-20

Malware Proliferation

Characteristics

W32/Voterai.worm.d is a particularly damaging worm related to the election campaign in Kenya. When started, the malware turns the user's machine into a complete zombie. It disables almost every security product that may be installed on the machine, and modifies the system registry to block almost any operation the user may perform, for example rebooting the machine from the Start menu, running Task Manager, opening Control Panel and more.

As soon as these operations have been performed, the malware copies itself into several folders around the computer, in particular:

  • %WINDIR%\Debug\explorer.exe
  • %WINDIR%\Installer\SMSS.EXE
  • %WINDIR%\Installer\Userinit.exe
  • %SYSDIR%\DLLCACHE\LSASS.EXE
  • %SYSDIR%\DLLCACHE\smss.exe

In addition, the malware makes sure that it starts again after the machine is rebooted, by modifying registry keys to point to the files listed above.

With the machine turned into a zombie, the malware starts displaying its propaganda message (the message itself is not reproduced here).

In addition, the malware can spread using autorun techniques. Note also that it is designed to start even in Safe Mode.
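The paragraphs above list the drop locations, the registry-based persistence, the lockdown of Task Manager, Control Panel and Start-menu shutdown, and autorun spreading. The following read-only PowerShell triage script is an added example, not code from the original analysis page, that checks a host for those indicators. It assumes %SYSDIR% expands to the System32 folder, it scans the common Run and Winlogon autostart keys because the page does not name which registry keys the worm modifies, and the policy value names (DisableTaskMgr, NoControlPanel, NoClose) are the standard Windows values that produce the described symptoms, not values taken from the page.

```powershell
# Added defender-side triage script for the W32/Voterai.worm.d description.
# Read-only: it reports matching indicators and does not remove anything.

# Drop locations listed in the description; %WINDIR% and %SYSDIR% expanded via $env:windir
# (assumption: %SYSDIR% is the System32 folder).
$dropPaths = @(
    "$env:windir\Debug\explorer.exe",
    "$env:windir\Installer\SMSS.EXE",
    "$env:windir\Installer\Userinit.exe",
    "$env:windir\System32\DLLCACHE\LSASS.EXE",
    "$env:windir\System32\DLLCACHE\smss.exe"
)

# Assumed autostart locations to inspect: the page says registry keys point at the files
# above but does not name the keys, so the usual Run and Winlogon keys are scanned.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Standard Windows policy values (not named on the page) matching the described symptoms:
# Task Manager disabled, Control Panel hidden, Start-menu shutdown removed.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoClose' }
)

$findings = @()

# 1. Dropped copies of the worm. The description gives a file length of 100,014 bytes,
#    so a size match strengthens the finding; a mismatch is still reported.
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p) {
        $len  = (Get-Item -LiteralPath $p).Length
        $note = if ($len -eq 100014) { 'length matches description' } else { "length $len" }
        $findings += "File present: $p ($note)"
    }
}

# 2. Autostart values that reference one of the drop paths.
foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $val = [string]$prop.Value
        foreach ($p in $dropPaths) {
            if ($val -and $val.ToLower().Contains($p.ToLower())) {
                $findings += "Autostart reference: $key\$($prop.Name) = $val"
            }
        }
    }
}

# 3. Lockdown policies that explain the "machine is unusable" symptoms.
foreach ($c in $policyChecks) {
    if (Test-Path $c.Path) {
        $v = (Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue).($c.Name)
        if ($v -eq 1) { $findings += "Lockdown policy set: $($c.Path)\$($c.Name) = 1" }
    }
}

# 4. Autorun spreading: autorun.inf on removable drives (DriveType 2) whose open= or
#    shellexecute= line launches something.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $inf = Join-Path $_.DeviceID 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $lines = Get-Content -LiteralPath $inf | Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }
        foreach ($l in $lines) { $findings += "autorun.inf on $($_.DeviceID): $l" }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the W32/Voterai.worm.d description found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it from an elevated PowerShell prompt on the suspect host; because the worm disables Task Manager and similar tools, running it from a clean boot environment or over a remote session is more reliable than from the infected desktop. Any hit should be confirmed with the engine and DAT files named in the Removal section rather than treated as proof on its own, since legitimate software can also set these policy values.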

Symptoms

  • The infected machine is completely unusable
  • Inability to shut down the computer using the start menu
  • Propaganda messages popping up

Method of Infection

The malware needs manual activation in order to start its malicious activities. However, it uses social engineering techniques combined with worm capabilities to trick the user into activating it.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants