W32/Voterai.worm.f

This page shows the details and results of our analysis of the malware W32/Voterai.worm.f.

Overview

W32/Voterai.worm.f is a destructive worm designed to run a dubious political campaign for the Kenyan elections.

It disables many system settings including the Registry and Task Manager.


Minimum DAT

5179 (2007-12-06)

Updated DAT

5179 (2007-12-06)

Minimum Engine

5400.1158

File Length

95,918 bytes

Description Added

2007-12-06

Description Modified

2007-12-13

Characteristics

W32/Voterai.worm.f is a particularly damaging worm related to the election campaign in Kenya. When started, the malware turns the user's machine into a zombie: it disables almost every security product that may be installed on the machine and modifies the system registry to block almost any operation the user might perform, such as rebooting the machine from the Start menu, running Task Manager, or opening the Control Panel.

As soon as these changes have been made, the malware creates the following folders in the root of the C: drive and of any mapped drives:

  • C:\My Docs
  • C:\Vista

The following files, each a copy of this worm, are created in the folders listed above:

  • My Cv.exe
  • game.exe

This worm also copies itself into various folders across the system, in particular:

  • Documents and Settings\All Users\Documents\Music.exe
  • Documents and Settings\All Users\Start Menu\Programs\Startup\defaults.pif
  • %WINDIR%\Debug\explorer.exe
  • %WINDIR%\Installer\winlogon.exe
  • %WINDIR%\Installer\SMSS.exe
  • %SYSDIR%\DLLCACHE\LSASS.EXE
  • %SYSDIR%\DLLCACHE\userinit.exe

The following registry values are created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit" = C:\WINDOWS\System32\userinit.exe, C:\WINDOWS\installer\winlogon.exe
  • HKEY_CLASSES_ROOT\Folder\shell\Kibaki "(Default)" = &Emilio Mwai Kibaki
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "HideClock" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoControlPanel" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDrives" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFind" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFolderOptions" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoRun" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableCMD" = 1
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System "DisableCMD" = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "NoControlPanel" = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "NoFolderOptions" = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "NoRun" = 1

A file KIB.HTM is created in the root of all drives. This file runs and displays the following message if an attempt is made to run Task Manager or open the Registry Editor (Regedit.exe).

[image of the propaganda message displayed by KIB.HTM; not reproduced in this text]

Additionally, the following registry value is created so that the browser home page shows the same message:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = C:\kib.htm

In addition, the malware spreads using autorun techniques, and it is designed to start even when the machine is booted in Safe Mode.
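As an added example that is not part of this description, the following Python checks a registry snapshot for the policy values and the Userinit modification listed above and builds the remediation list a responder would apply once the dropped files are gone; the snapshot format, the function names and the sample data are this example's own assumptions. The same policy values can be set legitimately by Group Policy, so a hit corroborates an infection rather than proving it.

```python
import re

# Key paths taken from the registry list in this description
HKCU_EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
HKLM_EXPLORER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer"
IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# (key, value name, data the worm writes), as listed above
WORM_VALUES = [
    *[(HKCU_EXPLORER, n, 1) for n in
      ("HideClock", "NoControlPanel", "NoDrives", "NoFind", "NoFolderOptions", "NoRun")],
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableCMD", 1),
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System", "DisableCMD", 1),
    *[(HKLM_EXPLORER, n, 1) for n in ("NoControlPanel", "NoFolderOptions", "NoRun")],
    (IE_MAIN, "Start Page", r"C:\kib.htm"),
]

def _norm(snapshot):
    # Registry paths and value names are case-insensitive; compare in lower case
    return {(k.lower(), n.lower()): v for (k, n), v in snapshot.items()}

def find_worm_values(snapshot):
    """snapshot maps (key path, value name) -> data (assumed format, e.g. parsed from a
    .reg export). Returns the (key, name) pairs whose data matches what the worm writes."""
    snap = _norm(snapshot)
    return [(k, n) for k, n, v in WORM_VALUES if snap.get((k.lower(), n.lower())) == v]

def userinit_extra_entries(userinit_data):
    """Userinit is a comma-separated program list; anything other than the stock
    ...\\system32\\userinit.exe is suspicious (the worm appends Installer\\winlogon.exe)."""
    entries = [e.strip() for e in userinit_data.split(",") if e.strip()]
    return [e for e in entries if not re.fullmatch(r"(?i).*\\system32\\userinit\.exe", e)]

def remediation_plan(snapshot):
    """List of (action, key, name, data) to apply after the worm's files are removed:
    delete the policy values it set and restore the stock Userinit entry."""
    plan = [("delete", k, n, None) for k, n in find_worm_values(snapshot)]
    userinit = _norm(snapshot).get((WINLOGON.lower(), "userinit"))
    if userinit and userinit_extra_entries(userinit):
        plan.append(("set", WINLOGON, "Userinit", r"C:\WINDOWS\system32\userinit.exe,"))
    return plan

# Constructed sample snapshot of an infected host, using the data from this description
SAMPLE_INFECTED = {
    (HKCU_EXPLORER, "NoRun"): 1,
    (HKCU_EXPLORER, "HideClock"): 1,
    (HKLM_EXPLORER, "NoControlPanel"): 1,
    (IE_MAIN, "Start Page"): r"C:\kib.htm",
    (WINLOGON, "Userinit"): r"C:\WINDOWS\System32\userinit.exe, C:\WINDOWS\installer\winlogon.exe",
}
```

Running `remediation_plan(SAMPLE_INFECTED)` yields four delete actions and one set action restoring Userinit; on a live Windows host the snapshot would be built with winreg, and the Explorer policy values for the current user must be read from that user's hive (HKCU), not the responder's.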

Symptoms

  • The infected machine is completely unusable
  • Inability to shut down the computer using the Start menu
  • Propaganda messages popping up

Method of Infection

The malware needs manual activation in order to start its malicious activities. However, it uses social engineering techniques combined with worm capabilities to trick the user into activating it.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants