W32/Voterai.worm.f

W32/Voterai.worm.f is a particularly damaging worm related to elections campaign in Kenya. When started the malware will proceed in turning the user machine in to a complete zombie machine. In fact, it will disable almost every security software that may be installed on the machine, and modify the system registry to disable almost any operation that user may perform, like, for example, rebooting the machine using the start menu, executing the task manager, accessing the control panel and more.

As soon as these operations have been performed, the malware will create the following folders on the root of C: drive and also including any mapped drives:

• C:\My Docs
• C:\Vista

The following files which are a copy of this worm are created in the folders listed above:

• My Cv.exe
• game.exe

This worm also copies itself under different folders all around the computer, and especially under:

• Document and Settings\All Users\Documents\Music.exe
• Documents and Settings\All Users\Start Menu\Programs\Startup\defaults.pif
• %WINDIR%\Debug\explorer.exe
• % WINDIR%\Installer\winlogon.exe
• % WINDIR%\Installer\SMSS.exe
• %SYSDIR%\DLLCACHE\LSASS.EXE
• %SYSDIR%\DLLCACHE\userinit.exe

The following registry keys are created:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit" = C:\WINDOWS\System32\userinit.exe, C:\WINDOWS\installer\winlogon.exe
• HKEY_CLASSES_ROOT\Folder\shell\Kibaki "(Default)" = &Emilio Mwai Kibaki
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "HideClock" = 1
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoControlPanel" = 1
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDrives" = 1
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFind" = 1
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFolderOptions" = 1
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoRun" = 1
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableCMD" = 1
• HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System "DisableCMD" = 1
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "NoControlPanel" = 1
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "NoFolderOptions" = 1
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "NoRun" = 1

A file KIB.HTM is created on the root of all drives.  This file runs and displays the following message if an attempt is made to run TaskManager, or open the Registry Editor (Regedit.exe).  

Additionaly the following registry key is also created so that the browser Home Page is the same image as above.

• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = C:\kib.htm

In addition to this, the malware is able to spread using autorun techniques. Also note that the malware is designed to start even in safe boot mode.

The malware needs manual activation in order to start its malicious activities. However, it uses social engineering techniques combined with worm capabilities to trick the user into activating it.

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations