--- Update June 02, 2003 ---
AVERT has received 2 more variants of this worm: W32/Vote.d@MM (detected proactively as "New Worm") and W32/Vote.e@MM (detected proactively as W32/GenericP2P.worm).
--- Update September 25, 2001 ---
AVERT has received very few customer samples of this threat.
This mass-mailing worm is detected heuristically, with program heuristics turned on, as New Backdoor with the 4100 (or newer) DAT files. Full non-heuristic detection was included in the 4163 DATs.
W32/Vote@MM is a mass-mailing worm which can delete system files. It arrives with an email message containing the following information:
Subject: Fwd:Peace BeTweeN AmeriCa And IsLaM !
iS iT A waR Against AmeriCa Or IsLaM !?
Let's Vote To Live in Peace!
When the attachment is run, two VBScript files are created, MixDaLaL.vbs and ZaCker.vbs. MixDaLaL.vbs is saved to the WINDOWS directory and run immediately. It overwrites all .HTM and .HTML files on all fixed and network drives with the text:
AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You .
The hidden file attribute is also set on these files.
ZaCker.vbs is created in the WINDOWS SYSTEM directory and a registry key is created to run this file at startup:
ZaCker.vbs contains instructions to delete all files in the WINDOWS directory, add a FORMAT C: command to the AUTOEXEC.BAT file (this action fails), display a message box containing the text "I promiss We WiLL Rule The World Again...By The Way,You Are Captured By ZaCker !!!", and exit Windows (this fails as well).
The main executable attempts to delete anti-virus software from specific directories. It also tries to download a trojan from a YAHOO user's site; the trojan is detected as PWS-CT with the 4088 DATs and greater.
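A triage sketch for the file-system traces described above, as an added example that is not AVERT's detection logic: it walks a directory tree (for instance a mounted disk image) and flags the two dropped script names and any .HTM/.HTML file containing the overwrite text. The function names, the marker substring and the sample tree are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Indicators from the description above; names compared case-insensitively.
DROPPED_SCRIPTS = {"mixdalal.vbs", "zacker.vbs"}
# Assumption: the text on disk matches the page's rendering up to whitespace.
DEFACEMENT_MARKER = b"ZaCkEr is So Sorry For You"


def read_head(path, limit=4096):
    try:
        with open(path, "rb") as fh:
            return fh.read(limit)
    except OSError:  # unreadable file: treat as empty
        return b""


def scan_tree(root):
    """Return sorted (finding, relative_path) pairs for traces under root."""
    findings = []
    # rglob also yields files that carry the hidden attribute.
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        lower = path.name.lower()
        if lower in DROPPED_SCRIPTS:
            findings.append(("dropped-script", rel))
        elif lower.endswith((".htm", ".html")):
            text = b" ".join(read_head(path).split())  # collapse whitespace
            if DEFACEMENT_MARKER in text:
                findings.append(("overwritten-html", rel))
    return sorted(findings)


def build_sample_tree(root):
    """Write a constructed sample: two script names, one defaced, one clean page."""
    samples = {
        "WINDOWS/MixDaLaL.vbs": b"' constructed placeholder, not the worm's script\n",
        "WINDOWS/SYSTEM/ZaCker.vbs": b"' constructed placeholder\n",
        "site/INDEX.HTM": b"It's Our Turn >>> ZaCkEr is  So Sorry\r\nFor You .",
        "site/about.html": b"<html><body>clean page</body></html>",
    }
    for rel, data in samples.items():
        (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(root) / rel).write_bytes(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_tree(tmp))
```

A script-name match is only a lead for follow-up; the overwritten pages cannot be repaired in place and have to be restored from backup.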