September 24, 2001, 3:08 PM — A new worm that can delete files from infected hard drives is using the terrorist attacks of two weeks ago, as well as the expected U.S. military response, to trick users into executing it, according to Ian Hameroff, business manager for security solutions at Computer Associates International Inc (CA). Exact details of how the worm works, however, are not yet clear as different security companies have different analyses.
The worm, dubbed "Vote" by CA due to its message, is a mass mailer which sends itself to e-mail addresses harvested from the Windows address book of infected systems, Hameroff said. However, along with sending large amounts of e-mail, the worm also overwrites HTML (hypertext markup language) files on the infected computer and can delete the system's Windows directory and reformat the hard drive when the machine is restarted, he said.
Vote arrives in an in-box with the subject line "Peace between America and Islam," Hameroff said. The body text of the e-mail reads "Hi. Is it a war against America or Islam? Let's vote to live in peace." Included in the e-mail is an attached document called WTC.exe, Hameroff said. When the attachment is double-clicked, the computer is infected.
Once the infection has occurred, all HTML files on the system are changed to include the text "America a few days we will show you what we can do. It's our turn. Zacker is sorry for you," Hameroff said. Additionally, Vote attempts to delete all the files in the system's Windows directory if the infected system is rebooted, he said.
Antivirus firm Trend Micro Inc. has also seen the Vote worm, but has seen it act differently, according to a spokeswoman. Vote is a Visual Basic script (VBS) that deletes some files used by antivirus programs and changes the start-up page for Internet Explorer, according to Trend. Trend's details are still sketchy, though it also has found the feature of reformatting the hard drive on reboot, which it attributes to a modification of the Autoexec.bat file in DOS.
Vote is seen as a low-risk worm by Network Associates Inc. -- which owns the McAfee group of antivirus companies and products -- according to Vincent Gullotto, senior director of McAfee's AVERT labs. McAfee has only seen a handful of cases of the worm, all isolated to North America, he said. There have been no confirmed infections of the virus so far seen by McAfee, he added.