W32.Voterai


Aliases: Trojan.NSIS.Voter.A, Trojan.Win32.NSIS.a, W32/Voter-B, Win32/Voter.A
Variants: Worm:W32/AutoRun.BV, Worm:Win32/Voterai.C

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 19 Oct 2007
Damage: Low

Characteristics: The W32.Voterai application is a worm that propagates via removable media drives and displays an image about a presidential candidate on the compromised computer. This worm affects Windows 95, Windows 98, Windows XP, Windows Vista, Windows Me, Windows NT, Windows 2000, and Windows Server 2003.

More details about W32.Voterai

W32.Voterai can spread through removable media drives and network shares. It shows an image concerning a presidential candidate particularly Raila Odinga. It affects windows platform. Once this worm is executed, it copies itself to the \defaults.pif, \Installer\winlogon.exe, \Debug\explorer.exe, \dllcache\userinit.exe, and \dllcache\lsass.exe. The worm creates the image file that is displayed at regular interval. It further creates .htm, .pr and .inf file in the system folder as well as in windows folder. To automatically run W32/Voterai-A on startup, it changes the registry entries too. The worm then copies the autorun.inf, smss.exe, and Raila Odinga.gif files into the removable drives. It locates for removable drives on the computer and copies itself as the title of all files it searches with an ---.exe extension.

The W32.Voterai application installs on a computer stealthily. The filenames of the executable files added on the computer by this Trojan software may appear as legitimate Windows processes. This is to avoid being detected as a threat. The files added by the W32.Voterai program may be invisible on the affected computer. This is because the Trojan application has rootkit functionality. This function hides the files added by the Trojan software on the system. The W32.Voterai program is difficult to detect and remove from the computer because of this.