The W32/Vote@MM Virus Is Mostly Hype

by Bruce P. Burrell (bpb@umich.edu)
for the U-M Virus Busters (virus.busters@umich.edu)
Last Updated: 26 September, 2001

This information can be freely reproduced in any medium, as long as the information is unmodified.

First, a quick summary:

This virus mass emails itself -- mainly via Microsoft Outlook -- and purports to promote peace between the U.S. and Islam.
Since the text uses "hacker spelling", it is far less likely to be opened by most users than some other email viruses: consider e.g., W32/Sircam@MM and VBS/LoveLetter.A@MM.
Some immoral, opportunistic marketroids tried to exploit the existence of this for commercial gain.
Most antivirus companies agree that this is not a significant threat.
VirusScan users: This virus has been detected generically since 18 Oct 2000 if the Advanced heuristic detection for programs is enabled; it is detected explicitly in the 4163 drivers released in the afternoon of 26 September, 2001.

Ok, that's the short form. Read on, if you wish, while I vent my spleen:

I'd like to say that I've long considered those who write and distribute viruses to be scum -- but that would be an insult to slime molds everywhere. I have a similar loathing for lowlife marketroids -- and here we have a case where both of these execrable groups almost come into confluence.

On 24 September, 2001 -- a mere 2 weeks after the events of 11 September -- some virus writer imbecile tried to spread his (or her, I suppose) crap on the Internet by playing on the sympathies of the innocent and naive. While this technique is nothing new, the method in which it was done is particularly distasteful to this scribe. Here is the text of the email that the virus sends:

      Subject: Fwd:Peace BeTweeN AmeriCa And IsLaM !
      Body:

      Hi
      iS iT A waR Against AmeriCa Or IsLaM !?
      Let's Vote To Live in Peace!

The email comes with an attachment distastefully named WTC.EXE that, should the user be unfortunate enough to open it, will trash a good number of files and pretty much overwrite the whole computer when it us next restarted.

Now in terms of damage, this is some nasty stuff -- but things like this pretty much kill themselves pretty quickly: formatting the host computer is no way to spread far and wide, nor is using K3wL sPeeelLngz.

Usually, that would be pretty much the end of it: while there are over 58,000 viruses and other forms of malware, it's probably that no more than 1000 or so -- and surely fewer than 2000 -- have ever been "In The Wild", causing problems for real users.

As mentioned above, this one did not seem to be major candidate for making it In The Wild.

Oddly, many of the non-Wild viruses exist only in the "zoos" of antivirus vendors, who received them directly from the virus writers. This is a sad commentary on those who create this rubbish: their sole claim to fame is that some antivirus product recognizes their little piece of drivel.
I bet this attracts the girls like crazy.

NOT!

Unfortunately, some moronic marketroid decided to try to boost some sales based on the unspeakable events of 11 September and hype this as a real threat, issuing this as a press release.

Now it is fine -- in fact, I'd argue that it is the responsibility -- of antivirus companies to announce real threats as soon as possible, and to document viruses when practical e.g., on their web sites, issuing press releases about minimal threats is a Very Bad Thing. Let's see: with 56,000 non-threats out there, we can expect to see over 150 press releases a day about viruses!

Think Chicken Little
Think about the Boy Who Cried Wolf
Think about crying "Fire!" in the crowded theater.
And, directed squarely at the marketroid who thought of issuing this as a press release:
For heaven's sake, just think!

I won't embarrass the guilty here; perhaps the people who normally would have prevented such stupidity were on their way to the annual Virus Bulletin conference. But lest you think that I'm overreacting here, let's take a look at what several antivirus vendors say:

The vendor whose product is site licensed at U-M, Network Associates, (leaving our site) assign this a risk assessment of "Low."
F-Secure (leaving our site), noted for their lack of hype, say "F-Secure has not received any reports from this worm from the field. This worm is not widespread at this time. It is not likely to become widespread either."
SOPHOS (leaving our site), another antivirus company known for not pulling its punches, says: "Despite calls from alarmed customers, we do not believe this worm will become particularly widespread, because it bears all the hallmarks of an unwanted, unauthorised email"
Enough? Well, no matter what you answer, there's more!:
Symantec (Norton Antivirus) lists the threat as a 2 out of 5, with 5 being mot dangerous. They show a graphic that says that there are fewer than 50 known infections worldwide.
Norman Antivirus has a revealing URL: http://www.norman.no/virus_info/virus_hypes.shtml

That wraps it up nicely. It's mostly hype.

Unfortunately, the press release spawned a deluge of email about the pathetic thing, which has taken on a life of its own. This has caused concern that is all out of proportion: as my colleague Adam Wilkinson wrote to me, "I've probably spent more time today responding to questions about it that I ever will disinfecting it."

"So", you ask, "should the offending antivirus vendor not have done anything instead, thereby putting its customers at risk, albeit a minimal one?"

No, of course not. Instead, they should have done what the other, more responsible vendors did: they updated their products to handle the new discovery, and otherwise made no mention of it so that the virus could fade into the obscurity so obviously deserves. I suspect strongly that most vendors did not have web pages on this before the disreputable press release; at that point, of course, the only responsible thing to do was to document the thing so that clients and tech support personnnel could know what all the hubbub was about.

Please do not forward this -- or any other Chicken Little rabble rousing -- to all your friends.

Instead, you should reply to the sender -- and as far back up the email chain as you have energy -- informing the originators that this is not worth the electrons on which it is written. For this particular nonsense, I suggest that you provide a pointer to this URL (http://www.umich.edu/~virus-busters/vote_hype.html)
For virus or hoax info, please see our main page (http://www.umich.edu/~virus-busters/) or go to another reputable site, like The Urban Legends Reference Pages (leaving our site).

-BPB

Last updated: Wednesday, 26-Sep-2001 12:14:04 EDT.
University of Michigan Virus Busters - virus.busters@umich.edu

visits to this page since 25 September 2001 23:29 EDT