First detected in 2007, the WORM_VOTERAI family, which turned up during the presidential election season in Kenya that year, seems to be making a comeback in time for the US elections this year via WORM_VOTERAI.N. This worm, notable for dropping the following incomplete image file of Raila Odinga, has registered several infection counts in North America:
Apart from dropping the above file, this worm performs system changes to ensure its automatic execution at every system startup. It spreads via removable drives since its routines include dropping a copy of itself along with an Autorun file in all accessible drives. The copies of itself dropped in the removable drives are typically named SMSS.EXE and Ralia Odinga.exe. The dropped copies use Microsoft Word icons in a classic ploy to trick users that it is okay to open the files.
Ralia Odinga is the incumbent Prime Minister of Kenya, and although he is not directly related to the US elections in any way, there “was” news early this year about Odinga claiming to be Obama’s cousin. Obama is running for US president against John McCain.
USB-borne malware has always been the fare for Asian countries, so since this worm is proliferating mainly in North America there is room to think that this political angle (however oblique) may have contributed to its spread.
Trend Micro Smart Protection Network allows users to access the latest protection whenever and wherever they connect. Users without Trend Micro protection should make sure their removable devices are clean before plugging them in to PCs.