W32/Wallon.worm.a

Type
Virus
SubType
Internet Worm
Discovery Date
05/07/2004
Length
150,528 bytes
Minimum DAT
4360 (05/12/2004)
Updated DAT
4360 (05/12/2004)
Minimum Engine
5.1.00
Description Added
05/11/2004
Description Modified
05/14/2004 2:55 PM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

-- Update May 13, 2004 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://zdnet.com.com/2100-1105_2-5211168.html

This worm mass-mails a hyperlink to recipients found on the local system.  It also attempts to harvest email addresses and send them to a specified address (likely for the purpose of sending SPAM at a later date). 

Email propagation
Messages sent by the worm appear as follows:

Subject: RE:
Body: http://drs.yahoo.com/%recipient's domain% / NEWS
Attachment: there is no attachment

The message body simply contains a hyperlink, which is designed to trick users into thinking that they are going to a Yahoo News site, when in fact they are redirected to a page on the www.security-warning.biz domain.

Clicking the hyperlink in the email message directs users to a site, which redirects the user to another site.  This redirection can occur multiple times, ultimately landing the user on a site that contains exploit code to install a downloader trojan, which downloads and installs the virus.
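A small mail-gateway check for the lure format described above, added here as an example and not part of this write-up. The two sample messages are constructed; the test that the first path segment of the drs.yahoo.com link equals the recipient's own domain is my reading of the "%recipient's domain%" placeholder in the message body shown above.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not captured worm traffic). LURE mirrors the
# write-up's format: bare "RE:" subject, no attachment, a lone redirect link
# whose first path segment is the recipient's own domain. BENIGN is a normal reply.
LURE = """From: someone@example.net
To: victim@corp.example
Subject: RE:

http://drs.yahoo.com/corp.example / NEWS
"""
BENIGN = """From: colleague@corp.example
To: victim@corp.example
Subject: RE: quarterly numbers

Figures are on http://intranet.corp.example/q2 as discussed.
"""
URL_RE = re.compile(r"https?://\S+")

def recipient_domain(msg):
    """Domain of the first To: address, lower-cased ('' if absent)."""
    return parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()

def body_text(msg):
    """Text of the first text/plain part (the lure is plain text only)."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            return part.get_payload(decode=True).decode("utf-8", "replace")
    return ""

def wallon_lure_indicators(raw):
    """Return the lure traits present in a raw RFC 822 message (empty = none)."""
    msg = message_from_string(raw)
    found = []
    if msg.get("Subject", "").strip().upper() == "RE:":
        found.append("bare RE: subject")
    # The write-up shows spaces around '/'; collapse them so the URL is one token.
    body = re.sub(r"\s*/\s*", "/", body_text(msg))
    for url in URL_RE.findall(body):
        parts = urlparse(url)
        first_seg = parts.path.strip("/").split("/")[0].lower()
        if parts.hostname == "drs.yahoo.com" and first_seg == recipient_domain(msg):
            found.append("drs.yahoo.com redirect keyed to recipient domain")
    if found and not any(p.get_content_disposition() == "attachment" for p in msg.walk()):
        found.append("no attachment")
    return found
```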

Addresses harvested from the local machine are sent to the address 1@600pics.cjb.net

The worm also navigates to a pornographic website pixpox.com.

Symptoms

The worm creates the following registry key:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Wh" = Yes

The worm does not create any other registry keys.

Method of Infection

This worm spreads by sending a hyperlink via email to addresses harvested from the Windows Address Book (WAB).  The worm contains its own SMTP engine and uses the default SMTP server specified in the Internet Account Manager.

Sent messages attempt to trick users into following the hyperlink, which ultimately results in an infection.  Through a series of redirected pages, the user is taken to a site that contains Internet Explorer exploit code (this page exploits MS04-013 and is detected as Exploit-MhtRedir.gen).  This exploit downloads a CHM file, which contains another Internet Explorer exploit (targeting MS04-004 and detected as VBS/Psyme), which downloads a file and overwrites the existing wmplayer.exe file.

  • %ProgramFiles%\Windows Media Player\wmplayer.exe

This file downloads and installs the Wallon worm.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Wallon (AVP)
  • W32/Wallon.worm
  • WORM_WALLON.A (Trend)
