
W32/Waledac

Type: Virus
SubType: Win32
Discovery Date: 12/26/2008
Length: Varies
Minimum DAT: 5475 (12/26/2008)
Updated DAT: 5794 (11/06/2009)
Minimum Engine: 5.2.00
Description Added: 12/26/2008
Description Modified: 12/26/2008 5:13 AM (PT)
Risk Assessment:

  • Corporate User: Low
  • Home User: Low

Characteristics

Note: Detection for this threat is available as Generic.dx from DAT version 5475. This threat will be detected as W32/Waledac from DAT version 5478.

A spammed message containing an attachment "ecard.exe" arrives with the following subject lines:

  • Free christmas Ecards
  • Christmas card from a friend
  • Merry Xmas!

Given below is a screenshot of the website currently hosting this malware:

When the malicious file "ecard.exe" is executed, it creates the following registry entry to ensure its execution at system startup:

  • Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run\"PromoReg" = "[Path to malicious file]"

Apart from this, it also creates the following registry entries:

  • Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\"RList"
  • Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\"MyID"

The data for the above registry keys are filled with hexadecimal values. This could probably be used as an infection marker.

The worm then searches for email addresses on the infected machine, and while doing so, excludes searching inside files with the following extensions:

  • .avi
  • .mov
  • .wmv
  • .mp3
  • .wave
  • .wav
  • .wma
  • .ogg
  • .vob
  • .jpg
  • .jpeg
  • .gif
  • .bmp
  • .exe
  • .dll
  • .ocx
  • .class
  • .msi
  • .zip
  • .7z
  • .rar
  • .jar
  • .gz
  • .hxw
  • .hxh
  • .hxn
  • .hxd

It then connects to any of a number of IP addresses and sends the collected information in an encrypted format using an HTTP POST command. The information is sent using a random file name with the extension ".php", ".png" or ".htm".
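The upload behaviour described above can be hunted for in web-proxy logs. The following is an added example, not part of the original description: it flags POST requests sent to a literal IPv4 host whose file name ends in one of the three listed extensions. The log format, the function names and every address in the sample are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Extensions the write-up says the random upload file name carries.
UPLOAD_EXTS = (".php", ".png", ".htm")

# Constructed sample proxy log (assumed format: time client method url status).
# Destination IPs are RFC 5737 documentation addresses, not indicators from the page.
SAMPLE_LOG = """\
2008-12-26T09:14:02 10.0.0.21 POST http://192.0.2.44/qkzpwe.png 200
2008-12-26T09:14:05 10.0.0.21 POST http://198.51.100.7/mbxu.htm 200
2008-12-26T09:14:09 10.0.0.35 GET http://192.0.2.44/logo.png 200
2008-12-26T09:15:11 10.0.0.35 POST http://intranet.example/login.php 302
2008-12-26T09:15:40 10.0.0.21 POST http://203.0.113.9/a/uvty.php 200
2008-12-26T09:16:02 10.0.0.48 POST http://192.0.2.44/upload 200
garbage line that does not parse
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def is_bare_ipv4(host):
    try:
        return isinstance(ipaddress.ip_address(host), ipaddress.IPv4Address)
    except ValueError:
        return False

def suspicious(method, url):
    """POST to a literal IPv4 host whose path ends in a listed extension."""
    parts = urlsplit(url)
    if method.upper() != "POST" or not parts.hostname:
        return False
    return is_bare_ipv4(parts.hostname) and parts.path.lower().endswith(UPLOAD_EXTS)

def triage(log_text):
    """Return {client_ip: [urls]} for requests matching the described pattern."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        _, client, method, url, _ = m.groups()
        if suspicious(method, url):
            hits[client].append(url)
    return dict(hits)

if __name__ == "__main__":
    for client, urls in triage(SAMPLE_LOG).items():
        # Several distinct IP destinations from one client is the stronger signal.
        print(client, len(urls), "matching POSTs:", *urls)
```

The match is a heuristic: legitimate software also posts to IP literals, so a hit is a lead to correlate with the registry entries listed earlier, not a verdict.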

 

Symptoms

  • Presence of the files and registry entries mentioned earlier
  • Increase in network traffic due to information being uploaded and downloaded
  • A software-based firewall should alert about a program attempting to connect to the internet


Method of Infection

This worm is delivered via a spammed email message with the following contents:

Subject:

The subject line could be any of the following:

  • Merry Christmas greetings for you
  • You have received an Ecard
  • A Christmas card from a friend
  • Happy Xmas !

Body:

Daniel just mailed you an online greeting card. Here's your greeting card:

  • justchristmasgift.com
  • directchristmasgift.com
  • livechristmasgift.com
  • yourdecember.com

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Variants

    N/A

Overview

This description is for a worm that is delivered via a spammed email message or via a link to a malicious website.

The characteristics of this worm, with regard to file names, folders created etc, will differ from one variant to another. Hence, this is a general description.

Aliases

  • Trojan.Spambot.4202 [Dr Web]
  • Trojan.Waledac.B [BitDefender]
  • Trojan:Win32/Waledac.A [Microsoft]
  • W32.Waledac [Symantec]
  • W32/IRCbot-ZG [Sophos]
  • Win32/Waledac.D [Eset Nod32]
