Worm:Win32/Waledac
Original issue date: January 16, 2009
Updated: February 10, 2009; April 17, 2009
It has been observed that the worm Win32/Waledac is circulating widely. The worm arrives as an attachment to e-mail messages (the attachment is named ecard.exe or postcard.exe) spammed by other malware or by a malicious user. It may also be downloaded from certain remote sites.
It propagates by sending spam e-mail messages containing links from which the worm can be downloaded.
The worm opens a back door through which a remote attacker may perform activities on the compromised computer, such as stealing information, ending processes, updating the worm, downloading files and sending spam.
A screenshot of the spam mail is given below:

Once users click the link embedded in the spam mails, they will be redirected to a bogus e-card website.

Upon clicking the image, the user is prompted to download the file ecard.exe.

It has recently been observed that spam e-mails entice the user to download an application that supposedly lets them view other people's SMS messages online. The downloaded file uses alternating file names: sms.exe, trial.exe, smstrap.exe, freetrial.exe and smsreader.exe.
Screenshot of a spammed e-mail example:

Screenshot of the malicious SMS Spy theme Web site template:

A list of fast-flux domains (given in the reference section) is reported to be hosting these binaries.
The worm searches for e-mail addresses in files found on fixed, network and RAM drives, except files with certain extensions. Once executed, it immediately starts beaconing to a seed list of IP addresses embedded in the executable. If it does not successfully connect to any of its seed IPs within ten minutes, it attempts to fetch a PHP file from one of the domains hard-coded inside the binary.
It then connects to certain IP addresses and sends all gathered information via HTTP POST. As a result, the stolen e-mail addresses may be used by malicious users for their own purposes.
Aliases:
TROJ_GENETIK.TI [Trend], Email-Worm:W32/Waledac.A [F-Secure], Troj/Waled-C [Sophos], Trojan.Win32.Agent.yqq [Kaspersky], Win32/Waledac.A
Upon execution the worm:
- Creates the following registry entries:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"PromoReg" = "[path to exe]"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"RList" = "[hex digits]"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"MyID" = "[hex digits]"
- Searches for e-mail addresses in all files on both fixed and removable drives, except files with the following extensions: avi, mov, wmv, mp3, wave, wav, wma, ogg, vob, jpg, jpeg, gif, bmp, exe, dll, ocx, class, msi, zip, 7z, rar, jar, gz, hxw, hxh, hxn
- Attempts to connect to some of the IP addresses listed here and sends the collected information, in an encrypted format, as a file with a random name and a php, html or png extension, uploaded with an HTTP POST request.
- Downloads the latest version of the malware as an image file with a jpeg extension.
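The three registry values above are the host-based indicators a responder can check for. The following Python script is an added example (not part of the CERT-In advisory): it parses a Windows registry export in .reg format and flags any entry whose key path and value name match the advisory's PromoReg, RList or MyID artefacts. The export text embedded in the script is constructed for illustration; the paths and hex strings in it are not taken from an infected host.

```python
"""Flag Waledac registry artefacts (PromoReg, RList, MyID) in a .reg export.

Added example; the sample export below is constructed, not real host data.
"""
import re

# Indicators taken from the advisory: (key path, value name).
WALEDAC_REG_INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "PromoReg"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion", "RList"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion", "MyID"),
]

VALUE_LINE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _unquote(data):
    """Turn .reg string data ("C:\\\\path") into a plain string; leave other types as-is."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace("\\\\", "\\")
    return data


def parse_reg_export(text):
    """Parse a .reg export into (key, value_name, data) tuples."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, comments and the format header (REGEDIT4 / Version 5.00).
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = VALUE_LINE_RE.match(line)
        if m and current_key:
            entries.append((current_key, m.group(1), _unquote(m.group(2))))
    return entries


def find_waledac_indicators(text):
    """Return every (key, name, data) entry that matches an advisory indicator."""
    hits = []
    for key, name, data in parse_reg_export(text):
        for ind_key, ind_name in WALEDAC_REG_INDICATORS:
            # Registry paths and value names are case-insensitive on Windows.
            if key.lower() == ind_key.lower() and name.lower() == ind_name.lower():
                hits.append((key, name, data))
    return hits


# Constructed sample export: one benign Run entry plus the three Waledac values.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"PromoReg"="C:\\Users\\user\\AppData\\Local\\Temp\\ecard.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"RList"="0123456789abcdef"
"MyID"="deadbeef00112233"
'''

if __name__ == "__main__":
    for key, name, data in find_waledac_indicators(SAMPLE_EXPORT):
        print(f"INDICATOR {key}\\{name} = {data}")
```

On a live host the same check can be run against the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and `reg export HKCU\Software\Microsoft\Windows\CurrentVersion`; the value names are the stable part of the indicator, while the path and hex data vary per infection.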
In view of the rapid propagation of the Waledac worm, users are advised to implement the following countermeasures:
- Delete the files and the registry entries created by the worm, as mentioned above.
- It has been observed that the malicious domains mentioned above are mostly hosted by the worm on an nginx/0.6.34 web server. Consider blocking traffic from nginx/0.6.34 web servers at the proxy, or set an appropriate alert/rule on the IDS/IPS as described by Shadowserver.
- Block access to the domains mentioned here at the perimeter.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Install and maintain a desktop firewall and block the ports which are not required.
- Exercise caution while clicking on any link embedded inside e-mail messages, instant messages or web pages.
- Use caution when opening attachments and accepting file transfers.
- Use caution when clicking on links to web pages.
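The proxy and IDS/IPS advice above combines three observable signals: a response from an nginx/0.6.34 server, a request to one of the listed fast-flux domains, and an HTTP POST that uploads a randomly named php, html or png file. The following Python script is an added example, not part of the advisory or of any IDS product: it runs those three checks over proxy log lines. The log format, client IPs, hosts and file names are constructed for illustration, and the domain block list holds a placeholder that should be replaced with the domains from the reference section.

```python
"""Waledac-related detections over proxy log lines (added example).

Log format, hosts and addresses are constructed; WALEDAC_DOMAINS is a placeholder
for the fast-flux domain list from the advisory's references.
"""
import re
import shlex
from urllib.parse import urlparse

# Placeholder block list: substitute the domains from the reference section.
WALEDAC_DOMAINS = {"fastflux-placeholder.invalid"}
SUSPECT_SERVER_BANNER = "nginx/0.6.34"  # server version named in the advisory
# Heuristic for the worm's upload names: alphanumeric, at least one digit,
# six or more characters, php/html/png extension. Expect some false positives.
RANDOM_NAME_RE = re.compile(r"^(?=[a-z0-9]*\d)[a-z0-9]{6,}\.(php|html|png)$", re.IGNORECASE)


def parse_line(line):
    """Constructed format: '<ts> <client_ip> <method> <url> <status> "<server header>"'."""
    fields = shlex.split(line)
    if len(fields) != 6:
        return None
    ts, client, method, url, status, server = fields
    return {"ts": ts, "client": client, "method": method.upper(),
            "url": url, "status": int(status), "server": server}


def detect(line):
    """Return the list of rule names that fire for one log line (empty if none)."""
    rec = parse_line(line)
    if rec is None:
        return []
    reasons = []
    parsed = urlparse(rec["url"])
    host = (parsed.hostname or "").lower()
    if rec["server"] == SUSPECT_SERVER_BANNER:
        reasons.append("server-banner")
    if host in WALEDAC_DOMAINS:
        reasons.append("blocked-domain")
    filename = parsed.path.rsplit("/", 1)[-1]
    if rec["method"] == "POST" and RANDOM_NAME_RE.match(filename):
        reasons.append("post-random-name")
    return reasons


def scan(lines):
    """Return (client_ip, reasons) for every line that triggers at least one rule."""
    alerts = []
    for line in lines:
        reasons = detect(line)
        if reasons:
            alerts.append((parse_line(line)["client"], reasons))
    return alerts


# Constructed sample log: one benign GET, one exfiltration-style POST, one update
# fetch from the placeholder domain, and one ordinary intranet login POST.
SAMPLE_LOG = [
    '2009-02-10T10:15:02Z 10.0.0.5 GET http://www.example.com/index.html 200 "Apache"',
    '2009-02-10T10:15:09Z 10.0.0.5 POST http://fastflux-placeholder.invalid/k3j9x2q.png 200 "nginx/0.6.34"',
    '2009-02-10T10:16:30Z 10.0.0.7 GET http://fastflux-placeholder.invalid/image.jpeg 200 "nginx/0.6.34"',
    '2009-02-10T10:17:01Z 10.0.0.9 POST http://intranet.example.com/login.php 302 "Microsoft-IIS/6.0"',
]

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG):
        print(f"ALERT client={client} rules={','.join(reasons)}")
```

The server banner rule is the weakest of the three on its own, since any site running that nginx release will match; treating it as an alert rather than a block, and escalating when it coincides with the domain or upload-name rule, keeps the false-positive rate manageable.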
References:
http://www.symantec.com/norton/security_response/writeup.jsp?docid=2008-122308-1429-99&tabid=2
http://www.f-secure.com/v-descs/email-worm_w32_waledac_a.shtml
http://www.honeynet.org/node/325
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_WALEDAC.C&VSect=T
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081231
http://securitylabs.websense.com/content/Alerts/3343.aspx
http://www.f-secure.com/weblog/archives/00001658.html
Disclaimer: The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
