Trojan:W32/Waledac is capable of receiving commands from a
remote server. Commands include instructions on functions to
perform (for example, update malware components or send
information from the infected computer).
Installation
Waledac spreads in an email attachment. The name of the email
attachment is always "ecard.exe". The contents of the email
message varies and may use any of the following subject lines:
- A Christmas card from a friend
-
A special card just for you A special card just for you,
Christmas Ecard Notification Notification Christmas Ecard,
Christmas Ecard Special Delivery Special Delivery Christmas
Ecard, Christmas Wishes! Christmas Wishes!
-
Christmas card for you Christmas card for you, Christmas
greetings e-card is waiting for you Christmas greetings
e-card is waiting for you, Christmas greetings for you
Christmas greetings for you, Christmas greetings from your
friend Christmas greetings from your friend, Greeting for
you! Greeting for you!
- Happy Christmas! Happy Christmas!
-
Have a warm an lovely Christmas! Have a lovely warm an
Christmas!
- I made an Ecard for U! I made an Ecard for U!
-
I sent you the ecard I sent you the ecard .Joyful Christmas!
Joyful Christmas!
-
Merry Christmas 'N Happy New Year! Merry Christmas' N Happy
New Year!
- Merry Christmas 2009! Merry Christmas 2009!
- Merry Christmas To You! Merry Christmas To You!
-
Merry Christmas card for you! Merry Christmas card for you!
-
Merry Christmas e-card is waiting for you Merry Christmas
e-card is waiting for you, Merry Christmas greetings for you
Merry Christmas greetings for you, Merry Christmas wishes
just for you Merry Christmas wishes just for you, Merry
Christmas! Merry Christmas!
- Merry Xmas! Merry Xmas!
-
Warmest Wishes For Christmas! Warmest Wishes For Christmas!
-
Wish You A Merry Christmas! Wish You A Merry Christmas!
- Xmas card for you Xmas card for you
-
Xmas card is waiting for you Xmas card is waiting for you,
You Have An E-card Waiting For You! You Have An E-Card
Waiting For You!
- You Received an Ecard. You Received an Ecard.
-
You have a Christmas Greeting! You have a Christmas
Greeting!
-
You have a greeting card, You have a greeting card, You have
received a Christmas E-card You have received a Christmas
e-card, You have received a Christmas greetings card You
have received a Christmas card greetings, You have received
an E-card You have received an E-card, You've got a
Christmas E-card You've got a Christmas e-card, You've got a
Christmas greetings card You've got a Christmas card
greetings, You've got a Merry Christmas E-card You've got a
Merry Christmas E-card, You've got a Merry Christmas
greeting card You've got a Merry Christmas greeting card,
You've got a Xmas e-card You've got a Xmas e-card, You've
got an e-card You've got an e-card
If the user executes the worm by double-clicking on the
attachment, the worm is installed on the system, saving a copy
of itself to the Windows system registry. The worm then amends
the registry so that the copy saved on the directory is run
during every system startup.
Propagation
Once installed on the system, the worm searches through all
files on local and removable drives for email addresses. The
worm is able to search through all files EXCEPT:
- .avi
- .mov
- .wmv
- .mp3
- .wave
- .wav
- .wma
- .ogg
- .vob
- .jpg
- .jpeg
- .gif
- .bmp
- .exe
- .dll
- .ocx
- .class
- .msi
- .zip
- .7z
- .rar
- .jar
- .gz
- .hxw
- .hxh
- .hxn
- .hxd
The worm then spams copies of itself to the harvested email
addresses.
Data Stealing
Once information has been gathered, it is encrypted and
forwarded (using the extension HTM, PNG or PHP) to a remote
server.The information is randomly sent to any one of the
following IP addresses:
- 116.122.25.144
- 116.16.203.123
- 116.254.87.118
- 116.73.41.45
- 116.74.181.12
- 118.101.212.97
- 118.39.80.191
- 119.1.16.8
- 119.154.9.151
- 119.99.195.58
- 121.243.167.55
- 124.115.101.170
- 124.13.227.4
- 124.21.244.186
- 124.79.29.116
- 125.163.244.92
- 125.36.151.115
- 125.41.87.82
- 125.45.67.194
- 148.245.125.199
- 151.33.215.0
- 165.194.27.11
- 189.41.17.132
- 189.41.30.130
- 189.42.164.145
- 194.120.84.9
- 199.203.64.235
- 200.120.152.186
- 200.125.92.244
- 200.165.243.185
- 200.55.160.124
- 200.82.185.119
- 201.212.68.161
- 201.216.3.229
- 201.231.145.111
- 201.27.196.253
- 201.79.228.217
- 209.83.88.3
- 209.87.251.55
- 210.119.19.61
- 212.69.49.12
- 213.66.99.225
- 217.129.86.162
- 217.26.165.146
- 220.224.231.73
- 221.223.130.74
- 24.116.119.157
- 24.209.2.161
- 24.222.92.246
- 24.24.186.141
- 24.82.3.140
- 60.218.245.51
- 60.31.94.54
- 61.102.212.18
- 61.238.16.83
- 64.184.89.202
- 68.41.238.247
- 68.91.129.102
- 69.37.168.16
- 70.61.170.203
- 71.121.79.208
- 72.177.194.167
- 72.24.203.145
- 72.241.49.144
- 72.38.168.67
- 76.124.149.22
- 76.25.195.117
- 76.89.100.221
- 76.9.39.158
- 77.109.39.105
- 77.252.98.96
- 77.29.194.238
- 77.65.140.248
- 77.81.248.158
- 80.117.119.193
- 80.183.57.117
- 80.232.245.52
- 80.66.240.179
- 81.111.41.240
- 81.172.96.184
- 81.18.72.138
- 81.184.102.33
- 81.31.167.5
- 81.31.183.214
- 81.84.31.144
- 82.154.44.107
- 82.233.183.147
- 82.56.63.197
- 82.61.43.115
- 82.78.142.146
- 83.131.228.111
- 83.132.209.172
- 83.191.233.15
- 83.31.140.66
- 84.109.6.14
- 84.122.132.201
- 84.125.99.94
- 84.16.228.132
- 84.228.137.182
- 84.237.134.103
- 84.26.190.246
- 84.3.93.129
- 85.130.29.52
- 85.130.30.117
- 85.133.206.120
- 85.152.62.104
- 85.185.119.42
- 85.196.183.244
- 85.201.43.175
- 85.232.254.214
- 85.255.109.83
- 85.64.79.166
- 86.100.217.214
- 86.107.149.138
- 86.126.20.9
- 86.126.37.96
- 86.4.67.129
- 86.66.131.160
- 87.110.51.157
- 87.16.10.84
- 87.5.40.197
- 87.67.94.212
- 87.69.73.78
- 87.69.83.37
- 87.97.40.218
- 88.148.101.139
- 88.160.7.118
- 88.222.201.105
- 89.1.27.149
- 89.138.89.17
- 89.141.52.164
- 89.160.77.132
- 89.165.120.134
- 89.165.68.177
- 89.165.78.95
- 89.39.168.174
- 89.45.136.200
- 89.74.204.108
- 89.75.11.4
- 89.77.53.132
- 92.112.248.195
- 92.249.152.117
- 93.126.72.83
- 93.172.160.70
- 93.177.144.51
- 98.197.170.70
- 98.221.243.14
- 99.144.153.58
- 99.236.47.238
- 99.244.169.127
These IP addresses are hard-coded to Waledac.A.
Registry Modifications
Sets these values:
-
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
PromoReg = %ExecutablePath%
Creates these keys:
-
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion] RList =
%HexadecimalValue%
-
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion] MyID =
%HexadecimalValue%