Threat Descriptions

Trojan:W32/Waledac.A

Classification

Category :

Malware

Type :

Trojan

Platform :

W32

Aliases :

Email-Worm:W32/Waledac.A, Trojan:Win32/Waledac.A (Microsoft)

Summary

Trojan:W32/Waledac is a spammed trojan that is capable of harvesting and forwarding password information.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Trojan:W32/Waledac is capable of receiving commands from a remote server. Commands include instructions on functions to perform (for example, update malware components or send information from the infected computer).

Installation

Waledac spreads in an email attachment. The name of the email attachment is always "ecard.exe". The contents of the email message varies and may use any of the following subject lines:

  • A Christmas card from a friend
  • A special card just for you A special card just for you, Christmas Ecard Notification Notification Christmas Ecard, Christmas Ecard Special Delivery Special Delivery Christmas Ecard, Christmas Wishes! Christmas Wishes!
  • Christmas card for you Christmas card for you, Christmas greetings e-card is waiting for you Christmas greetings e-card is waiting for you, Christmas greetings for you Christmas greetings for you, Christmas greetings from your friend Christmas greetings from your friend, Greeting for you! Greeting for you!
  • Happy Christmas! Happy Christmas!
  • Have a warm an lovely Christmas! Have a lovely warm an Christmas!
  • I made an Ecard for U! I made an Ecard for U!
  • I sent you the ecard I sent you the ecard .Joyful Christmas! Joyful Christmas!
  • Merry Christmas 'N Happy New Year! Merry Christmas' N Happy New Year!
  • Merry Christmas 2009! Merry Christmas 2009!
  • Merry Christmas To You! Merry Christmas To You!
  • Merry Christmas card for you! Merry Christmas card for you!
  • Merry Christmas e-card is waiting for you Merry Christmas e-card is waiting for you, Merry Christmas greetings for you Merry Christmas greetings for you, Merry Christmas wishes just for you Merry Christmas wishes just for you, Merry Christmas! Merry Christmas!
  • Merry Xmas! Merry Xmas!
  • Warmest Wishes For Christmas! Warmest Wishes For Christmas!
  • Wish You A Merry Christmas! Wish You A Merry Christmas!
  • Xmas card for you Xmas card for you
  • Xmas card is waiting for you Xmas card is waiting for you, You Have An E-card Waiting For You! You Have An E-Card Waiting For You!
  • You Received an Ecard. You Received an Ecard.
  • You have a Christmas Greeting! You have a Christmas Greeting!
  • You have a greeting card, You have a greeting card, You have received a Christmas E-card You have received a Christmas e-card, You have received a Christmas greetings card You have received a Christmas card greetings, You have received an E-card You have received an E-card, You've got a Christmas E-card You've got a Christmas e-card, You've got a Christmas greetings card You've got a Christmas card greetings, You've got a Merry Christmas E-card You've got a Merry Christmas E-card, You've got a Merry Christmas greeting card You've got a Merry Christmas greeting card, You've got a Xmas e-card You've got a Xmas e-card, You've got an e-card You've got an e-card

If the user executes the worm by double-clicking on the attachment, the worm is installed on the system, saving a copy of itself to the Windows system registry. The worm then amends the registry so that the copy saved on the directory is run during every system startup.

Propagation

Once installed on the system, the worm searches through all files on local and removable drives for email addresses. The worm is able to search through all files EXCEPT:

  • .avi
  • .mov
  • .wmv
  • .mp3
  • .wave
  • .wav
  • .wma
  • .ogg
  • .vob
  • .jpg
  • .jpeg
  • .gif
  • .bmp
  • .exe
  • .dll
  • .ocx
  • .class
  • .msi
  • .zip
  • .7z
  • .rar
  • .jar
  • .gz
  • .hxw
  • .hxh
  • .hxn
  • .hxd

The worm then spams copies of itself to the harvested email addresses.

Data Stealing

Once information has been gathered, it is encrypted and forwarded (using the extension HTM, PNG or PHP) to a remote server.The information is randomly sent to any one of the following IP addresses:

  • 116.122.25.144
  • 116.16.203.123
  • 116.254.87.118
  • 116.73.41.45
  • 116.74.181.12
  • 118.101.212.97
  • 118.39.80.191
  • 119.1.16.8
  • 119.154.9.151
  • 119.99.195.58
  • 121.243.167.55
  • 124.115.101.170
  • 124.13.227.4
  • 124.21.244.186
  • 124.79.29.116
  • 125.163.244.92
  • 125.36.151.115
  • 125.41.87.82
  • 125.45.67.194
  • 148.245.125.199
  • 151.33.215.0
  • 165.194.27.11
  • 189.41.17.132
  • 189.41.30.130
  • 189.42.164.145
  • 194.120.84.9
  • 199.203.64.235
  • 200.120.152.186
  • 200.125.92.244
  • 200.165.243.185
  • 200.55.160.124
  • 200.82.185.119
  • 201.212.68.161
  • 201.216.3.229
  • 201.231.145.111
  • 201.27.196.253
  • 201.79.228.217
  • 209.83.88.3
  • 209.87.251.55
  • 210.119.19.61
  • 212.69.49.12
  • 213.66.99.225
  • 217.129.86.162
  • 217.26.165.146
  • 220.224.231.73
  • 221.223.130.74
  • 24.116.119.157
  • 24.209.2.161
  • 24.222.92.246
  • 24.24.186.141
  • 24.82.3.140
  • 60.218.245.51
  • 60.31.94.54
  • 61.102.212.18
  • 61.238.16.83
  • 64.184.89.202
  • 68.41.238.247
  • 68.91.129.102
  • 69.37.168.16
  • 70.61.170.203
  • 71.121.79.208
  • 72.177.194.167
  • 72.24.203.145
  • 72.241.49.144
  • 72.38.168.67
  • 76.124.149.22
  • 76.25.195.117
  • 76.89.100.221
  • 76.9.39.158
  • 77.109.39.105
  • 77.252.98.96
  • 77.29.194.238
  • 77.65.140.248
  • 77.81.248.158
  • 80.117.119.193
  • 80.183.57.117
  • 80.232.245.52
  • 80.66.240.179
  • 81.111.41.240
  • 81.172.96.184
  • 81.18.72.138
  • 81.184.102.33
  • 81.31.167.5
  • 81.31.183.214
  • 81.84.31.144
  • 82.154.44.107
  • 82.233.183.147
  • 82.56.63.197
  • 82.61.43.115
  • 82.78.142.146
  • 83.131.228.111
  • 83.132.209.172
  • 83.191.233.15
  • 83.31.140.66
  • 84.109.6.14
  • 84.122.132.201
  • 84.125.99.94
  • 84.16.228.132
  • 84.228.137.182
  • 84.237.134.103
  • 84.26.190.246
  • 84.3.93.129
  • 85.130.29.52
  • 85.130.30.117
  • 85.133.206.120
  • 85.152.62.104
  • 85.185.119.42
  • 85.196.183.244
  • 85.201.43.175
  • 85.232.254.214
  • 85.255.109.83
  • 85.64.79.166
  • 86.100.217.214
  • 86.107.149.138
  • 86.126.20.9
  • 86.126.37.96
  • 86.4.67.129
  • 86.66.131.160
  • 87.110.51.157
  • 87.16.10.84
  • 87.5.40.197
  • 87.67.94.212
  • 87.69.73.78
  • 87.69.83.37
  • 87.97.40.218
  • 88.148.101.139
  • 88.160.7.118
  • 88.222.201.105
  • 89.1.27.149
  • 89.138.89.17
  • 89.141.52.164
  • 89.160.77.132
  • 89.165.120.134
  • 89.165.68.177
  • 89.165.78.95
  • 89.39.168.174
  • 89.45.136.200
  • 89.74.204.108
  • 89.75.11.4
  • 89.77.53.132
  • 92.112.248.195
  • 92.249.152.117
  • 93.126.72.83
  • 93.172.160.70
  • 93.177.144.51
  • 98.197.170.70
  • 98.221.243.14
  • 99.144.153.58
  • 99.236.47.238
  • 99.244.169.127

These IP addresses are hard-coded to Waledac.A.

Registry Modifications

Sets these values:

  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\] PromoReg = %ExecutablePath%

Creates these keys:

  • [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion] RList = %HexadecimalValue%
  • [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion] MyID = %HexadecimalValue%