Waledac

from Wikipedia, the free encyclopedia

Waledac, also known by the names W32/Waledac and W32/IRCbot-ZG, is a computer worm that appeared in late December 2008. The worm infects computers running the Microsoft Windows operating system.

Dissemination methods

To infect other computers, the worm sends e-mails containing copies of itself or links to infected websites.

E-mails written in English were occasionally also sent to Swiss and German e-mail recipients. In the last major spam wave, around January 18, 2009, the spam mail claimed that Barack Obama would not run as President of the United States. The spam emails each contain a link to a website that then spreads the Trojan.

Among other things, spam emails were sent at Christmas with the following subject lines:

  • "Free Christmas Ecards"
  • "Christmas card from a friend"
  • "Merry Xmas!"

Executable files with names such as "ecard.exe" or "run.exe" are used as file attachments. Links are also sent to websites that try to get the visitor to download an alleged version of the Flash Player. Instead of the player, however, the computer worm installs itself.

To get the user to watch the supposed video, and so install the worm, the website uses geolocation to fake a report of a bomb explosion in the capital nearest to the visitor.

The website's source code refers to a JavaScript file that supposedly belongs to Google Analytics. If you look at the file google-analysis.js itself, however, you can see that the code is obfuscated and contains a drive-by exploit.

The websites used by Waledac to spread the Trojan attempt to infect the visitor's computer in two ways: on the one hand, as a normal file download and, on the other hand, via drive-by infection. Simply looking at the website is enough to get infected with the Trojan. The name of the .EXE file offered changes with each visit.

Effects

When an infected file is executed, the worm creates the following registry entries:

Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run\"PromoReg" = "[path to the infected file]"
Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\"RList"
Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\"MyID"

It then searches for e-mail addresses that are stored on the computer.
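As an added example (not from the article), a small Python check that parses a regedit-style registry export and flags the three values listed above; the sample export, the benign SecurityHealth entry and the file path under PromoReg are constructed for the example.

```python
import re
# Registry indicators named in the article: the Run value that restarts the worm and the
# two marker values under HKCU\...\CurrentVersion. Registry paths are case-insensitive.
WALEDAC_INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", ["PromoReg"]),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion", ["RList", "MyID"]),
]

def parse_reg_export(text):
    """Parse a regedit/reg-export style dump into {key_lowercased: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # key names compare case-insensitively
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)+)"=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            # String data is quoted and uses \" and \\ escapes; hex:/dword: data stays verbatim.
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys

def find_waledac_indicators(text):
    """Return (key, value_name, data) for each article indicator present in the export."""
    keys = parse_reg_export(text)
    hits = []
    for key, names in WALEDAC_INDICATORS:
        values = keys.get(key.lower(), {})
        for name in names:
            if name in values:
                hits.append((key, name, values[name]))
    return hits

# Constructed sample export: one benign Run entry plus the three Waledac values.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"PromoReg"="C:\\Users\\alice\\AppData\\Local\\Temp\\ecard.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"RList"=hex:01,02,03
"MyID"="constructed-sample-id"
'''
```

The PromoReg data is the path an analyst would want first, since it names the file to quarantine; a real export is produced with `reg export` on the host.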

Connection to Conficker

Observations showed that Conficker, among other things, contacted domains that were already infected with the Waledac worm in order to download the worm. Waledac is suspected of having a connection to the Storm botnet.

Elimination

Waledac can be removed by all common antivirus programs. The only important point is that System Restore is switched off beforehand; otherwise the worm can be restored from a restore point.
