Win32/Waledac [Threat Name]

Win32/Waledac.E [Threat Variant Name]

Category trojan
Size 387072 B
Detection created Dec 25, 2008
Detection database version 3717
Aliases Trojan.Win32.Agent.azxj (Kaspersky)
  W32.Waledac (Symantec)
  W32/Waledac.gen (McAfee)
Short description

Win32/Waledac.E is a trojan that spreads via e-mail. The file is run-time compressed using UPX.

Installation

The trojan does not create any copies of itself.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "PromoReg" = "%filepath%"
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "PromoReg" = "%filepath%"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion]
    • "RList" = "%hex_value1%"
    • "MyID" = "%hex_value2%"
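The Run-key entry and the two state values above are the host indicators a responder would sweep for. The following script is an added example, not ESET's code or the malware's: it parses a Windows .reg export (the text regedit or `reg export` writes), resolves regedit's backslash line continuation for binary values, and reports the PromoReg persistence entry together with RList and MyID. The .reg text embedded below is constructed for the demonstration, and the path of ecard.exe in it is an assumption; the write-up only gives "%filepath%".

```python
"""Triage a Windows .reg export for the Win32/Waledac.E registry artefacts.

Added example (not ESET's code). The SAMPLE_REG text is constructed; the
ecard.exe path inside it is an assumption, not taken from the write-up.
"""
import re

# Registry artefacts listed in the write-up (key path, value name).
WALEDAC_RUN_VALUE = "PromoReg"
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
STATE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
STATE_VALUES = {"RList", "MyID"}

# Constructed .reg export, including the two-space hex continuation lines
# regedit emits for binary values. Only PromoReg, RList and MyID are hits.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"RList"=hex:3a,7f,c1,00,55,2b,9e,\
  10,44
"MyID"=hex:de,ad,be,ef

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"PromoReg"="C:\\Users\\user\\AppData\\Local\\Temp\\ecard.exe"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Return {key_path_lower: {value_name: raw_value}} from .reg text.

    Key paths are stored lower-cased because the registry compares them
    case-insensitively (the write-up spells SOFTWARE/Software both ways).
    """
    keys = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, raw = m.group(1), m.group(2)
        # A trailing backslash means the hex value continues on the next line.
        while raw.endswith("\\") and i < len(lines):
            raw = raw[:-1] + lines[i].strip()
            i += 1
        keys[current][name] = raw
    return keys


def decode_value(raw):
    """Turn a raw .reg value into str (REG_SZ) or bytes (hex: binary data)."""
    if raw.startswith('"') and raw.endswith('"'):
        # .reg files escape quote and backslash with a backslash.
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("hex:"):
        body = raw[4:].strip().rstrip(",")
        return bytes(int(b, 16) for b in body.split(",") if b)
    return raw


def find_waledac_artifacts(reg_text):
    """Return [(key, value_name, decoded_value)] for every indicator present."""
    hits = []
    keys = parse_reg(reg_text)
    for key in sorted(RUN_KEYS):
        values = keys.get(key.lower(), {})
        if WALEDAC_RUN_VALUE in values:
            hits.append((key, WALEDAC_RUN_VALUE,
                         decode_value(values[WALEDAC_RUN_VALUE])))
    state = keys.get(STATE_KEY.lower(), {})
    for name in sorted(STATE_VALUES):
        if name in state:
            hits.append((STATE_KEY, name, decode_value(state[name])))
    return hits


if __name__ == "__main__":
    for key, name, value in find_waledac_artifacts(SAMPLE_REG):
        print(f"[!] {key}\\{name} = {value!r}")
```

A PromoReg hit gives the path of the running sample, which is what to collect next; RList and MyID by themselves are only corroborating, since the write-up describes their content as opaque hex.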

Spreading

The trojan is distributed in spam e-mail.


The attachment is the trojan's executable.


The attached file is named:

  • ecard.exe

Information stealing

The trojan harvests e-mail addresses by scanning all files on the local system.


It skips files with the following extensions:

  • .7z
  • .avi
  • .bmp
  • .class
  • .dll
  • .exe
  • .gif
  • .gz
  • .hxd
  • .hxh
  • .hxn
  • .hxw
  • .jar
  • .jpeg
  • .jpg
  • .mov
  • .mp3
  • .msi
  • .ocx
  • .ogg
  • .rar
  • .vob
  • .wav
  • .wave
  • .wma
  • .wmv
  • .zip

The trojan connects to some of the following IP addresses:

  • 117.200.162.251
  • 118.39.80.191
  • 121.183.84.135
  • 121.19.195.230
  • 124.13.230.117
  • 124.49.43.93
  • 142.177.231.22
  • 189.42.164.145
  • 204.209.150.147
  • 208.106.52.137
  • 208.83.201.227
  • 210.7.71.146
  • 212.159.21.167
  • 213.131.76.73
  • 216.209.122.130
  • 216.36.130.109
  • 24.158.195.125
  • 24.207.88.196
  • 24.239.179.85
  • 24.62.30.175
  • 41.236.0.142
  • 60.209.137.67
  • 66.191.9.44
  • 67.213.109.105
  • 68.184.214.241
  • 69.11.98.242
  • 69.14.79.5
  • 69.233.246.152
  • 69.5.130.53
  • 70.118.141.187
  • 70.61.49.142
  • 71.17.130.125
  • 71.202.164.93
  • 76.18.186.44
  • 80.243.31.109
  • 81.192.250.40
  • 81.203.36.136
  • 81.5.14.98
  • 81.77.21.49
  • 82.197.247.31
  • 82.27.82.228
  • 83.11.204.247
  • 83.203.219.121
  • 83.4.16.184
  • 84.16.228.132
  • 84.68.167.227
  • 85.122.96.11
  • 85.198.234.228
  • 85.236.1.130
  • 85.250.130.233
  • 85.26.91.207
  • 87.16.224.156
  • 87.252.174.27
  • 88.108.119.42
  • 88.156.181.91
  • 88.180.76.46
  • 89.102.101.155
  • 89.135.67.99
  • 89.138.157.12
  • 89.204.192.103
  • 89.25.53.240
  • 89.77.140.176
  • 93.102.77.126
  • 98.199.54.109
  • 99.239.89.229
  • 99.247.171.50
  • 99.254.233.92
  • 99.255.160.52

The trojan can send the harvested information to a remote machine.


The HTTP protocol is used.
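Because the traffic is plain HTTP to bare IP addresses, the list above is directly usable against web-proxy logs. The following script is an added example, not ESET's code: it loads the 68 addresses from the write-up, parses Squid native access.log lines, takes the server address from the hierarchy field (falling back to the URL host when the proxy recorded no peer), and reports matches per internal client. The log lines are constructed for the demonstration; the field layout assumed is Squid's native format.

```python
"""Sweep Squid access.log text for connections to the Win32/Waledac.E
IP addresses listed in the write-up.

Added example (not ESET's code). SAMPLE_LOG is constructed; the assumed
layout is Squid's native access.log format.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# The 68 addresses from the write-up, as a set for constant-time lookup.
WALEDAC_IPS = frozenset("""
117.200.162.251 118.39.80.191 121.183.84.135 121.19.195.230 124.13.230.117
124.49.43.93 142.177.231.22 189.42.164.145 204.209.150.147 208.106.52.137
208.83.201.227 210.7.71.146 212.159.21.167 213.131.76.73 216.209.122.130
216.36.130.109 24.158.195.125 24.207.88.196 24.239.179.85 24.62.30.175
41.236.0.142 60.209.137.67 66.191.9.44 67.213.109.105 68.184.214.241
69.11.98.242 69.14.79.5 69.233.246.152 69.5.130.53 70.118.141.187
70.61.49.142 71.17.130.125 71.202.164.93 76.18.186.44 80.243.31.109
81.192.250.40 81.203.36.136 81.5.14.98 81.77.21.49 82.197.247.31
82.27.82.228 83.11.204.247 83.203.219.121 83.4.16.184 84.16.228.132
84.68.167.227 85.122.96.11 85.198.234.228 85.236.1.130 85.250.130.233
85.26.91.207 87.16.224.156 87.252.174.27 88.108.119.42 88.156.181.91
88.180.76.46 89.102.101.155 89.135.67.99 89.138.157.12 89.204.192.103
89.25.53.240 89.77.140.176 93.102.77.126 98.199.54.109 99.239.89.229
99.247.171.50 99.254.233.92 99.255.160.52
""".split())

# Constructed Squid native access.log lines: time, elapsed, client, code/status,
# bytes, method, URL, user, hierarchy/peer, content-type. Lines 2 and 3 match.
SAMPLE_LOG = """\
1230969302.118    245 10.0.0.23 TCP_MISS/200 1521 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1230969305.402    887 10.0.0.23 TCP_MISS/200 3310 POST http://208.83.201.227/ - DIRECT/208.83.201.227 text/html
1230969340.011    120 10.0.0.41 TCP_MISS/200 760 GET http://99.255.160.52/ - DIRECT/99.255.160.52 text/html
1230969377.950    210 10.0.0.23 TCP_HIT/200 4401 GET http://update.example.org/a.cab - NONE/- application/octet-stream
"""


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_squid_line(line):
    """Return (timestamp, client_ip, method, url, server) or None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    ts, _elapsed, client, _code, _size, method, url, _user, hierarchy = fields[:9]
    # Hierarchy is e.g. DIRECT/208.83.201.227 or NONE/- for cache hits.
    server = hierarchy.split("/", 1)[-1]
    if not _is_ip(server):
        # Fall back to the URL host; for this threat that is itself a bare IP.
        server = urlsplit(url).hostname or ""
    return (float(ts), client, method, url, server)


def find_waledac_traffic(log_text, indicators=WALEDAC_IPS):
    """Return (hits, per_client): matched records and match counts per client IP."""
    hits = []
    per_client = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        if rec[4] in indicators:
            hits.append(rec)
            per_client[rec[1]] += 1
    return hits, dict(per_client)


if __name__ == "__main__":
    matched, counts = find_waledac_traffic(SAMPLE_LOG)
    for ts, client, method, url, server in matched:
        print(f"[!] {ts:.0f} {client} {method} {url} -> {server}")
    print("clients to isolate:", counts)
```

Addresses in a list like this belong to infected hosts on consumer networks and turn over quickly, so treat a miss as inconclusive and a hit as a reason to pull the client's Run keys as well.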

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan can be used for sending spam.


It can execute the following operations:

  • run executable files
  • terminate running processes
  • download files from a remote computer and/or the Internet
