Win32/Waledac [Threat Name]

Win32/Waledac.JT [Threat Variant Name]

Category: trojan
Size: 437248 B
Detection created: Jun 23, 2009
Detection database version: 4181
Aliases:
  • Email-Worm.Win32.Iksmas.cio (Kaspersky)
  • Trojan:Win32/Waledac.gen!A (Microsoft)
  • Trojan.Waledac.CW (BitDefender)
Short description

Win32/Waledac.JT is a trojan that is used for spam distribution.

Installation

The trojan does not create any copies of itself.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "PromoReg" = "%filepath%"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "PromoReg" = "%filepath%"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
    • "RList" = "%hex_value1%"
    • "MyID" = "%hex_value2%"
    • "FWDone" = "%variable%"

A string with variable content is used instead of %variable%.
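The persistence and data values listed above can be checked offline on a registry export taken from a suspect host. The following script is an added example and not ESET's tooling: it parses text in the Windows .reg export format (what `reg export` or Registry Editor writes) and reports any PromoReg Run value and any RList, MyID or FWDone value under the HKCU CurrentVersion key. The SAMPLE_EXPORT it ships with is constructed for illustration, and the file path in it merely stands in for the page's %filepath%.

```python
"""Check a Windows registry export for the Win32/Waledac.JT entries described above.

Added example, not ESET's tooling. It reads text in .reg export format (what
`reg export` or Registry Editor writes), so it can be run offline against an
export collected from a suspect host. SAMPLE_EXPORT below is constructed for
illustration; the file path in it stands in for the page's %filepath%.
"""
import re

# Indicators from the page: the Run value used for persistence and the
# three values the trojan stores under HKCU\...\CurrentVersion.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
PERSISTENCE_VALUE = "PromoReg"
DATA_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
DATA_VALUES = ("RList", "MyID", "FWDone")

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from .reg export text.

    Handles the subset needed here: [key] headers, "name"=data lines and
    hex data continued over several lines with a trailing backslash.
    Default values (@=...) are ignored.
    """
    result = {}
    current = None
    pending = None  # (name, partial_data) while a hex value spans lines
    for line in text.splitlines():
        if pending is not None:
            name, data = pending
            data += line.strip()
            if data.endswith("\\"):
                pending = (name, data[:-1])
            else:
                result[current][name] = data
                pending = None
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group("name"), m.group("data").strip()
            if data.endswith("\\"):
                pending = (name, data[:-1])
            else:
                result[current][name] = data
    return result


def find_waledac_indicators(export_text):
    """Return (key, value_name, raw_data) tuples that match the indicators.

    Registry paths and value names are case-insensitive on Windows, so the
    comparison normalises both sides before matching.
    """
    keys = {k.lower(): (k, v) for k, v in parse_reg_export(export_text).items()}
    wanted_data = {v.lower() for v in DATA_VALUES}
    hits = []
    for run_key in RUN_KEYS:
        orig_key, values = keys.get(run_key.lower(), (run_key, {}))
        for name, data in values.items():
            if name.lower() == PERSISTENCE_VALUE.lower():
                hits.append((orig_key, name, data))
    orig_key, values = keys.get(DATA_KEY.lower(), (DATA_KEY, {}))
    for name, data in values.items():
        if name.lower() in wanted_data:
            hits.append((orig_key, name, data))
    return hits


# Constructed sample export: one benign Run entry beside the indicators.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"PromoReg"="C:\\Users\\alice\\AppData\\Local\\Temp\\promo.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"ProgramFilesDir"="C:\\Program Files"
"RList"=hex:0a,0b,0c,\
  0d,0e
"MyID"=hex:de,ad,be,ef
"FWDone"="1"
"""

if __name__ == "__main__":
    for key, name, data in find_waledac_indicators(SAMPLE_EXPORT):
        print(f"[{key}] {name} = {data}")
```

Run it against a real export with `reg export HKCU hkcu.reg` followed by `find_waledac_indicators(open("hkcu.reg", encoding="utf-16").read())`; Registry Editor writes exports as UTF-16, which is why the encoding is given explicitly. A PromoReg hit alone is the persistence indicator; the three data values corroborate it.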

Spreading

The trojan generally spreads through links in spam emails which point to websites containing malware.


Some examples follow. Examples [1.], [2.] and [3.] are images and are not reproduced in this text.

Information stealing

The trojan gathers e-mail addresses from all local files.


It avoids files with the following extensions:

  • .7z
  • .avi
  • .bmp
  • .class
  • .dll
  • .exe
  • .gif
  • .gz
  • .hxd
  • .hxh
  • .hxn
  • .hxw
  • .jar
  • .jpeg
  • .jpg
  • .mov
  • .mp3
  • .msi
  • .ocx
  • .ogg
  • .rar
  • .vob
  • .wav
  • .wave
  • .wma
  • .wmv

The trojan connects to some of the following IP addresses:

  • 10.10.0.182
  • 112.76.132.115
  • 113.252.87.198
  • 113.254.126.104
  • 113.255.57.219
  • 113.30.81.6
  • 113.61.184.89
  • 114.30.134.94
  • 116.123.155.18
  • 118.232.186.218
  • 119.15.196.125
  • 119.204.116.61
  • 119.246.58.44
  • 119.77.241.27
  • 119.92.29.123
  • 121.133.227.50
  • 125.131.157.217
  • 140.113.246.125
  • 140.123.236.163
  • 144.122.21.189
  • 156.17.34.93
  • 163.180.140.240
  • 163.180.140.241
  • 166.82.149.171
  • 168.131.48.243
  • 189.103.50.40
  • 193.140.26.43
  • 193.140.26.67
  • 193.140.26.82
  • 193.140.26.91
  • 193.224.251.56
  • 193.43.255.106
  • 193.93.94.9
  • 194.27.64.177
  • 194.27.68.50
  • 200.112.170.6
  • 200.204.40.76
  • 201.11.154.85
  • 201.15.10.11
  • 201.39.115.114
  • 211.106.233.241
  • 211.245.208.162
  • 211.41.225.65
  • 211.63.82.133
  • 211.75.202.235
  • 212.183.212.54
  • 212.51.223.229
  • 212.75.6.56
  • 212.77.156.35
  • 212.77.156.75
  • 212.80.53.28
  • 213.21.36.184
  • 213.213.201.115
  • 213.231.97.17
  • 213.89.17.69
  • 217.113.123.83
  • 217.129.35.29
  • 217.195.58.206
  • 221.160.67.146
  • 221.163.75.167
  • 24.100.8.91
  • 60.198.132.191
  • 60.2.41.179
  • 61.35.100.83
  • 61.64.25.120
  • 61.73.148.72
  • 64.150.205.40
  • 64.95.58.136
  • 64.95.58.150
  • 64.95.58.153
  • 66.56.242.36
  • 68.59.7.2
  • 68.80.77.247
  • 69.254.29.23
  • 70.126.174.197
  • 70.224.33.117
  • 71.249.195.122
  • 76.90.207.141
  • 77.232.11.21
  • 77.250.161.205
  • 77.36.3.134
  • 77.78.191.36
  • 80.82.86.35
  • 80.98.172.191
  • 80.98.83.46
  • 81.105.150.20
  • 81.203.74.134
  • 81.24.211.147
  • 81.95.195.52
  • 82.105.101.57
  • 82.12.2.217
  • 82.19.192.201
  • 82.210.141.4
  • 82.212.133.142
  • 82.227.205.129
  • 82.230.189.102
  • 82.233.24.88
  • 82.235.211.70
  • 82.239.234.157
  • 82.240.224.224
  • 82.242.182.210
  • 82.243.120.177
  • 82.245.76.81
  • 82.250.72.232
  • 82.46.28.102
  • 82.5.214.221
  • 83.172.42.213
  • 83.83.206.6
  • 83.97.136.155
  • 84.10.166.159
  • 84.108.102.98
  • 84.113.147.148
  • 84.124.106.35
  • 84.16.228.132
  • 84.240.47.65
  • 84.38.104.198
  • 84.38.104.199
  • 85.120.149.156
  • 85.122.13.67
  • 85.122.94.27
  • 85.130.3.199
  • 85.186.92.93
  • 85.201.131.10
  • 85.204.132.61
  • 85.233.91.17
  • 85.239.139.118
  • 85.255.76.170
  • 85.85.223.125
  • 85.86.254.203
  • 86.100.89.37
  • 86.126.167.180
  • 86.126.171.46
  • 86.126.185.47
  • 86.18.90.94
  • 86.52.251.174
  • 86.61.130.226
  • 87.116.187.92
  • 87.120.194.221
  • 87.120.70.169
  • 87.247.107.58
  • 87.250.57.142
  • 87.97.196.47
  • 87.97.228.53
  • 88.158.3.77
  • 88.165.213.249
  • 88.167.163.137
  • 88.171.195.151
  • 88.172.226.183
  • 88.174.217.135
  • 88.184.74.15
  • 88.216.45.240
  • 88.216.47.73
  • 88.222.67.92
  • 89.102.235.10
  • 89.102.73.171
  • 89.148.123.115
  • 89.151.18.207
  • 89.190.236.235
  • 89.205.13.159
  • 89.25.88.139
  • 89.252.1.19
  • 89.252.57.111
  • 89.28.15.227
  • 89.28.44.98
  • 89.28.96.116
  • 89.29.138.169
  • 89.33.186.23
  • 89.36.40.60
  • 89.40.110.163
  • 89.74.23.162
  • 89.74.55.117
  • 89.78.171.183
  • 92.115.178.224
  • 92.115.243.108
  • 92.243.107.227
  • 92.249.181.124
  • 92.250.107.25
  • 92.54.102.245
  • 93.100.36.37
  • 93.100.7.126
  • 93.113.207.73
  • 93.113.225.92
  • 93.123.40.26
  • 93.152.156.92
  • 93.184.82.161

The trojan can send the information to a remote machine.


The HTTP protocol is used.
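The address list above, together with the note that HTTP is used, is the network-side indicator for this variant. The script below is an added example, not part of the ESET entry: it matches web-proxy log lines against the listed addresses and reports which internal clients contacted them. The log format is a simplified "epoch client_ip dest_ip:port method url" line constructed here, and only a subset of the page's addresses is included (the rest can be pasted in). One caveat a practitioner should apply: 10.10.0.182 is an RFC 1918 private address, so it describes the analysis environment rather than the botnet, and the script filters such entries out before matching.

```python
"""Match proxy log lines against the Win32/Waledac.JT addresses listed above.

Added example; not part of the ESET entry. The log format is a simplified
"epoch client_ip dest_ip:port method url" line, constructed here, and only a
subset of the page's addresses is included (the rest can be pasted in).
"""
import ipaddress

# Addresses copied from the page's list.
WALEDAC_JT_C2 = {
    "10.10.0.182",      # on the page, but RFC 1918: filtered out below
    "112.76.132.115",
    "140.113.246.125",
    "193.140.26.43",
    "85.255.76.170",
    "93.184.82.161",
}


def usable_indicators(addrs):
    """Keep only globally routable addresses.

    Private, loopback and link-local entries in an IoC list describe the
    analysis sandbox's network rather than the botnet and would fire on
    ordinary internal traffic, so they are dropped before matching.
    """
    return {a for a in addrs if ipaddress.ip_address(a).is_global}


def parse_line(line):
    """Split one constructed proxy log line into its fields."""
    ts, client, dest, method, url = line.split(maxsplit=4)
    dest_ip, _, dest_port = dest.rpartition(":")
    return {"ts": int(ts), "client": client, "dest_ip": dest_ip,
            "dest_port": int(dest_port), "method": method, "url": url}


def find_c2_contacts(lines, indicators=WALEDAC_JT_C2):
    """Return parsed records whose destination is a usable C2 indicator.

    The page says the trojan talks HTTP, so port 80 is recorded but not
    required: a hit on another port is still worth a look.
    """
    iocs = usable_indicators(indicators)
    return [rec for rec in (parse_line(l) for l in lines if l.strip())
            if rec["dest_ip"] in iocs]


def clients_to_investigate(lines, indicators=WALEDAC_JT_C2):
    """Distinct internal clients that contacted a C2 address, sorted."""
    return sorted({rec["client"] for rec in find_c2_contacts(lines, indicators)})


# Constructed sample log: two C2 contacts from one host, one benign HTTPS
# session, and one internal hit on the private address that must not alert.
SAMPLE_LOG = """\
1245758401 192.168.1.23 93.184.82.161:80 GET http://93.184.82.161/
1245758402 192.168.1.23 10.10.0.182:80 GET http://10.10.0.182/intranet/
1245758405 192.168.1.40 93.184.216.34:443 CONNECT www.example.com:443
1245758409 192.168.1.23 85.255.76.170:80 POST http://85.255.76.170/
""".splitlines()

if __name__ == "__main__":
    for rec in find_c2_contacts(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['client']} -> {rec['dest_ip']}:{rec['dest_port']} {rec['method']}")
    print("hosts to investigate:", clients_to_investigate(SAMPLE_LOG))
```

Because the botnet's peers are largely residential hosts, an address on this list may have been reassigned long after the detection date, so a single match is a lead to correlate with the registry indicators on the host rather than a verdict on its own.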

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan can be used for sending spam.


The trojan may create the following files:

  • %random%.htm
  • %random%.png

A string with variable content is used instead of %random%.


The trojan can download and execute a file from the Internet.


By adding an exception in Windows Firewall settings, the trojan ensures that it is not blocked.
