Security News

New Waledac Trojan (Jan 23, 2009)

By

SonicWALL UTM Research team observed a new variant of Waledac Trojan in the wild starting today Thursday, January 23, 2009. Waledac was first seen on the Internet a day before Christmas (Dec 24, 2009) and since then there were multiple variants spammed in the wild.

Waledac arrives via email that contains a link to the Trojan. A sample of URL spammed for the newest variant of Waledac looks like following:

  • wlt.goodnewsdigital.com?cardnum=(REMOVED)

If the user clicks on the link, the Trojan will get downloaded with one of the following filename:

  • onlyyou.exe
  • love.exe
  • you.exe
  • youandme.exe
  • meandyou.exe

The malware when executed, performs the following tasks:

  • Adds the following registry key to ensure that the Trojan gets executed every time system reboots
    • HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunPromoReg: “(PATH)(FILENAME)”

  • Sends out email messages containing the Malicious URL to e-mail addresses harvested from local machine. It contained following IP Addresses encrypted inside the binary file:

    • 60.17.155.78
    • 201.2.164.168
    • 124.73.130.120
    • 71.10.230.45
    • 200.100.83.229
    • 119.96.206.189
    • 121.1.102.3
    • 124.199.31.108
    • 124.153.156.121

    Malware sends folling HTTP requests to the above IP addresses most of which has content-length of 957 bytes:

    • POST /zzmk.htm HTTP/1.1
    • POST /smphsfmsdll.htm HTTP/1.1
    • POST /xbqbqkhnd.htm HTTP/1.1
    • POST /zmqwyliet.png HTTP/1.1
    • POST /irpswjczfew.htm HTTP/1.1

    The malware has very low AV detection (2/32) at the time of writing this Security Alert. SonicWALL Gateway Antivirus will detect this new Waledac variant as GAV: Waledac.Z (Trojan) .

    Security News
    The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
CVE-2013-3893 exploit actively serving malware (September 26, 2013)
Attackers actively targeting vulnerable Netgear DGN devices
Adobe Reader and Acrobat Zero Day exploit (Dec 9, 2011)
Agent Tesla RAT Disguised As NSIS Installer
Hurricane Sandy Email Phishing Scam (Oct 31, 2012)
Corona Anti-Locker Ultimate - Data stealing malware
Microsoft Security Bulletin Coverage for July 2017
Apache QPid Denial Of Service Vulnerability (April 10, 2015)