New Waledac Trojan
SonicWALL UTM Research team observed a new variant of the Waledac Trojan in the wild starting today, Thursday, January 23, 2009. Waledac was first seen on the Internet a day before Christmas (Dec 24, 2009), and since then multiple variants have been spammed in the wild.
Waledac arrives via email that contains a link to the Trojan. A sample URL spammed for the newest variant of Waledac looks like the following:
If the user clicks on the link, the Trojan is downloaded with one of the following filenames:
When executed, the malware performs the following tasks:
- Adds the following registry key to ensure that the Trojan is executed every time the system reboots:
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg: "(PATH)\(FILENAME)"
Sends out email messages containing the malicious URL to e-mail addresses harvested from the local machine. The following IP addresses were found encrypted inside the binary file:
The malware sends the following HTTP requests to the above IP addresses, most of which have a content-length of 957 bytes:
- POST /zzmk.htm HTTP/1.1
- POST /smphsfmsdll.htm HTTP/1.1
- POST /xbqbqkhnd.htm HTTP/1.1
- POST /zmqwyliet.png HTTP/1.1
- POST /irpswjczfew.htm HTTP/1.1
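The beacon pattern above (POST requests to short, random-looking .htm/.png paths with a 957-byte body) can be turned into a simple proxy-log check. The following Python is an added example, not part of the original alert or of SonicWALL's signature; the log line format and the sample entries are constructed, and the addresses in them are documentation ranges rather than indicators from the alert.

```python
import re
from typing import Dict, List, Optional

# Indicators taken from the alert: request paths seen in the Waledac
# beacons and the typical content-length of those POST bodies.
WALEDAC_PATHS = {
    "/zzmk.htm", "/smphsfmsdll.htm", "/xbqbqkhnd.htm",
    "/zmqwyliet.png", "/irpswjczfew.htm",
}
WALEDAC_BODY_LEN = 957

# Weaker heuristic for variants that rotate the path: a POST to a short
# lowercase name with an .htm/.png extension and the same body size.
RANDOM_PATH = re.compile(r"^/[a-z]{4,12}\.(?:htm|png)$")

# Constructed (hypothetical) proxy log format:
#   <date> <time> <client-ip> <method> <url> <request-body-bytes>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<bytes>\d+)$"
)
URL_PATH = re.compile(r"^https?://(?P<host>[^/]+)(?P<path>/[^?\s]*)")


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a Waledac-like beacon line, else None."""
    m = LOG_LINE.match(line.strip())
    if not m or m["method"] != "POST" or int(m["bytes"]) != WALEDAC_BODY_LEN:
        return None
    u = URL_PATH.match(m["url"])
    if not u:
        return None
    path = u["path"]
    if path in WALEDAC_PATHS:
        confidence = "high"   # exact path from the alert
    elif RANDOM_PATH.match(path):
        confidence = "low"    # body size and path shape only; verify first
    else:
        return None
    return {"client": m["client"], "host": u["host"],
            "path": path, "confidence": confidence}


def find_waledac_beacons(lines: List[str]) -> List[Dict[str, str]]:
    """Scan proxy log lines and return every matching finding in order."""
    return [f for f in (classify(l) for l in lines) if f]


# Constructed sample log: two known paths, one rotated path, two benign lines.
SAMPLE_LOG = """\
2009-01-23 09:15:02 10.0.0.21 GET http://www.example.com/index.htm 0
2009-01-23 09:15:40 10.0.0.21 POST http://203.0.113.7/zzmk.htm 957
2009-01-23 09:16:03 10.0.0.21 POST http://203.0.113.7/smphsfmsdll.htm 957
2009-01-23 09:17:11 10.0.0.35 POST http://198.51.100.9/qwertyuio.png 957
2009-01-23 09:18:50 10.0.0.35 POST http://www.example.com/forms/contact.php 957
2009-01-23 09:19:20 10.0.0.21 POST http://203.0.113.7/zzmk.htm 1200
""".splitlines()

if __name__ == "__main__":
    for finding in find_waledac_beacons(SAMPLE_LOG):
        print(finding)
```

Low-confidence hits only share the body size and path shape with the alert, so treat them as leads to confirm against the host rather than as detections.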
The malware has very low AV detection (2/32) at the time of writing this Security Alert. SonicWALL Gateway Antivirus detects this new Waledac variant as GAV: Waledac.Z (Trojan).