New Waledac Trojan

January 23, 2009

SonicWALL UTM Research team observed a new variant of the Waledac Trojan in the wild starting today, January 23, 2009. Waledac was first seen on the Internet a day before Christmas (Dec 24, 2008), and since then multiple variants have been spammed in the wild.

Waledac arrives via an email that contains a link to the Trojan. A sample URL spammed for the newest variant of Waledac looks like the following:

  • wlt.goodnewsdigital.com?cardnum=(REMOVED)

If the user clicks on the link, the Trojan is downloaded with one of the following filenames:

  • onlyyou.exe
  • love.exe
  • you.exe
  • youandme.exe
  • meandyou.exe

When executed, the malware performs the following tasks:

  • Adds the following registry value so that the Trojan is executed every time the system reboots:
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg: "(PATH)\(FILENAME)"
  • Sends out email messages containing the malicious URL to e-mail addresses harvested from the local machine. The following IP addresses were found encrypted inside the binary:

    • 60.17.155.78
    • 201.2.164.168
    • 124.73.130.120
    • 71.10.230.45
    • 200.100.83.229
    • 119.96.206.189
    • 121.1.102.3
    • 124.199.31.108
    • 124.153.156.121

    The malware sends the following HTTP requests to the above IP addresses, most of which have a Content-Length of 957 bytes:

    • POST /zzmk.htm HTTP/1.1
    • POST /smphsfmsdll.htm HTTP/1.1
    • POST /xbqbqkhnd.htm HTTP/1.1
    • POST /zmqwyliet.png HTTP/1.1
    • POST /irpswjczfew.htm HTTP/1.1

    The malware had very low AV detection (2/32) at the time of writing this Security Alert. SonicWALL Gateway Antivirus detects this new Waledac variant as GAV: Waledac.Z (Trojan).
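The indicators above (lure URL, payload names, peer IP addresses, POST targets and the 957-byte body size) can be turned into a simple triage pass over web proxy logs. The script below is an added example written for this alert, not SonicWALL code: the log line layout and every sample line in it are constructed for the example (internal hosts in 10.0.0.0/8, lure and decoy servers in the 198.51.100.0/24 documentation range, invented cardnum values), while the IP addresses, host name, file names and request paths come from the alert. The 957-byte length is scored only as a corroborating tag because the alert says "most", not all, requests carried it, and the peer address list should be treated as a snapshot from the time of analysis rather than a permanent blocklist.

```python
"""Score proxy-style log lines against the Waledac indicators from this alert.

Added example (not SonicWALL's code). The log layout is constructed for the
example: "<timestamp> <src_ip> <dst_ip> <method> <url> <status> <request_body_bytes>",
with "-" for requests that carry no body.
"""
import re
from urllib.parse import urlsplit

# Addresses recovered from the binary, as listed in the alert. Treat them as a
# point-in-time snapshot of the peers that were live when the sample was analysed.
WALEDAC_IPS = frozenset({
    "60.17.155.78", "201.2.164.168", "124.73.130.120", "71.10.230.45",
    "200.100.83.229", "119.96.206.189", "121.1.102.3", "124.199.31.108",
    "124.153.156.121",
})

# Lure host and query parameter from the spammed link in the alert.
LURE_HOST = "wlt.goodnewsdigital.com"
LURE_PARAM = "cardnum"

# Payload file names from the alert. The names are generic, so on their own
# this is the weakest indicator here.
PAYLOAD_NAMES = frozenset({"onlyyou.exe", "love.exe", "you.exe", "youandme.exe", "meandyou.exe"})

# "Most" of the observed POSTs carried 957 bytes: a corroborating tag, never required.
TYPICAL_POST_LENGTH = 957

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<body>\d+|-)$"
)
# Observed C2 targets were a lowercase alphabetic name plus .htm or .png.
C2_PATH_RE = re.compile(r"^/[a-z]+\.(?:htm|png)$")


def classify(line):
    """Return the list of indicator tags that fire on one log line ([] if none)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    dst, method, body = m["dst"], m["method"], m["body"]
    url = urlsplit(m["url"])
    host = url.hostname or ""
    path = url.path
    tags = []

    if dst in WALEDAC_IPS:
        tags.append("waledac-peer")
        if method == "POST" and C2_PATH_RE.match(path):
            tags.append("waledac-c2-post")
            if body == str(TYPICAL_POST_LENGTH):
                tags.append("waledac-c2-post-len957")

    if host == LURE_HOST and LURE_PARAM + "=" in url.query:
        tags.append("waledac-lure-url")

    if path.rsplit("/", 1)[-1].lower() in PAYLOAD_NAMES:
        tags.append("waledac-payload-name")

    return tags


def scan(log_text):
    """Return (line_number, src_ip, tags) for every line that fires at least one tag."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        tags = classify(line)
        if tags:
            hits.append((n, LOG_RE.match(line.strip())["src"], tags))
    return hits


def triage(log_text):
    """Split internal hosts into those talking to the peers (infected) and those
    that merely fetched the lure URL (exposed, but not necessarily infected)."""
    infected, clicked = set(), set()
    for _, src, tags in scan(log_text):
        if "waledac-c2-post" in tags:
            infected.add(src)
        if "waledac-lure-url" in tags:
            clicked.add(src)
    return {"infected": infected, "clicked_lure": clicked}


# Constructed sample log; only the Waledac hosts, paths and addresses are from the alert.
SAMPLE_LOG = """\
2009-01-23T10:02:11Z 10.0.0.15 198.51.100.10 GET http://www.example.com/ 200 -
2009-01-23T10:03:40Z 10.0.0.15 198.51.100.20 GET http://wlt.goodnewsdigital.com?cardnum=41279 200 -
2009-01-23T10:03:42Z 10.0.0.15 198.51.100.20 GET http://wlt.goodnewsdigital.com/love.exe 200 -
2009-01-23T10:05:01Z 10.0.0.15 60.17.155.78 POST http://60.17.155.78/zzmk.htm 200 957
2009-01-23T10:05:03Z 10.0.0.15 124.73.130.120 POST http://124.73.130.120/zmqwyliet.png 200 957
2009-01-23T10:05:09Z 10.0.0.15 71.10.230.45 POST http://71.10.230.45/irpswjczfew.htm 200 812
2009-01-23T10:06:00Z 10.0.0.22 198.51.100.30 POST http://198.51.100.30/login.htm 302 957
2009-01-23T10:07:15Z 10.0.0.31 198.51.100.20 GET http://wlt.goodnewsdigital.com?cardnum=90002 200 -
"""

if __name__ == "__main__":
    for n, src, tags in scan(SAMPLE_LOG):
        print(f"line {n} {src}: {', '.join(tags)}")
    print(triage(SAMPLE_LOG))
```

Run against the sample, host 10.0.0.15 is flagged as infected (it posted to three of the listed peers, two of them with the 957-byte body), 10.0.0.31 only clicked the lure, and the unrelated 957-byte POST from 10.0.0.22 is ignored because the destination is not one of the listed peers.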