Waledac SMS Spy Trojan

April 16, 2009

Yesterday, the SonicWALL UTM Research team observed new variants of Waledac. This time they use an "SMS Spy" software trial theme, pretending to offer software that lets the user read other people's SMS messages.

In the past, we released SonicAlerts about Waledac pretending to be a Valentine's Day E-Card, a Couponizer program, and a Fake News Story about a Dirty Bomb.

The latest SMS Spy variants do not incorporate IP address geolocation, so the message is not customized to the user's city.

The website banks on the user's curiosity and offers a tool to invade privacy and read anyone's mobile phone text messages. For example, it targets jealous boyfriends with taglines such as "Do you really trust her?" and "Are you sure you want to know?" in the email spam used to spread links to the latest Waledac domains. On the website, the "Download Free Trial" link leads to the malware executable.

When executed, this Waledac variant behaves almost identically to the previous variant.

The websites used in this attack include:

  • adoresongsxx.com
  • antiterrorisxx.com
  • bakeloafxx.com
  • bestadorexx.com
  • bestcouponfreexx.com
  • bestjournalguidexx.com
  • bestlifeblogxx.com
  • bestlovehelpxx.com
  • bestlovelongxx.com
  • bestusablogxx.com
  • bluevalentineonlinexx.com
  • breakingnewsltdxx.com
  • chatloveonlinexx.com
  • cherishletterxx.com
  • chinamobilesmsxx.com
  • codecouponsitexx.com
  • coralarmxx.com
  • downloadfreesmsxx.com
  • easyworldnewsxx.com
  • freecolorsmsxx.com
  • freeservesmsxx.com
  • fryrollxx.com
  • funloveonlinexx.com
  • funnyvalentinessitexx.com
  • goldfixonlinexx.com
  • goodnewsdigitalxx.com
  • goodnewsreviewxx.com
  • greatcouponclubxx.com
  • greatsalesgroupxx.com
  • greatsvalentinexx.com
  • lastlabelxx.com
  • lovecentralonlinexx.com
  • lovelifeportalxx.com
  • miosmsclubxx.com
  • mobilephotoblogxx.com
  • moneymedalxx.com
  • nuovosmsxx.com
  • photoblogsitexx.com
  • romanticslovingxx.com
  • screenaliasxx.com
  • smsclubnetxx.com
  • smsdirettoxx.com
  • smspianetaxx.com
  • spacemynewsxx.com
  • tagdebtxx.com
  • thecoupondiscountxx.com
  • thevalentineloversxx.com
  • tntbreakingnewsxx.com
  • urbanfearxx.com
  • usabreakingnewsxx.com
  • virtualesmsxx.com
  • wealthleafxx.com
  • wirelessvalentinedayxx.com
  • worldlovelifexx.com
  • worshiplovexx.com
  • youradorexx.com
  • yourbarrierxx.com
  • yourgreatlovexx.com
  • yourvalentinedayxx.com
  • yourvalnetinepoemsxx.com

All domains are registered in China. They resolve to different IP addresses every time they are visited. The filenames are also rotated. Some of the filenames used in this wave are:

  • trial.exe
  • sms.exe
  • smsreader.exe
  • freetrial.exe
  • free.exe
  • promo.exe

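The two infrastructure traits described above, domains whose answers change on every lookup and a small set of rotating executable names, are both things a defender can alert on from ordinary DNS and proxy logs. The following is an added example, not SonicWALL's code: it applies a simple fast-flux heuristic (the share of lookups for a name that returned a previously unseen address) to constructed resolver records, then cross-checks constructed proxy lines against the masked domains and filenames listed in this alert. The log formats, thresholds and IP addresses (RFC 5737 documentation ranges) are assumptions made for the illustration; the domain set is a subset of the list above, written exactly as the alert masks it.

```python
"""Fast-flux and rotating-filename heuristics for the Waledac wave above.

Added example, not SonicWALL's code. DNS answers, proxy lines, thresholds
and log formats are constructed assumptions for illustration only.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Subset of the masked domains from the alert (full list in the post).
WALEDAC_DOMAINS = set("""
downloadfreesmsxx.com freecolorsmsxx.com freeservesmsxx.com smsclubnetxx.com
chinamobilesmsxx.com miosmsclubxx.com nuovosmsxx.com smsdirettoxx.com
smspianetaxx.com virtualesmsxx.com
""".split())

# Executable names the alert reports being rotated in this wave.
WALEDAC_FILENAMES = {"trial.exe", "sms.exe", "smsreader.exe",
                     "freetrial.exe", "free.exe", "promo.exe"}

# Constructed resolver log: (timestamp, queried name, answer IP).
DNS_LOG = [
    ("2009-04-15T10:00:01", "downloadfreesmsxx.com", "192.0.2.10"),
    ("2009-04-15T10:05:12", "downloadfreesmsxx.com", "198.51.100.77"),
    ("2009-04-15T10:11:40", "downloadfreesmsxx.com", "203.0.113.5"),
    ("2009-04-15T10:20:03", "downloadfreesmsxx.com", "192.0.2.200"),
    ("2009-04-15T10:01:00", "example.com", "192.0.2.1"),
    ("2009-04-15T10:30:00", "example.com", "192.0.2.1"),
    ("2009-04-15T10:45:00", "example.com", "192.0.2.1"),
    ("2009-04-15T11:00:00", "smsclubnetxx.com", "203.0.113.9"),
    ("2009-04-15T11:02:00", "smsclubnetxx.com", "198.51.100.3"),
    ("2009-04-15T11:04:00", "smsclubnetxx.com", "192.0.2.44"),
]

# Constructed proxy log: "<ts> <client> <method> <url> <status>".
PROXY_LOG = """\
2009-04-15T10:05:13 10.0.0.15 GET http://downloadfreesmsxx.com/trial.exe 200
2009-04-15T10:06:00 10.0.0.15 GET http://downloadfreesmsxx.com/images/banner.gif 200
2009-04-15T11:03:10 10.0.0.22 GET http://smsclubnetxx.com/smsreader.exe 200
2009-04-15T11:10:00 10.0.0.30 GET http://example.com/index.html 200
2009-04-15T11:12:00 10.0.0.31 GET http://unlistedhost.test/promo.exe 200
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def flux_domains(dns_log, min_lookups=3, min_distinct_ratio=0.75):
    """Return {name: distinct_ip_count} for names whose answers differ on
    nearly every lookup, the behaviour the alert attributes to these domains.
    Names queried fewer than min_lookups times are ignored to avoid noise."""
    answers = defaultdict(list)
    for _ts, qname, ip in dns_log:
        answers[qname.lower().rstrip(".")].append(ip)
    flagged = {}
    for name, ips in answers.items():
        if len(ips) < min_lookups:
            continue
        distinct = len(set(ips))
        if distinct / len(ips) >= min_distinct_ratio:
            flagged[name] = distinct
    return flagged


def suspicious_downloads(proxy_lines, known_domains=WALEDAC_DOMAINS,
                         known_files=WALEDAC_FILENAMES, flux=None):
    """Return (client, host, filename, reasons) for each proxy line that
    touches a listed domain, a fast-flux host from flux_domains(), or
    fetches one of the rotated filenames from any host."""
    hits = []
    for line in proxy_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        url = urlparse(m["url"])
        host = url.hostname or ""
        fname = url.path.rsplit("/", 1)[-1].lower()
        reasons = []
        if host in known_domains:
            reasons.append("listed-domain")
        if flux and host in flux:
            reasons.append("fast-flux")
        if fname in known_files:
            reasons.append("listed-filename")
        if reasons:
            hits.append((m["client"], host, fname, tuple(reasons)))
    return hits


if __name__ == "__main__":
    flux = flux_domains(DNS_LOG)
    for hit in suspicious_downloads(PROXY_LOG, flux=flux):
        print(hit)
```

A filename-only match (the last proxy line) is the weakest signal, since names like `free.exe` also occur legitimately; treat it as a lead for triage rather than a block decision, whereas a listed domain or a fast-flux host combined with an executable download is worth an immediate alert.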
SonicWALL Gateway Antivirus detects this new Waledac variant proactively with the GAV: Waledac.gen.2 (Trojan) signature. This generic signature, added on April 13, 2009, catches 253 different variants of Waledac and has recorded 23,387 hits so far.

Screenshot of the malicious website (image not reproduced in this text).