
Win32/Waledac


First posted on 16 April 2009.
Source: SecurityHome

Aliases :

Win32/Waledac is also known as W32/Waledac.gen (McAfee) and W32.Waledac (Symantec).

Explanation :

Win32/Waledac is a trojan that is used to send spam. It also has the ability to download and execute arbitrary files, harvest email addresses from the local machine, perform denial of service attacks, proxy network traffic and sniff passwords.

Symptoms
System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following registry values (PromoReg, MyID and RList are values, not subkeys):
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PromoReg
    or HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PromoReg
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\MyID
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RList


    Installation
    In the wild, links to malicious Web sites hosting the trojan have been distributed via spam e-mail messages. The messages use lures drawn from current events such as holidays and historical, social and political events. If a user visits the link to the site hosting Win32/Waledac, the user could accidentally or unknowingly execute the trojan.

    This trojan does not copy itself to specific folders, but it modifies the registry so that it is executed at each Windows start:

    Adds value: "PromoReg"
    With data: "<Win32/Waledac filename>"
    To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    If the trojan is unable to add the value and data to the HKLM hive (writing there requires administrative rights), it uses HKCU instead:

    Adds value: "PromoReg"
    With data: "<Win32/Waledac filename>"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Win32/Waledac makes additional registry modifications:

    Adds value: "MyID"
    With data: <random hexadecimal string>
    To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion

    Adds value: "RList"
    With data: <random hexadecimal string>
    To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion

    Payload
    Gathers E-mail Addresses
    When run, Win32/Waledac collects e-mail addresses found inside files stored on the infected computer. It searches fixed and remote drives for files to target, ignoring files with the following file extensions:

    Archive files: .7z, .gz, .zip, .rar, .jar, .hxw, .hxh, .hxn, .hxd
    Media files: .avi, .mov, .wmv, .mp3, .wave, .wav, .wma, .ogg, .vob, .png, .jpg, .jpeg, .gif, .bmp
    Executable files: .exe, .dll, .ocx, .class, .msi

    Modifies System Security Settings
    Depending on how the affected machine is networked, Waledac may add itself to the Windows Firewall Authorized Applications list in order to bypass the firewall when accessing the Internet. It adds the following three exceptions to the list under the name "Promo":
  • Communications via TCP port 80
  • Communications via UDP port 53
  • Communications from the Waledac executable itself
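    The registry changes above (the PromoReg Run value, the MyID and RList values, and the "Promo" firewall exceptions) can be triaged offline from a registry export taken during incident response. The following Python is an added example written for this page, not code from the original analysis or from Microsoft: it parses a constructed .reg export and reports the Waledac indicators it finds. The sample export, the file name promo.exe and the user profile path are constructed. The page does not say where Windows Firewall stores the "Promo" exceptions; the FirewallPolicy\StandardProfile\GloballyOpenPorts\List and AuthorizedApplications\List keys used here are an assumption based on the Windows XP SP2 registry layout and should be confirmed against the host being examined.

```python
"""Triage a Windows registry export (.reg) for the Win32/Waledac indicators
described on this page. Added example, not part of the original advisory."""
import re
from typing import Dict, List, Tuple

# Constructed sample export: the three Waledac registry indicators plus the
# "Promo" firewall exceptions, mixed with one benign Run entry. The
# FirewallPolicy key paths are an ASSUMPTION (XP SP2-era layout); the page
# only names the exceptions, not where they are stored.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"BenignUpdater"="C:\\Program Files\\Vendor\\updater.exe"
"PromoReg"="C:\\Documents and Settings\\user\\promo.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion]
"MyID"="a94f0c3e7b1d"
"RList"="0f1e2d3c4b5a69788796a5b4c3d2e1f0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP"="80:TCP:*:Enabled:Promo"
"53:UDP"="53:UDP:*:Enabled:Promo"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\user\\promo.exe"="C:\\Documents and Settings\\user\\promo.exe:*:Enabled:Promo"
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_UNESCAPE = re.compile(r"\\(.)")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} from a .reg export.
    Only quoted (REG_SZ) data is unescaped; other types are kept verbatim."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = _UNESCAPE.sub(r"\1", m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _UNESCAPE.sub(r"\1", data[1:-1])
            keys[current][name] = data
    return keys


# Registry paths are case-insensitive, so everything is compared lower-cased.
_RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
_CV_KEY = r"hkey_current_user\software\microsoft\windows\currentversion"


def find_waledac_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (category, key_path, detail) for every Waledac indicator present."""
    hits: List[Tuple[str, str, str]] = []
    for path, values in keys.items():
        lpath = path.lower()
        lvalues = {n.lower(): (n, d) for n, d in values.items()}
        # Persistence: "PromoReg" under the HKLM or HKCU Run key.
        if lpath in _RUN_KEYS and "promoreg" in lvalues:
            name, data = lvalues["promoreg"]
            hits.append(("persistence", path, f"{name} = {data}"))
        # Marker values MyID / RList under HKCU\...\CurrentVersion.
        if lpath == _CV_KEY:
            for wanted in ("myid", "rlist"):
                if wanted in lvalues:
                    name, data = lvalues[wanted]
                    hits.append(("marker-value", path, f"{name} = {data}"))
        # Firewall exceptions registered under the name "Promo" (assumed key layout).
        if "\\firewallpolicy\\" in lpath:
            for name, data in values.items():
                if data.lower().endswith(":enabled:promo"):
                    hits.append(("firewall-exception", path, f"{name} = {data}"))
    return hits


if __name__ == "__main__":
    for category, path, detail in find_waledac_indicators(parse_reg(SAMPLE_REG)):
        print(f"[{category}] {path}\n    {detail}")
```

    Run it against a real export with `reg export HKLM hklm.reg` and `reg export HKCU hkcu.reg` from the suspect host, then feed the file contents to `parse_reg`. Value names in the registry are case-insensitive, which is why the lookup lower-cases them; a variant that writes "promoreg" instead of "PromoReg" would otherwise slip past an exact-match check.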
    Steals Sensitive Data
    Waledac attempts to steal sensitive data in transit, which may include user names and passwords. It targets the following protocols when attempting to capture sensitive data:
  • SMTP - port 25
  • POP - port 110
  • HTTP - port 80
  • FTP - port 21

    Distributes and Receives Remote Commands Via a Distributed P2P Network
    Waledac can distribute and receive commands from other computers infected with Waledac via its own peer-to-peer (P2P) network. Using this distributed method of unauthorized access and control of an affected machine, a remote attacker can perform the following actions:
  • Download and execute arbitrary files
  • Perform denial of service attacks against a specified target
  • Establish a SOCKS 5 proxy (which can be used for several purposes, including hiding the origin of malicious network activity)
  • Start an HTTP server on port 80
  • Start a DNS server on port 53
  • Send captured data to a remote location
  • Send e-mail messages after receiving configuration and targeting data

    Waledac is distributed with an initial list of peers to contact. It has been observed contacting the following IP addresses in this fashion:
    114.121.11.161
    114.121.94.207
    114.139.151.178
    114.240.77.108
    114.243.227.170
    114.30.78.72
    114.48.26.148
    114.48.35.20
    114.58.94.25
    115.42.67.168
    115.60.44.193
    116.24.168.139
    116.5.128.86
    116.71.173.72
    116.72.4.161
    116.72.52.141
    116.73.3.47
    116.74.113.5
    116.74.144.201
    116.74.180.211
    116.75.183.9
    117.102.44.30
    117.123.183.229
    117.195.100.160
    117.197.96.74
    117.198.1.67
    117.199.115.159
    117.20.186.215
    117.200.51.55
    117.24.158.214
    117.83.246.124
    117.92.80.209
    118.118.67.18
    118.127.217.220
    118.128.114.126
    118.129.59.133
    118.131.88.121
    118.38.17.7
    118.47.182.35
    118.95.99.129
    119.122.26.22
    119.154.20.130
    119.199.154.42
    119.205.8.140
    119.73.119.88
    119.99.22.50
    12.150.205.250
    120.136.97.101
    120.50.87.39
    121.127.80.231
    121.127.80.251
    121.134.122.81
    121.138.127.132
    121.139.167.150
    121.149.122.79
    121.166.7.96
    121.175.111.187
    121.189.139.242
    121.227.106.205
    121.246.217.107
    121.253.33.166
    121.254.47.208
    121.29.99.107
    121.61.33.138
    124.122.154.164
    124.123.96.207
    124.128.167.211
    124.135.80.106
    124.153.156.121
    124.153.206.90
    124.153.234.73
    124.199.7.179
    124.225.46.155
    124.244.14.154
    124.72.40.178
    124.80.227.126
    125.142.96.142
    125.162.68.217
    125.182.24.85
    125.209.17.183
    125.69.26.169
    125.99.155.243
    140.112.164.50
    140.129.29.53
    165.132.24.87
    165.194.59.92
    200.163.155.244
    200.241.188.251
    201.160.73.112
    201.214.15.243
    201.5.172.207
    210.0.47.10
    210.0.47.208
    210.108.199.211
    210.124.121.129
    210.181.231.216
    210.197.58.172
    210.2.39.76
    210.210.245.92
    210.4.125.182
    210.6.108.130
    210.93.101.23
    211.111.42.214
    211.162.211.45
    211.246.236.63
    211.247.51.24
    211.53.55.65
    211.55.159.63
    213.93.5.156
    217.120.224.190
    217.144.209.71
    217.162.74.225
    217.8.92.78
    220.164.197.91
    220.197.33.74
    220.226.36.237
    220.226.40.223
    221.124.70.181
    221.133.150.165
    221.137.83.234
    221.165.95.226
    24.118.126.63
    24.122.25.65
    24.13.237.40
    24.13.27.63
    24.79.177.228
    24.87.10.186
    59.126.29.61
    60.180.113.234
    60.223.169.190
    61.0.139.54
    61.102.212.18
    61.140.147.19
    61.187.142.35
    61.21.22.112
    61.221.97.205
    61.238.138.42
    61.244.107.17
    61.247.143.13
    61.247.69.217
    61.35.248.86
    61.47.206.90
    61.47.247.17
    61.5.16.245
    61.97.134.116
    64.38.80.181
    64.53.137.43
    65.28.6.131
    66.169.35.82
    66.178.64.133
    66.66.84.183
    67.191.81.183
    67.213.97.27
    68.146.148.152
    69.229.5.95
    70.121.201.5
    70.234.247.240
    71.72.145.205
    72.18.123.209
    76.122.130.170
    76.170.240.153
    76.186.203.78
    77.81.80.145
    80.191.155.88
    82.231.195.46
    83.226.56.24
    83.253.33.29
    83.86.119.114
    84.16.228.132
    85.170.190.210
    85.196.70.44
    85.9.88.222
    86.126.99.213
    86.3.128.70
    87.246.26.145
    88.134.163.181
    88.183.217.78
    88.216.29.47
    89.165.81.152
    89.204.23.72
    89.228.206.128
    89.234.220.89
    89.76.120.87
    93.123.6.132
    93.81.129.119
    99.237.49.68
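    Two of the behaviours above are visible from the network rather than the host: contact with the hard-coded seed peers, and the password sniffing on ports 25, 110, 80 and 21. The following Python is an added example written for this page, not code from the original analysis or from Microsoft. It matches constructed flow records against a subset of the peer list printed above (the full list on the page is much longer, and because the peers are themselves infected hosts such a list ages quickly, so the matching is kept separate from the data), and it lifts credentials from constructed cleartext sessions to show exactly what a sniffer on those four ports obtains: POP3 and FTP USER/PASS, SMTP AUTH PLAIN and HTTP Basic authentication. All addresses, hosts, user names and passwords are constructed; the benign destinations use RFC 5737 documentation ranges. The credential parser is deliberately simple (one client-to-server stream, first USER/PASS pair) rather than a full protocol decoder.

```python
"""Network-side triage for the Win32/Waledac behaviours described on this
page: contact with seed peers, and credentials recoverable from the cleartext
protocols it sniffs. Added example; all traffic below is constructed."""
import base64
import re
from typing import Dict, List, Tuple

# Subset of the initial peer list printed on this page (the page lists many more).
WALEDAC_SEED_PEERS = {
    "114.121.11.161", "117.102.44.30", "12.150.205.250", "140.112.164.50",
    "200.163.155.244", "217.8.92.78", "24.13.237.40", "99.237.49.68",
}

Flow = Tuple[str, str, int, str]  # (src_ip, dst_ip, dst_port, protocol)


def match_seed_peers(flows: List[Flow], peers=WALEDAC_SEED_PEERS) -> List[Flow]:
    """Return the flows whose destination is a known Waledac seed peer."""
    return [f for f in flows if f[1] in peers]


# Cleartext credential patterns for the four protocols Waledac sniffs.
_USER = re.compile(rb"^USER (\S+)\r?$", re.M)
_PASS = re.compile(rb"^PASS (\S+)\r?$", re.M)
_SMTP_PLAIN = re.compile(rb"^AUTH PLAIN (\S+)\r?$", re.M)
_HTTP_BASIC = re.compile(rb"^Authorization: Basic (\S+)\r?$", re.M | re.I)


def extract_cleartext_credentials(dst_port: int, payload: bytes) -> List[Tuple[str, str, str]]:
    """Pull (protocol, username, password) from one client->server stream."""
    found: List[Tuple[str, str, str]] = []
    if dst_port in (110, 21):
        proto = "POP3" if dst_port == 110 else "FTP"
        u, p = _USER.search(payload), _PASS.search(payload)
        if u and p:
            found.append((proto, u.group(1).decode(), p.group(1).decode()))
    elif dst_port == 25:
        for m in _SMTP_PLAIN.finditer(payload):
            # SASL PLAIN is base64 of: authzid NUL authcid NUL password
            parts = base64.b64decode(m.group(1)).split(b"\0")
            if len(parts) == 3:
                found.append(("SMTP", parts[1].decode(), parts[2].decode()))
    elif dst_port == 80:
        for m in _HTTP_BASIC.finditer(payload):
            user, _, pw = base64.b64decode(m.group(1)).partition(b":")
            found.append(("HTTP", user.decode(), pw.decode()))
    return found


# Constructed flow records: two to seed peers, two to documentation addresses.
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.5", "114.121.11.161", 80, "tcp"),
    ("10.0.0.5", "203.0.113.10", 443, "tcp"),
    ("10.0.0.7", "217.8.92.78", 53, "udp"),
    ("10.0.0.9", "198.51.100.53", 53, "udp"),
]

# Constructed client->server payloads, one per sniffed protocol plus a TLS
# stream on 443 to show that encrypted traffic yields nothing.
SAMPLE_STREAMS: List[Tuple[int, bytes]] = [
    (110, b"USER alice\r\nPASS hunter2\r\nSTAT\r\n"),
    (21, b"USER bob\r\nPASS s3cret\r\nPWD\r\n"),
    (25, b"EHLO mail\r\nAUTH PLAIN " + base64.b64encode(b"\0carol\0password") + b"\r\n"),
    (80, b"GET / HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
         + base64.b64encode(b"dave:qwerty") + b"\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xc4"),  # start of a TLS ClientHello
]


def triage(flows: List[Flow] = SAMPLE_FLOWS,
           streams: List[Tuple[int, bytes]] = SAMPLE_STREAMS) -> Dict[str, list]:
    """Summarise seed-peer contacts and exposed credentials for the sample data."""
    creds: List[Tuple[str, str, str]] = []
    for port, payload in streams:
        creds.extend(extract_cleartext_credentials(port, payload))
    return {"peer_contacts": match_seed_peers(flows), "credentials": creds}


if __name__ == "__main__":
    result = triage()
    for src, dst, port, proto in result["peer_contacts"]:
        print(f"seed peer contact: {src} -> {dst}:{port}/{proto}")
    for proto, user, pw in result["credentials"]:
        print(f"{proto} credential exposed: {user} / {pw}")
```

    The point of the second function is the defensive one: every credential it recovers is exactly what a host-level sniffer such as Waledac recovers, so the mitigation for the "Steals Sensitive Data" payload is to move mail and FTP clients to TLS-protected variants, after which the same traffic looks like the port-443 sample and nothing is lifted.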

    Analysis by Jireh Sanico and Scott Molenkamp

    Last update 16 April 2009

     
