Home / malware Win32.Wallon.A@mm
First posted on 21 November 2011.
Source: BitDefenderAliases :
Win32.Wallon.A@mm is also known as Win32/Wallon.Worm, |, I-Worm.Wallon, |, WORM_WALLON.A, |, Win32.HLLW.Wallon.A.
Explanation :
This worm exploits two vulnerabilities: the ADODB.Stream object vulnerabilty in ActiveX and an URL obfuscation vulnerability in Internet Explorer
Recommended updates:
http://www.microsoft.com/technet/security/bulletin/MS04-004.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx
This worm comes by e-mail, has no attachment, but the body contains a link that apparently points to:
http://drs.yahoo.com/???????????/NEWS/
where ??????????? may be a valid domain.
Once the user has clicked on the false link, the ADODB.Stream exploit in a CHM file will download an executable file from the Internet (a downloader and hijacker) overwriting wmplayer.exe with it and will also execute the new downloaded file.
The downloader component will hijack the Internet Explorer start page and default search with:
http://www.google.com.super-fast-search.apsua.com/fast-find.htm
http://www.google.com.super-fast-search.apsua.com/search.htm
And will also create 5 buttons in Internet Explorer (named SEARCH, ENTERTAINMENT, PILLS, SECURITY, SEARCH) using the following registry entries:
[HKEY_LOCAL_MACHINESoftwareMicrosoftInternet ExplorerExtensions{c95fe080-8f5d-11d2-a20b-00aa003c157a}]
[HKEY_LOCAL_MACHINESoftwareMicrosoftInternet ExplorerExtensions{FE5A1910-F121-11d2-BE9E-01C04A7936B1}]
[HKEY_LOCAL_MACHINESoftwareMicrosoftInternet ExplorerExtensions{FE5A1910-F121-11d2-BE9E-01C04A7936B2}]
[HKEY_LOCAL_MACHINESoftwareMicrosoftInternet ExplorerExtensions{FE5A1910-F121-11d2-BE9E-01C04A7936B3}]
[HKEY_LOCAL_MACHINESoftwareMicrosoftInternet ExplorerExtensions{FE5A1910-F121-11d2-BE9E-01C04A7936B4}]
[HKEY_LOCAL_MACHINESoftwareMicrosoftInternet ExplorerExtensions{FE5A1910-F121-11d2-BE9E-01C04A7936B5}]
pointing to:
http://www.google.com.super-fast-search.apsua.com/find.htm
http://www.google.com.super-fast-search.apsua.com/av.htm
http://www.google.com.super-fast-search.apsua.com/med.htm
http://www.google.com.super-fast-search.apsua.com/check.htm
http://www.google.com.super-fast-search.apsua.com
Next, it attempts to download from internet and execute another file, to c:/alpha.exe (150,528 bytes)
Once run, alpha.exe attempts to find e-mail addresses and sends an e-mail like the one described above.
Note: this worm appears to be part of a scam, involving a dialer and also using various distribution languages.Last update 21 November 2011