Malicious Code Alert

Worm: W32.Waledac

 
Threat Type:IntelliShield: Malicious Code Alert
IntelliShield ID:17327
Version:10
First Published:2008 December 23 21:50 GMT
Last Published:2009 March 23 21:13 GMT
Port: 80
Urgency:Probable Use
Credibility:Confirmed
Severity:Moderate Damage
 
Version Summary:

Additional technical details are available to describe W32.Waledac.

 
Aliases/Variants

Variants are not available.

Virus Name:

W32.Waledac (Aliases include Win32/Waledac.AJ (CA), W32/Waledac.A (F-Secure), W32/Waledac (McAfee), W32/Waled-B (Sophos), W32/Waled-D (Sophos), and W32/Waledac.gen.b (McAfee).)

 

Description
 

W32.Waledac is a worm that attempts to open a back door on an infected system.  The worm propagates by sending a copy of itself to e-mail addresses found on the infected system.

The worm may arrive on the system as the ecard.exe attachment in an e-mail message.  The worm has been known to arrive as numerous other .exe files as indicated in the warning indicators section of this alert.  The worm modifies the system registry to ensure it runs each time Windows starts.  The worm searches the infected system for e-mail addresses on all system files except for those that contain the following extensions:

.avi
.mov
.wmv
.mp3
.wave
.wav
.wma
.ogg
.vob
.jpg
.jpeg
.gif
.bmp
.exe
.dll
.ocx
.class
.msi
.zip
.7z
.rar
.jar
.gz
.hxw
.hxh
.hxn
.hxd

The worm then attempts to access the websites of numerous banking entities, including institutions that are located in the following countries:

France
Germany
Australia
Andorra
Spain
Romania
United Kingdom
United States
Malta
Cyprus
Greece
Luxembourg
Switzerland
Belgium

Once a site is accessed, the worm attempts to gather confidential information, such as login credentials.  Any gathered data, including e-mail addresses, is stored in a file with an .htm, .png, or .php extension.  The worm encrypts the file and transmits it to one of several IP addresses via an HTTP POST request.  The worm may also end processes, download updates and other files, and send messages to e-mail addresses gathered from the infected system.


Impact
 

W32.Waledac may download files on an infected system and provide an attacker with unauthorized access.  The worm has a mass-mailing routine, which could cause network congestion and flood e-mail servers.  The worm also attempts to steal confidential information that is related to numerous online banking entities.


Warning Indicators
 

W32.Waledac may arrive in an e-mail attachment as the file ecard.exe.  The worm may also be distributed on malicious websites and e-mail attachments as one of the following files:

doc.exe
statement.exe
obamaspeech.exe
blog.exe
barack.exe
usa.exe
baracknews.exe
pdf.exe
news.exe
obamasblog.exe
barakblog.exe
president.exe
obamanews.exe
you.exe
card.exe
cardviewer.exe
devkit.exe
download.exe
install.exe
lovecard.exe
loveprogramm.exe
loveu.exe
luv.exe
programm.exe
vcard.exe
viewer.exe

The following websites are known to distribute copies of W32.Waledac:

http://www.blackchristmascard.com
http://www.superyearcard.com
http://www.greetingcardgarb.com
http://www.greatobamaguide.com
http://store.greatobamaguide.com
http://wwww.superobamadirect.com
http://www.newmediayearguide.com
http://www.bestchristmascard.com
http://www.decemberchristmas.com
http://www.bestyearcard.com
http://www.newyearcardfree.com
http://www.superchristmasday.com
http://www.cheapdecember.com
http://www.worldgreetingcard.com
http://www.topgreetingsite.com
http://www.themirabellaguide.com
http://www.newyearcardservice.com
http://www.freedecember.com
http://www.smartcardgreeting.com
http://www.holidayxmas.com
http://www.greatobamaonline.com
http://www.superobamadirect.com
http://www.itsfatherchristmas.com
http://www.superchristmaslights.com
http://www.greetingsupersite.com
http://www.directchristmasgift.com
http://www.livechristmascard.com
http://www.livechristmasgift.com
http://www.christmaslightsnow.com
http://www.freechristmassite.com
http://www.yourmirabelladirect.com
http://www.justchristmasgift.com
http://www.greatmirabellasite.com
http://www.freechristmasworld.com
http://www.youryearcard.com
http://www.bestmirabella.com
http://www.themirabellahome.com
http://www.lifegreetingcard.com
http://www.mirabellaclub.com
http://www.wordnewsdot.com
http://www.adorelyric.com
http://www.adorepoem.com
http://www.adoresong.com
http://www.adoresongs.com
http://www.bestadore.com
http://www.bestlovehelp.com
http://www.bestlovelong.com
http://www.chatloveonline.com
http://www.cherishletter.com
http://www.cherishpoems.com
http://www.funloveonline.com
http://www.lovecentralonline.com
http://www.lovelifeportal.com
http://www.orldlovelife.com
http://www.romanticsloving.com
http://www.whocherish.com
http://www.worldlovelife.com
http://www.worshiplove.com
http://www.youradore.com
http://www.yourdatabank.com
http://www.yourgreatlove.com
http://www.yourteamdoc.com

The worm may arrive as an attachment to an e-mail that uses one of the following subject lines:

  • A Christmas card from a friend
  • A special card just for you
  • Christmas Ecard Notification
  • Christmas Ecard Special Delivery
  • Christmas Wishes!
  • Christmas card for you
  • Christmas greetings e-card is waiting for you
  • Christmas greetings for you
  • Christmas greetings from your friend
  • Greeting for you!
  • Happy Christmas!
  • Have a warm an lovely Christmas!
  • I made an Ecard for U!
  • I sent you the ecard
  • Joyful Christmas!
  • Merry Christmas 'N Happy New Year!
  • Merry Christmas 2009!
  • Merry Christmas To You!
  • Merry Christmas card for you!
  • Merry Christmas e-card is waiting for you
  • Merry Christmas greetings for you
  • Merry Christmas wishes just for you
  • Merry Christmas!
  • Merry Xmas!
  • Warmest Wishes For Christmas!
  • Wish You A Merry Christmas!
  • Xmas card for you
  • Xmas card is waiting for you
  • You Have An E-card Waiting For You!
  • You Received an Ecard.
  • You have a Christmas Greeting!
  • You have a greeting card
  • You have received a Christmas E-card
  • You have received a Christmas greetings card
  • You have received an E-card
  • You've got a Christmas E-card
  • You've got a Christmas greetings card
  • You've got a Merry Christmas E-card
  • You've got a Merry Christmas greeting card
  • You've got a Xmas e-card
  • You've got an e-card
  • I give my heart to you
  • Wanna kiss you
  • I belong to you
  • You are the ONE
  • Angelica has sent you a Valentine's Day E-card!
  • A Valentine's Day E-Card from Griffith
  • Greetings from Agatha

The messages may contain one of the following sample text sections in the body of the e-mail:

Angelica just sent you a greet e-card and wrote to you:
"Yeah I Love You"
Click on the link below to view your Valentine's Day card:
%link to worm%
Webmaster, 123ChristmasCards.

Griffith chose for you a Valentine's Day greeting card and wrote for you:
"Will you be my fellow this Valentine?"
Click the above link to view the page!  If you can't click it, copy and paste it into your browser:
%link to worm%
Webmaster, Jib Jab.

Agatha has mailed happy Valentine's Day Card and wrote for you:
"I LOVE YOU HONYEE"
Click here to view your Valentine card:
%link to worm%
Regards, egreetings.com

Personal firewall applications may display a notification message when the worm attempts to connect to the Internet to communicate with an attacker.

Host intrusion detection/prevention system software may display a notification when W32.Waledac attempts to execute or make modifications to the system.


Technical Information
 

W32.Waledac adds the value PromoReg = "%path to executable%" to the following registry key to ensure it runs each time Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The worm may add the following values to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion registry key as an infection marker:

RList = "%hexadecimal value%"
MyID = "%hexadecimal value%"
LastCommandId = "%hexadecimal value%"
FWDone = "%hexadecimal value%"
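The persistence value and infection markers above can be checked offline from a registry export, which is often more convenient during triage than querying a live, possibly still-infected host.  The following Python script is an added example, not Cisco's or any antivirus vendor's tooling: it parses the text that `reg export` writes, then looks for the PromoReg value under the Run key and the four marker values under HKCU\Software\Microsoft\Windows\CurrentVersion.  The sample export embedded in the script is constructed for the demonstration; the paths in it are not real indicators.

```python
"""Offline triage of an exported registry hive for the W32.Waledac
persistence entry and infection markers listed in the alert.

Added example, not Cisco's or any vendor's code. The .reg text below is
constructed for the demo; on a real host you would produce it with
    reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg
    reg export HKCU\Software\Microsoft\Windows\CurrentVersion cv.reg
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
CV_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
PERSISTENCE_VALUE = "PromoReg"
MARKER_VALUES = ("RList", "MyID", "LastCommandId", "FWDone")

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Parse 'reg export' output into {key: {value_name: raw_data}}.

    Handles the encodings that matter here: quoted strings, dword:, and
    hex:/hex(n): byte lists, which may continue over several lines that
    end in a backslash.
    """
    hives = {}
    current = None
    pending_name, pending_data = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending_name is not None:          # continuation of a hex: value
            pending_data += line.rstrip("\\")
            if not line.endswith("\\"):
                hives[current][pending_name] = pending_data
                pending_name = None
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            hives.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group("name"), m.group("data")
            if data.endswith("\\"):           # first line of a multi-line value
                pending_name, pending_data = name, data.rstrip("\\")
            else:
                hives[current][name] = data
    return hives


def _unquote(data):
    """Turn a .reg string literal ("C:\\path") into its plain value."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return data


def find_waledac_indicators(hives):
    """Return (key, value_name, data) for every indicator present."""
    hits = []
    run_values = hives.get(RUN_KEY, {})
    if PERSISTENCE_VALUE in run_values:
        hits.append((RUN_KEY, PERSISTENCE_VALUE, _unquote(run_values[PERSISTENCE_VALUE])))
    cv_values = hives.get(CV_KEY, {})
    for name in MARKER_VALUES:
        if name in cv_values:
            hits.append((CV_KEY, name, cv_values[name]))
    return hits


# Constructed sample of what the two exports might contain on an infected host.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PromoReg"="C:\\Documents and Settings\\user\\ecard.exe"
"SecurityCenterAgent"="C:\\Program Files\\AV\\agent.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"MyID"=hex:3a,1f,8c,00,55,ee,\
  9b,02
"FWDone"=dword:00000001
"RList"=hex:de,ad,be,ef
"""

if __name__ == "__main__":
    for key, name, data in find_waledac_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(f"[!] {key}\\{name} = {data}")
```

A PromoReg hit is the stronger signal, since it names the executable that was launched at boot; the HKCU markers alone identify a profile that was infected at some point, so a clean Run key with markers present still warrants a look at the user's other autostart locations.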


IntelliShield Analysis
 

Reports indicate that W32.Waledac is generating thousands of variants each day to improve its ability to evade detection.  These reports have not been confirmed.

Some versions of W32.Waledac terminate active instances of Wireshark on infected systems.  Wireshark is an application that allows administrators to observe and identify network traffic.  The application is commonly used to monitor suspicious behavior on systems.  This routine could make diagnostic and recovery activities more difficult for administrators. 

The IronPort Threat Operations Center reported numerous virus outbreaks for this worm in the months of December, 2008, January and February, 2009.  Details for these outbreaks are available in the following alerts:

IntelliShield Alert 17337 
IntelliShield Alert 17421
IntelliShield Alert 17586

W32.Waledac shares several similarities with the Storm worm, which is documented in IntelliShield alert 14009.  The code itself is different; however, both worms generate and send spam, handle communications, and exchange data in a similar manner.  For instance, both use the a= and b= fields in HTTP POST requests to transmit data between infected systems and the command and control server.  This communication may use a custom version of the HTTP protocol.  Remote attackers can use a SOCKS proxy over port 80 to control systems that are infected by W32.Waledac.  The Cisco IPS team has developed signatures to block the worm based on the current research.
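The traffic shape described above (a POST to port 80, a= and b= fields in the body, a target that ends in one of the .htm, .png, or .php extensions mentioned under Description) can be matched without a full IPS.  The following Python detector is an added example, not Cisco IPS signature 15193 or any vendor's code.  The alert does not give the exact wire format of the check-in, so the shape matched here is an assumption drawn from its wording, and the three sample requests are constructed rather than captured.

```python
"""Flag HTTP POST requests shaped like the bot check-in this alert
attributes to Waledac and Storm: a POST over port 80 whose body carries
a= and b= fields and whose target path ends in .htm, .png or .php.

Added example, not Cisco's IPS signature or any vendor's code. The
requests below are constructed; the alert does not give the exact wire
format, so the matched shape is an assumption drawn from its text.
"""
from urllib.parse import urlsplit

C2_PATH_SUFFIXES = (".htm", ".png", ".php")


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body),
    or return None when the request line is not even superficially HTTP."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body


def form_fields(body):
    """Field names of a form-encoded body, in order.  Values are left alone:
    in the check-in the a= payload is an opaque encrypted blob."""
    names = []
    for chunk in body.split("&"):
        name, eq, _ = chunk.partition("=")
        if eq:
            names.append(name)
    return names


def is_waledac_checkin(raw, dst_port=80):
    """True when the request matches the check-in shape described above.
    Tune the path and port tests against your own traffic before deploying."""
    parsed = parse_http_request(raw)
    if parsed is None or dst_port != 80:
        return False
    method, target, _headers, body = parsed
    if method != "POST":
        return False
    if not urlsplit(target).path.lower().endswith(C2_PATH_SUFFIXES):
        return False
    names = form_fields(body)
    return "a" in names and "b" in names


# Constructed samples, not captured traffic.
CHECKIN = (
    "POST /update.htm HTTP/1.1\r\n"
    "Host: 203.0.113.7\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "a=kJ8Fz1QmLp0x3vR2t9Yw&b=3a1f8c"
)
LOGIN = (
    "POST /login.php HTTP/1.1\r\n"
    "Host: intranet.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=alice&pass=hunter2"
)
IMAGE = "GET /logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("checkin", CHECKIN), ("login", LOGIN), ("image", IMAGE)):
        print(f"{label:8s} suspicious={is_waledac_checkin(req)}")
```

Two-letter field names are common in legitimate forms, so the path-extension and port tests are what keep the false-positive rate tolerable; a production rule would also key on the destination being a bare IP address rather than a hostname, which the Description section says is how the worm addresses its drop points.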

According to research from Cisco Security Intelligence Operations, W32.Waledac is the likely successor or variant of the Storm worm and botnet.  W32.Waledac uses HTTP to update its fast flux system, which hides the true origin of its command and control servers.  Updates are provided to the servers on a regular basis in the form of .php, .png, or .htm files.  Furthermore, infected machines that do not reside behind firewalls become DNS servers for the fast flux system, which is capable of generating massive amounts of DNS traffic.

W32.Waledac attempts to open a back door on the infected system.  The worm gathers e-mail addresses from the infected system and sends an e-mail message containing a copy of itself as an attachment to every gathered address.  Additionally, the worm attempts to establish a connection with any one address from a long list of IP addresses to send stolen information and download updates.  Typical malicious code connects to only a small, fixed set of IP addresses; the long list used by this worm makes blocking individual addresses far less effective.

The worm is propagating via e-mail messages that use holiday-themed subject lines and ecard.exe as the attachment.  Malicious code authors often use these tactics during holiday seasons and other events to entice trusting users into executing malicious attachments.  The worm is also propagating using Barack Obama-related e-mail messages, which are documented in IntelliShield Threat Outbreak Alert 17421.  The worm is also being distributed in Valentine's Day-themed e-mails with subject lines such as I give my heart to you and You are the ONE.  The body of the message contains malicious URLs that direct the user to a website that is hosting a copy of the worm.

One of the more inventive propagation methods used by Waledac involves convincing a user to download a Valentine's Day-themed development kit called the Valentine Devkit.  The spam messages arrive with an image of two puppies holding a heart.  The message reminds recipients that Valentine's Day is approaching and suggests they use the Valentine Devkit to create a custom card.  The hyperlink to the kit actually directs users to W32.Waledac.  This method differs from the usual e-card approach, which is overused by malware authors and fairly well known to users.

Rule-based and application-based firewalls are likely to prevent or limit the impact of this worm.  Rule-based firewalls are typically set up by an administrator for an entire network.  These firewalls are often set up to block all traffic entering and exiting a network except traffic traveling through ports needed for production.  Application-based firewalls are often found on client systems and can be configured to allow certain services and processes to access the Internet or local network.  These firewalls can be configured to prompt a user each time a new process or service is attempting to access the Internet or local network.  Both types of firewalls may prevent malicious code from downloading updates or additional files.  The firewalls may also prevent the malicious code from contacting an attacker or website and from accessing local network resources.

Most host intrusion detection/prevention system software can be configured to warn users when suspicious activity occurs on their systems.  This software can be configured to prevent this type of worm from attempting to execute their infection routines.  Host intrusion detection/prevention system software may also be configured to prompt a user when suspicious activity occurs.  Often users can choose whether to allow or deny the activity in question.  These factors will limit the infection rate and impact on most systems.

Security best practices dictate that administrators should restrict file formats commonly associated with malicious code from entering the corporate network.  User education focused on avoiding malicious code attacks and responding in the case of infection is of equal importance.


Safeguards
 

Develop and maintain corporate policies and procedures to mitigate the risk of malicious code.

Block all file attachments except those specifically required for business purposes.
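The safeguard above, combined with the attachment names and subject lines listed under Warning Indicators, is enough to stop every delivery route this alert describes except the link-only lure, which it can at least flag.  The following Python mail-gateway check is an added example, not Cisco's or any mail vendor's code: it applies a default-deny attachment policy with an explicit allow list and matches a subset of the alert's indicators.  The messages are constructed with the standard library, and the allow list, the chosen subset of indicators, and the block/flag/pass decision are assumptions made for the demonstration.

```python
"""Gate an inbound message on the indicators listed in this alert: a
default-deny attachment policy with an explicit allow list, plus the
Waledac lure subject lines and attachment names from Warning Indicators.

Added example, not Cisco's or any mail vendor's code. The messages are
constructed with the standard library; the allow list, the subset of
indicators carried here and the block/flag/pass decision are assumptions
for the demo.
"""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subset of the lure names and subjects from the alert, lower-cased for matching.
WALEDAC_ATTACHMENTS = {
    "ecard.exe", "doc.exe", "statement.exe", "pdf.exe", "card.exe",
    "cardviewer.exe", "devkit.exe", "lovecard.exe", "vcard.exe", "viewer.exe",
}
WALEDAC_SUBJECTS = {
    "you have received an e-card", "merry christmas 2009!",
    "i give my heart to you", "wanna kiss you", "i belong to you", "you are the one",
}
# Assumed allow list: anything not on it is refused, per the safeguard above.
ALLOWED_EXTENSIONS = frozenset({".pdf", ".docx", ".xlsx", ".txt"})


def attachment_names(msg):
    """File names of every attachment part, as declared by the sender."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def evaluate(msg, allowed=ALLOWED_EXTENSIONS):
    """Return ("block" | "flag" | "pass", reasons)."""
    reasons, block = [], False
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in WALEDAC_SUBJECTS:
        reasons.append(f"known lure subject: {subject!r}")
    for name in attachment_names(msg):
        # splitext keeps only the last extension, so card.jpg.exe is judged as .exe
        ext = os.path.splitext(name)[1].lower()
        if name.lower() in WALEDAC_ATTACHMENTS:
            reasons.append(f"known Waledac attachment name: {name}")
        if ext not in allowed:
            reasons.append(f"attachment type not on allow list: {name}")
            block = True
    if block:
        return "block", reasons
    return ("flag" if reasons else "pass"), reasons


def build_message(subject, body, attachment=None):
    """Construct a message and round-trip it through the parser, so evaluate()
    sees exactly what a gateway would see on the wire."""
    m = EmailMessage()
    m["From"] = "friend@example.net"
    m["To"] = "you@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return BytesParser(policy=policy.default).parsebytes(m.as_bytes())


# Constructed samples.
LURE = build_message("You have received an E-card", "Open the attached card!",
                     ("ecard.exe", b"MZ\x90\x00 constructed, not a real binary"))
LINK_ONLY = build_message("I give my heart to you",
                          "Angelica just sent you a greet e-card: http://example.invalid/card")
DOUBLE_EXT = build_message("Photos from the weekend", "see attached",
                           ("holiday.jpg.exe", b"MZ constructed"))
BENIGN = build_message("Q4 figures", "attached as discussed",
                       ("q4.pdf", b"%PDF-1.4 constructed"))

if __name__ == "__main__":
    for label, msg in (("lure", LURE), ("link-only", LINK_ONLY),
                       ("double-ext", DOUBLE_EXT), ("benign", BENIGN)):
        verdict, why = evaluate(msg)
        print(f"{label:10s} {verdict:5s} {why}")
```

Note that the allow list is judged on the declared file name only; a real gateway should also type the attachment by content, since a renamed executable inside an archive is exactly what the "scan three levels deep on compressed files" safeguard below is aimed at.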

Use current and well-configured antivirus products at multiple levels in the environment.  Configure antivirus products to scan all files and provide full-time or auto-protect functions.  Configure antivirus products to scan three levels deep on compressed files.

Configure auto-update features to update daily or manually update antivirus signatures.  Establish procedures for immediate antivirus updating in response to high-risk malicious code outbreaks.

Conservatively configure mail perimeter servers, routers, firewalls, and personal computers.  Disable all unnecessary products, features, and sharing.  Install all security-relevant patches and upgrades as available.

Configure network access controls to establish a default deny posture by limiting incoming and outgoing traffic and limiting network services to those required for business operations only.

Establish supplemental protection for remote and mobile users.  Include daily updated antivirus, personal firewalls, and network address translation on corporate routers or firewalls.

Provide initial and continuing education to all levels of users throughout the organization.

Network monitoring tools may assist administrators in detecting heavy DNS traffic that may indicate compromised systems.
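The analysis section notes that unfirewalled infected hosts become DNS servers for the fast-flux system and generate large volumes of DNS traffic; the safeguard above is the corresponding detection.  The following Python script is an added example, not Cisco's or any vendor's code, and shows two checks over a resolver query log: clients whose query rate is far above normal, and names whose A records churn through many addresses on short TTLs.  The log lines are constructed in a whitespace-separated format assumed for the demonstration (epoch seconds, client, qname, qtype, answer, TTL); the parser is the only part that needs changing for a real resolver's format.

```python
"""Two checks over a resolver query log for the symptoms this alert ties to
the Waledac fast-flux network: hosts emitting unusually heavy DNS query
volume, and names whose A records churn through many addresses on short
TTLs.

Added example, not Cisco's or any vendor's code. The log lines are
constructed in a whitespace-separated format assumed for the demo
(epoch-seconds client qname qtype answer ttl); adapt parse_dns_log() to
whatever your resolver actually writes.
"""
from collections import Counter, defaultdict


def parse_dns_log(text):
    """Parse the assumed log format into tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        ts, client, qname, qtype, answer, ttl = fields
        records.append((int(ts), client, qname.lower().rstrip("."),
                        qtype.upper(), answer, int(ttl)))
    return records


def heavy_talkers(records, window_seconds=60, threshold=100):
    """Clients issuing more than `threshold` queries inside one fixed window.
    A desktop that suddenly behaves like a resolver is the host to look at."""
    buckets = Counter()
    for ts, client, *_ in records:
        buckets[(client, ts // window_seconds)] += 1
    return sorted({client for (client, _), n in buckets.items() if n > threshold})


def fast_flux_candidates(records, min_distinct_ips=5, max_ttl=300):
    """Names that resolved to at least `min_distinct_ips` different A records,
    every one of them with a TTL at or below `max_ttl`."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for _ts, _client, qname, qtype, answer, ttl in records:
        if qtype == "A":
            ips[qname].add(answer)
            ttls[qname].append(ttl)
    return sorted(q for q, seen in ips.items()
                  if len(seen) >= min_distinct_ips and max(ttls[q]) <= max_ttl)


def _build_sample_log():
    """Constructed log: one host bursting 150 queries inside a minute for a
    name that answers from six addresses on a 60-second TTL, beside noise."""
    lines = []
    for i in range(150):
        lines.append(f"{1020 + i % 50} 10.0.0.5 superyearcard.com A 192.0.2.{10 + i % 6} 60")
    for i in range(3):
        lines.append(f"{1030 + i} 10.0.0.9 example.org A 198.51.100.1 3600")
    lines.append("1040 10.0.0.7 example.org MX mail.example.org 3600")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_LOG)
    print("heavy talkers:", heavy_talkers(recs))
    print("fast-flux candidates:", fast_flux_candidates(recs))
```

Set the query threshold from a baseline of your own clients rather than the demo value; content-delivery networks also hand out short TTLs and several addresses, so treat the fast-flux check as a lead to pair with the heavy-talker list, not as a verdict on its own.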


Patches/Software
 

The CA Virus Threat for Win32/Waledac.AJ, as well as the signature and engine information, is available at the following link: CA

The F-Secure Virus Description for W32/Waledac.A is available at the following link: Virus Description.  The latest definition updates are available at the following link: F-Secure 

The McAfee Virus Description for W32/Waledac is available at the following link: Virus Description.  DAT files 5475 and later are available at the following link: McAfee

The McAfee Virus Description for W32/Waledac.gen.b is available at the following link: Virus Description.  DAT files 5495 and later are available at the following link: McAfee

The Sophos Virus Analysis for W32/Waled-B is available at the following link: Virus Analysis.  The latest identity files are available at the following link: Sophos

The Sophos Virus Analysis for W32/Waled-D is available at the following link: Virus Analysis.  The latest identity files are available at the following link: Sophos 

Sophos has also released identity files that detect the following: W32/Waled-B, W32/Waled-C, W32/Waled-E, W32/Waled-F, W32/Waled-G, W32/Waled-H, W32/Waled-I, W32/Waled-J, W32/Waled-K, W32/Waled-L, W32/Waled-M, W32/Waled-N, W32/Waled-O, W32/Waled-P, W32/Waled-Q, W32/Waled-R, W32/Waled-S, W32/Waled-T, W32/Waled-V, W32/Waled-W, W32/Waled-X, W32/Waled-AN, W32/Waled-AF, W32/Waled-AG, W32/Waled-AH, W32/Waled-AI, W32/Waled-AD, W32/Waled-AE, and Troj/Waled-AB

The Symantec Security Response for W32.Waledac is available at the following link: Security Response.  The latest protection included in virus definitions for Intelligent Updater and for LiveUpdate is available at the following link: Symantec 


Signatures
 
Cisco Intrusion Prevention System (IPS) 6.0
Signature ID | Signature Name | Release | Latest Release Date
15193/0 | Waledac Trojan Activity | S609 | 2011 Nov 17
15193/1 | Waledac Trojan Activity | S379 | 2009 Jan 31
15193/2 | Waledac Trojan Activity | S589 | 2011 Aug 17

Cisco Small Business IPS
Signature ID | Signature Name | Release | Latest Release Date
SBIPS2009-000917 | Waledac Trojan Activity | SBIPS000001 | 2010 Jan 15
 
Alert History
 

Version 9, February 13, 2009, 1:27 PM: W32.Waledac is currently propagating as Valentine's Day themed e-mail messages.  The messages may contain a link to a supposed e-card or an attachment.  CA and Sophos have released virus definitions to detect aliases of W32.Waledac.

Version 8, February 9, 2009, 8:40 AM: McAfee has released virus definitions to detect W32/Waledac.gen.b, an alias of W32.Waledac.  Additional information is also available.

Version 7, February 2, 2009, 11:06 AM: Sophos has released virus definitions to detect aliases of W32.Waledac.  Additional information has also been provided.

Version 6, January 30, 2009, 5:15 PM: Cisco Security Intelligence Operations has released additional technical details from further analysis of traffic that is related to the W32.Waledac worm.

Version 5, January 30, 2009, 4:10 PM: Cisco Security Intelligence Operations has analyzed traffic that is related to the W32.Waledac worm.  The Cisco IPS team is currently developing a signature to block the worm based on the team's research, which indicates that the worm may be the successor or variant of the Storm worm.  The worm is currently propagating in e-mail messages that reference Barack Obama or the Valentine's Day holiday.

Version 4, December 31, 2008, 1:22 PM: Sophos has released virus definitions that detect W32/Waled-B and W32/Waled-D, aliases of W32.Waledac.

Version 3, December 26, 2008, 12:52 PM: McAfee has released virus definitions that detect W32/Waledac, an alias of W32.Waledac.

Version 2, December 24, 2008, 8:40 AM: F-Secure has released virus definitions to detect W32/Waledac.A, an alias of W32.Waledac.  Additional information has also been released.

Version 1, December 23, 2008, 4:50 PM: W32.Waledac is a worm that attempts to open a back door on the infected system.  Virus definitions are available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield | Malicious Code Alert | Original Release Base

Associated Products:
Microsoft, Inc. | Windows 2000 | Advanced Server Base, SP1, SP2, SP3, SP4 | Professional Base, SP1, SP2, SP3, SP4 | Server Base, SP1, SP2, SP3, SP4
Microsoft, Inc. | Windows Server 2003 | Datacenter Edition Base, SP1, SP2 | Datacenter Edition, 64-bit (Itanium) Base, SP1, SP2 | Datacenter Edition x64 (AMD/EM64T) Base, SP2 | Enterprise Edition Base, SP1, SP2 | Enterprise Edition, 64-bit (Itanium) Base, SP1, SP2 | Enterprise Edition x64 (AMD/EM64T) Base, SP2 | Standard Edition Base, SP1, SP2 | Standard Edition, 64-bit (Itanium) Base, SP1, SP2 | Standard Edition x64 (AMD/EM64T) Base, SP2 | Web Edition Base, SP1, SP2
Microsoft, Inc. | Windows Vista | Home Basic Base, SP1 | Home Premium Base, SP1 | Business Base, SP1 | Enterprise Base, SP1 | Ultimate Base, SP1 | Home Basic x64 Edition Base, SP1 | Home Premium x64 Edition Base, SP1 | Business x64 Edition Base, SP1 | Enterprise x64 Edition Base, SP1 | Ultimate x64 Edition Base, SP1
Microsoft, Inc. | Windows XP | Home Edition Base, SP1, SP2, SP3 | Professional Edition Base, SP1, SP2, SP3 | Professional Edition, 64-bit (Itanium) Base, 2003 (Itanium 2), SP1, SP2 | Professional x64 (AMD/EM64T) Base, SP2




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.