Immediate Protection Info
| Signature | Product | Removal Instructions |
|---|---|---|
| 31.6.6348 | CA Antivirus 2007 | |
| 31.6.6348 | eTrust Antivirus v7/8* | |
| 7.x/6348 | eTrust EZ Antivirus 7.x | |
| 31.6.6348 | Vet 7 | |
Description
Win32/Waledac.AJ is a trojan that can steal information such as email addresses from affected systems and upload it to remote websites. It may also download and execute additional malware. This trojan has been observed to arrive in Valentine's Day-themed spam emails.
Method of Infection
Win32/Waledac.AJ may arrive via a link in a spammed email featuring a Valentine's theme. Possible email subject lines are:
- <sender name> has sent you a Valentine's Day E-Card!
- A Valentine's Day E-Card from <sender name>
- Greetings from <sender name>
Spam emails may look like this, for example: [screenshot of a sample Valentine's-themed spam email, not reproduced here]
Clicking on the link leads the user to a seemingly innocent-looking website: [screenshot of the landing page, not reproduced here]
Currently, the trojan executables are being delivered from these websites:
adorelyric.com
adorepoem.com
adoresong.com
adoresongs.com
bestadore.com
bestlovehelp.com
bestlovelong.com
chatloveonline.com
cherishletter.com
cherishpoems.com
funloveonline.com
lovecentralonline.com
lovelifeportal.com
orldlovelife.com
romanticsloving.com
whocherish.com
worldlovelife.com
worshiplove.com
youradore.com
yourdatabank.com
yourgreatlove.com
yourteamdoc.com
with the following filenames:
Card.exe
cardviewer.exe
devkit.exe
download.exe
ecard.exe
install.exe
lovecard.exe
lovekit.exe
loveprogramm.exe
Loveu.exe
Luv.exe
Programm.exe
vcard.exe
viewer.exe
When executed, Win32/Waledac.AJ creates the following registry entry to automatically run at system start-up:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg = "<path to executable>"
It also creates the following registry entries as an infection marker:
HKCU\Software\Microsoft\Windows\CurrentVersion\RList = "<random characters>"
HKCU\Software\Microsoft\Windows\CurrentVersion\MyID = "<random characters>"
HKCU\Software\Microsoft\Windows\CurrentVersion\FWDone = "<random characters>"
HKCU\Software\Microsoft\Windows\CurrentVersion\LastCommandId = "<random characters>"
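The persistence value and the four infection markers above are the quickest host-side check for this trojan. The following script is an added example, not part of the original advisory: it parses a registry export in the text format that `reg export` writes (a .reg file), so the check runs offline on any platform, and reports whether the `PromoReg` Run value or any of the `RList`, `MyID`, `FWDone` or `LastCommandId` markers are present. The sample export embedded in it is constructed for illustration (the executable path in it is fictitious); on a live Windows host you would export the two keys named above and feed the resulting files to `find_waledac_artifacts`.

```python
"""Check a registry export for the Win32/Waledac.AJ persistence and marker values.

Added example; not part of the original advisory. Parses the .reg text format
written by `reg export`, e.g.
  reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg
  reg export "HKCU\Software\Microsoft\Windows\CurrentVersion" cv.reg
The SAMPLE_REG export below is constructed for illustration.
"""
import re

# Artifacts named on this page: one HKLM Run value and four HKCU marker values.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "PromoReg"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
MARKER_VALUES = ("RList", "MyID", "FWDone", "LastCommandId")

# Constructed sample export in .reg syntax (string data is backslash-escaped).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"PromoReg"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\lovecard.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"RList"="kq9zA2"
"MyID"="x7Lm0p"
"FWDone"="1"
"LastCommandId"="Qw8"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Return {key_path.lower(): {value_name.lower(): data}} for a .reg dump.

    Key and value names are lowercased because the registry is case-insensitive.
    Quoted REG_SZ data is unescaped; other types (dword:, hex:) are kept raw.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name.lower()] = data
    return keys


def find_waledac_artifacts(text):
    """Return [(kind, key, value_name, data)] for every artifact present."""
    keys = parse_reg_export(text)
    hits = []
    run = keys.get(RUN_KEY.lower(), {})
    if RUN_VALUE.lower() in run:
        hits.append(("persistence", RUN_KEY, RUN_VALUE, run[RUN_VALUE.lower()]))
    cv = keys.get(MARKER_KEY.lower(), {})
    for name in MARKER_VALUES:
        if name.lower() in cv:
            hits.append(("marker", MARKER_KEY, name, cv[name.lower()]))
    return hits


if __name__ == "__main__":
    for kind, key, name, data in find_waledac_artifacts(SAMPLE_REG):
        print(f"{kind:12} {key}\\{name} = {data}")
```

A hit on `PromoReg` alone tells you what binary to collect; the marker values are only useful as corroboration, since their data is random and cannot be matched against a fixed string.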
Payload
Steals Sensitive Information
Win32/Waledac.AJ harvests email addresses and uploads them to a remote location. To find them, the trojan searches the files on the following types of drives:
- Removable drives such as floppy drives, thumb drives, flash card readers
- Fixed drives such as hard drives, flash drives
- Remote drives such as remote network drives
The trojan ignores files with the following extensions:
.7z
.avi
.bmp
.class
.dll
.exe
.gif
.gz
.hxd
.hxh
.hxn
.hxw
.jar
.jpeg
.jpg
.mov
.mp3
.msi
.ocx
.ogg
.png
.rar
.vob
.wav
.wave
.wma
.wmv
.zip
Waledac stores the harvested addresses, in encrypted form, in a file with a random filename and a .htm, .php or .png extension. It then connects to a web server and uploads the file with an HTTP POST request. [screenshot of the captured POST request, not reproduced here]
The trojan has been observed to contact web servers at the following IP addresses:
114.51.6.200
115.186.129.84
115.42.67.109
117.199.177.133
117.199.224.202
117.200.225.82
118.107.130.7
118.140.47.197
118.168.204.232
118.174.171.144
118.26.156.150
118.83.13.220
119.154.2.125
119.83.90.51
124.123.55.246
124.125.15.142
125.163.87.42
132.177.115.247
151.118.184.222
151.53.136.149
151.83.19.225
166.166.4.128
168.255.42.114
189.13.18.193
193.150.249.23
193.93.192.234
196.202.6.45
196.206.123.142
200.108.198.242
200.157.120.151
200.86.3.36
200.90.108.5
201.212.41.19
201.79.176.232
201.89.173.168
201.92.181.248
212.16.130.93
212.27.30.112
213.182.243.29
213.91.231.150
217.119.150.24
220.226.50.183
24.125.51.191
24.177.237.20
24.56.112.169
24.56.119.61
24.61.201.171
4.253.71.128
64.179.148.3
66.168.245.107
66.215.74.16
66.72.68.123
66.75.245.215
67.182.183.96
67.184.235.168
69.223.176.246
70.166.88.195
71.12.12.68
71.61.209.198
72.35.183.153
76.108.154.195
76.126.213.58
76.181.74.139
76.200.188.34
76.204.247.33
76.90.193.224
77.254.135.159
77.28.83.103
77.98.113.36
80.116.105.170
80.186.88.44
80.217.0.39
80.252.63.79
80.44.164.180
80.72.74.121
80.99.68.67
81.100.82.207
81.101.29.244
81.101.92.26
81.104.141.11
81.104.184.170
81.105.25.2
81.106.243.7
81.107.5.147
81.110.226.209
81.110.245.219
81.110.59.113
81.13.234.39
81.22.134.119
81.99.145.219
82.1.69.85
82.11.215.3
82.226.160.63
82.228.97.32
82.230.197.96
82.238.33.24
82.241.128.117
82.247.98.24
82.250.79.101
82.34.228.99
82.41.205.240
82.51.13.123
82.56.129.244
82.56.61.42
82.67.61.246
83.132.106.223
83.132.2.169
83.191.139.48
84.113.246.98
84.126.130.3
84.16.228.132
84.3.203.108
84.91.252.238
85.101.9.104
85.135.2.254
85.138.42.173
85.138.66.110
85.176.16.116
85.178.40.9
85.194.248.239
85.202.213.30
85.216.123.30
85.216.63.24
85.216.72.144
85.216.8.141
85.86.155.123
85.96.71.158
86.10.48.52
86.10.84.197
86.12.113.98
86.12.43.203
86.126.110.142
86.15.190.70
86.16.103.203
86.17.121.104
86.17.164.11
86.20.121.135
86.20.27.30
86.56.233.111
86.56.87.69
86.7.153.183
86.9.151.128
87.2.27.97
87.242.37.21
87.5.119.42
87.65.166.124
87.8.242.3
88.160.142.244
88.162.47.6
88.165.78.65
88.165.82.122
88.171.35.154
88.175.180.95
88.175.225.30
88.175.5.93
88.175.62.158
88.180.193.114
88.182.145.111
88.182.210.147
88.182.246.99
88.184.208.60
88.227.198.251
88.228.81.45
89.115.160.11
89.137.22.154
89.138.214.211
89.208.209.86
89.234.220.89
89.235.200.243
89.235.214.70
89.34.220.82
89.37.77.179
89.46.220.40
92.114.236.194
92.115.132.68
92.228.215.150
92.232.226.106
92.232.4.139
93.177.180.42
93.183.181.25
97.96.9.212
98.122.35.173
99.234.255.194
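The delivery indicators in the Method of Infection section (the landing domains and payload filenames) and the upload behaviour described above (an HTTP POST of a random-named .htm/.php/.png file to one of these addresses) can both be checked against web proxy logs. The script below is an added example, not part of the original advisory. It embeds only a subset of the domains, filenames and addresses listed on this page (extend the sets with the full lists), and the log format (`<timestamp> <client> <METHOD> <url> <status>`) and the sample lines are constructed for illustration.

```python
"""Triage web proxy log lines against the Waledac.AJ network indicators on this page.

Added example; not part of the original advisory. Two stages are covered:
  - delivery: a request to a listed domain, escalated when the path ends in a
    listed payload filename
  - exfiltration: an HTTP POST of a random-named .htm/.php/.png to a listed IP
Indicator sets are a subset of the page's lists; the log lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Subset of the domains listed under "Method of Infection".
DELIVERY_DOMAINS = {"adorelyric.com", "adoresong.com", "cherishpoems.com",
                    "orldlovelife.com", "worldlovelife.com", "youradore.com"}
# Subset of the payload filenames, lowercased for comparison.
PAYLOAD_NAMES = {"card.exe", "cardviewer.exe", "ecard.exe", "lovecard.exe",
                 "loveu.exe", "luv.exe", "vcard.exe", "viewer.exe"}
# Subset of the upload server addresses listed above.
C2_IPS = {"114.51.6.200", "24.125.51.191", "80.72.74.121", "99.234.255.194"}

# The upload is a single random-looking name with one of three extensions.
EXFIL_PATH = re.compile(r"^/[A-Za-z0-9]+\.(?:htm|php|png)$")
# Constructed log format: "<ts> <client> <METHOD> <url> <status>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")

SAMPLE_LOG = """\
1234567890.123 10.0.0.5 GET http://adoresong.com/index.php 200
1234567891.456 10.0.0.5 GET http://cherishpoems.com/ecard.exe 200
1234567950.001 10.0.0.5 POST http://114.51.6.200/aXk2Pq.png 200
1234567960.002 10.0.0.7 GET http://www.example.com/valentine.png 200
1234567970.003 10.0.0.5 GET http://orldlovelife.com/image.jpg 200
1234567980.004 10.0.0.9 POST http://114.51.6.200/index.html 404
"""


def classify(line):
    """Return 'payload-download', 'delivery-domain', 'exfiltration' or None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m.group("url"))
    host = url.hostname or ""           # lowercased, port stripped
    path = url.path or "/"
    basename = path.rsplit("/", 1)[-1].lower()
    if host in DELIVERY_DOMAINS:
        return "payload-download" if basename in PAYLOAD_NAMES else "delivery-domain"
    # Only POSTs count for the upload stage; a GET to one of these hosts may be
    # unrelated traffic, since the addresses look like ordinary broadband clients.
    if m.group("method") == "POST" and host in C2_IPS and EXFIL_PATH.match(path):
        return "exfiltration"
    return None


def triage(lines):
    """Return [(line_number, verdict, url)] for every line matching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict:
            hits.append((n, verdict, LOG_LINE.match(line.strip()).group("url")))
    return hits


if __name__ == "__main__":
    for n, verdict, url in triage(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {verdict:17} {url}")
```

The sixth sample line is deliberately a POST to a listed address with a normal filename: it is not flagged, because the page describes the upload as a random name with one of three specific extensions, and matching on the address alone would produce noise against what are mostly dynamically assigned consumer IPs.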
Downloads and Executes Arbitrary Files
Win32/Waledac.AJ is also capable of downloading additional malware from the orldlovelife.com domain.
The downloaded file has a .JPG extension and appears to be an image file: [screenshot of the downloaded file, not reproduced here]
However, the file has a malicious executable embedded in it, which is detected as a Win32/SillyDl trojan variant.
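A file that carries a valid image header but contains an executable further in is easy to spot without any signature, because a JPEG never contains a DOS header whose `e_lfanew` field points at a `PE` signature. The script below is an added example, not part of the original advisory or a sample of the actual downloaded file: it walks every `MZ` occurrence in the data and reports the first one that resolves to a `PE\0\0` signature, and classifies the file accordingly. The sample it builds is constructed (a minimal JFIF header followed by a stub DOS/PE header), not real malware.

```python
"""Flag a ".jpg" that carries an embedded Windows executable.

Added example; not part of the original advisory. Looks for a DOS "MZ" header
anywhere in the data whose e_lfanew field (at offset 0x3c) points at a valid
PE signature. build_sample() returns a constructed file, not a real sample.
"""
JPEG_MAGIC = b"\xff\xd8\xff"


def find_embedded_pe(data):
    """Return the offset of the first MZ header whose e_lfanew points at 'PE\\0\\0', else -1."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = int.from_bytes(data[pos + 0x3C:pos + 0x40], "little")
            pe = pos + e_lfanew
            # e_lfanew must point past the 64-byte DOS header and land inside the file.
            if e_lfanew >= 0x40 and data[pe:pe + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1


def assess(data):
    """Classify file content regardless of the extension it was given."""
    pe_at = find_embedded_pe(data)
    if pe_at == 0:
        return "pe-renamed"                # a bare executable given a .jpg name
    if data.startswith(JPEG_MAGIC):
        return "jpeg-with-embedded-pe" if pe_at > 0 else "jpeg"
    return "embedded-pe" if pe_at > 0 else "unknown"


def build_sample():
    """Constructed: JFIF header + padding + EOI marker, then a stub MZ/PE header."""
    jpeg = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            + b"\x00" * 40 + b"\xff\xd9")                 # 62 bytes
    dos = bytearray(b"MZ" + b"\x00" * 62)                 # 64-byte DOS header
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")         # e_lfanew -> right after it
    return jpeg + bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    sample = build_sample()
    print(assess(sample), "- MZ header at offset", find_embedded_pe(sample))
```

The `e_lfanew` check is what keeps this from firing on the two-byte string "MZ" appearing by chance in image data; the price is that a deliberately corrupted header would be missed, so treat a hit as confirmation and a miss as inconclusive.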
For additional information:
Win32/Waledac.AJ connects to the following website:
adoresong.com/index.php
Analysis by Mary Grace Gabriel