Threat Encyclopedia


Short description
Win32/Waledac.E is a trojan that spreads via e-mail. The file is run-time compressed using UPX.
Installation
The trojan does not create any copies of itself.

In order to be executed on every system start, the trojan sets the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PromoReg" = "%filepath%"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PromoReg" = "%filepath%"
The following Registry entries are created:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
    "RList" = "%hex_value1%"
    "MyID" = "%hex_value2%"
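A host check for the Registry values listed above, as an added PowerShell example that is not part of the original entry. It searches every user hive loaded under HKEY_USERS rather than only HKEY_CURRENT_USER, which covers just the account running the script; that extension and the variable names are assumptions of this example.

```powershell
# Added example: look for the registry indicators named in this entry.
# Run elevated so HKLM and other users' loaded hives are readable.
# Hives of users who are not logged on are not loaded and are not covered.

# Every user hive currently loaded (skips the per-user *_Classes hives).
$userRoots = @(
    Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "Registry::$($_.Name)" }
)

# Build the list of (key, value name) pairs to test.
$checks = @()
foreach ($root in @('Registry::HKEY_LOCAL_MACHINE') + $userRoots) {
    # Autostart value, listed for both HKLM and HKCU.
    $checks += [pscustomobject]@{
        Key  = "$root\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        Name = 'PromoReg'
    }
}
foreach ($root in $userRoots) {
    # Values the entry lists under the per-user CurrentVersion key.
    foreach ($name in 'RList', 'MyID') {
        $checks += [pscustomobject]@{
            Key  = "$root\Software\Microsoft\Windows\CurrentVersion"
            Name = $name
        }
    }
}

# Report each value that exists, with its type and data for triage.
$hits = foreach ($c in $checks) {
    $key = Get-Item -LiteralPath $c.Key -ErrorAction SilentlyContinue
    if ($null -eq $key) { continue }
    if ($key.GetValueNames() -contains $c.Name) {
        [pscustomobject]@{
            Key   = $c.Key
            Name  = $c.Name
            Kind  = $key.GetValueKind($c.Name)
            Value = $key.GetValue($c.Name)
        }
    }
}

if ($hits) { $hits | Format-List }
else { 'No Win32/Waledac.E registry indicators found.' }
```

A `PromoReg` hit gives the path of the file to collect for analysis before the value is removed.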
Spreading
The trojan is being spammed by e-mail. The attachment is an executable of the trojan.

The name of the attached file is as follows:
  • ecard.exe
Information stealing
The trojan gathers e-mail addresses from all local files.

It avoids files with the following extensions:
  • .7z
  • .avi
  • .bmp
  • .class
  • .dll
 
The trojan connects to some of the following IP addresses:
  • 117.200.162.251
  • 118.39.80.191
  • 121.183.84.135
  • 121.19.195.230
  • 124.13.230.117
 
The trojan can send the information to a remote machine. The HTTP protocol is used.
Other information
The trojan receives data and commands from a remote computer or the Internet.

The trojan can be used for sending unwanted/spam e-mail messages.

It can execute the following operations:
  • run executable files
  • terminate running processes
  • download files from a remote computer and/or Internet