Win32/Waledac.JT | ESET Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

O
P
Q
R
S
T
U
V
W
X
Y
Z
Glossary

Short description

Win32/Waledac.JT is a trojan that is used for spam distribution.

Installation

The trojan does not create any copies of itself.

In order to be executed on every system start, the trojan sets the following Registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run]
"PromoReg" = "%filepath%"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run]
"PromoReg" = "%filepath%"

The following Registry entries are created:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"RList" = "%hex_value1%"
"MyID" = "%hex_value2%"
"FWDone" = "%variable%"

A string with variable content is used instead of %variable% .

Spreading

The trojan generally spreads through links in spam emails which point to websites containing malware.

Some examples follow.

Example [1.] :

Example [2.] :

Example [3.] :

Information stealing

The trojan gathers e-mail addresses from all local files.

It avoids files with the following extensions:

.7z
.avi
.bmp
.class
.dll

more...

The trojan connects to some of the following IP addresses:

10.10.0.182
112.76.132.115
113.252.87.198
113.254.126.104
113.255.57.219

more...

10.10.0.182
112.76.132.115
113.252.87.198
113.254.126.104
113.255.57.219
113.30.81.6
113.61.184.89
114.30.134.94
116.123.155.18
118.232.186.218
119.15.196.125
119.204.116.61
119.246.58.44
119.77.241.27
119.92.29.123
121.133.227.50
125.131.157.217
140.113.246.125
140.123.236.163
144.122.21.189
156.17.34.93
163.180.140.240
163.180.140.241
166.82.149.171
168.131.48.243
189.103.50.40
193.140.26.43
193.140.26.67
193.140.26.82
193.140.26.91
193.224.251.56
193.43.255.106
193.93.94.9
194.27.64.177
194.27.68.50
200.112.170.6
200.204.40.76
201.11.154.85
201.15.10.11
201.39.115.114
211.106.233.241
211.245.208.162
211.41.225.65
211.63.82.133
211.75.202.235
212.183.212.54
212.51.223.229
212.75.6.56
212.77.156.35
212.77.156.75
212.80.53.28
213.21.36.184
213.213.201.115
213.231.97.17
213.89.17.69
217.113.123.83
217.129.35.29
217.195.58.206
221.160.67.146
221.163.75.167
24.100.8.91
60.198.132.191
60.2.41.179
61.35.100.83
61.64.25.120
61.73.148.72
64.150.205.40
64.95.58.136
64.95.58.150
64.95.58.153
66.56.242.36
68.59.7.2
68.80.77.247
69.254.29.23
70.126.174.197
70.224.33.117
71.249.195.122
76.90.207.141
77.232.11.21
77.250.161.205
77.36.3.134
77.78.191.36
80.82.86.35
80.98.172.191
80.98.83.46
81.105.150.20
81.203.74.134
81.24.211.147
81.95.195.52
82.105.101.57
82.12.2.217
82.19.192.201
82.210.141.4
82.212.133.142
82.227.205.129
82.230.189.102
82.233.24.88
82.235.211.70
82.239.234.157
82.240.224.224
82.242.182.210
82.243.120.177
82.245.76.81
82.250.72.232
82.46.28.102
82.5.214.221
83.172.42.213
83.83.206.6
83.97.136.155
84.10.166.159
84.108.102.98
84.113.147.148
84.124.106.35
84.16.228.132
84.240.47.65
84.38.104.198
84.38.104.199
85.120.149.156
85.122.13.67
85.122.94.27
85.130.3.199
85.186.92.93
85.201.131.10
85.204.132.61
85.233.91.17
85.239.139.118
85.255.76.170
85.85.223.125
85.86.254.203
86.100.89.37
86.126.167.180
86.126.171.46
86.126.185.47
86.18.90.94
86.52.251.174
86.61.130.226
87.116.187.92
87.120.194.221
87.120.70.169
87.247.107.58
87.250.57.142
87.97.196.47
87.97.228.53
88.158.3.77
88.165.213.249
88.167.163.137
88.171.195.151
88.172.226.183
88.174.217.135
88.184.74.15
88.216.45.240
88.216.47.73
88.222.67.92
89.102.235.10
89.102.73.171
89.148.123.115
89.151.18.207
89.190.236.235
89.205.13.159
89.25.88.139
89.252.1.19
89.252.57.111
89.28.15.227
89.28.44.98
89.28.96.116
89.29.138.169
89.33.186.23
89.36.40.60
89.40.110.163
89.74.23.162
89.74.55.117
89.78.171.183
92.115.178.224
92.115.243.108
92.243.107.227
92.249.181.124
92.250.107.25
92.54.102.245
93.100.36.37
93.100.7.126
93.113.207.73
93.113.225.92
93.123.40.26
93.152.156.92
93.184.82.161

less...

The trojan can send the information to a remote machine. The HTTP protocol is used.

Other information

The trojan is sent data and commands from a remote computer or the Internet.

The trojan can be used for sending spam.

The trojan may create the following files:

%random%.htm
%random%.png

A string with variable content is used instead of %random% .

The trojan can download and execute a file from the Internet.

By adding an exception in Windows Firewall settings, the trojan ensures that it is not blocked.