MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER CYBER SECURITY INFORMATIONAL BULLETIN
DATE ISSUED: 7/7/2009
SUBJECT: Recent Reports of Infections Due to the W32.Waledac Virus
We have received reports from two states this week of large scale network infections due to a piece of malware known as the W32.Waledac virus. This virus primarily spreads via a spammed email message containing a malicious attachment or a link to a compromised website. The attachment is commonly identified as “ecard.exe” and the contents of the email message may use any of the following subject lines:
I made an Ecard for U!
You've got an e-card
I sent you the ecard
Haven’t you heard news?
You have a greeting card
A special card just for you
You Received an Ecard
You Have An E-card Waiting For You!
It is worth noting that the file type and filename may change, and the subject lines may change depending on the circumstances surrounding the timeframe, such as holidays or significant current events. Some campaigns have even gone as far as to spoof YouTube videos that are actually links to malware executables.
Reports indicate that when this malware is executed, it will make the following Windows registry modification, causing it to run automatically each time a user logs on to the infected machine:
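The following is an added example (not part of the MS-ISAC bulletin) showing how a mail gateway or triage script could flag the lure described above. It matches the bulletin's subject lines case-insensitively and with whitespace and curly apostrophes normalised, flags the "ecard.exe" attachment named in the bulletin, and, as a broader heuristic that goes beyond the bulletin, flags any other executable attachment or body link ending in an executable extension. The three sample messages are constructed for the example.

```python
"""Triage inbound mail for the Waledac e-card lure described in the bulletin.

Added example, not code from the MS-ISAC bulletin. The subject lines and the
attachment name come from the bulletin; the sample messages are constructed.
"""
import email
import re
from email import policy

# Subject lines listed in the bulletin, normalised the same way as incoming subjects.
WALEDAC_SUBJECTS = {
    "i made an ecard for u!",
    "you've got an e-card",
    "i sent you the ecard",
    "haven't you heard news?",
    "you have a greeting card",
    "a special card just for you",
    "you received an ecard",
    "you have an e-card waiting for you!",
}
# Attachment name reported in the bulletin; the extension list is a broader heuristic.
KNOWN_ATTACHMENT = "ecard.exe"
EXEC_EXT = re.compile(r"\.(exe|scr|com|pif|bat|cmd)$", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _norm(text):
    """Lower-case, collapse whitespace, and map curly apostrophes to ASCII."""
    return re.sub(r"\s+", " ", (text or "").replace("\u2019", "'")).strip().lower()


def triage_message(raw: bytes) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "")
    if _norm(subject) in WALEDAC_SUBJECTS:
        reasons.append(f"subject matches bulletin lure: {subject!r}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == KNOWN_ATTACHMENT:
            reasons.append(f"attachment {name} named in bulletin")
        elif EXEC_EXT.search(name):
            reasons.append(f"executable attachment {name}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        if EXEC_EXT.search(url.split("?")[0]):
            reasons.append(f"link to executable: {url}")
    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed sample: bulletin subject line plus the ecard.exe attachment.
SAMPLE_LURE = (
    "From: greetings@example.invalid\r\nTo: user@example.invalid\r\n"
    "Subject: You Have An E-card Waiting For You!\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nOpen the attached card.\r\n"
    '--b1\r\nContent-Type: application/octet-stream; name="ecard.exe"\r\n'
    'Content-Disposition: attachment; filename="ecard.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\nTVqQAAMAAAAEAAAA\r\n--b1--\r\n"
).encode()

# Constructed sample: curly apostrophe in the subject and a link to an executable.
SAMPLE_LINK = (
    "From: video@example.invalid\r\nTo: user@example.invalid\r\n"
    "Subject: Haven\u2019t   you heard news?\r\nMIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n\r\n"
    "Watch it here: http://example.invalid/watch/video.exe\r\n"
).encode("utf-8")

# Constructed sample: ordinary mail that should pass.
SAMPLE_BENIGN = (
    "From: colleague@example.invalid\r\nTo: user@example.invalid\r\n"
    "Subject: Meeting notes\r\nMIME-Version: 1.0\r\n"
    "Content-Type: text/plain\r\n\r\nSee you Tuesday.\r\n"
).encode()

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("link", SAMPLE_LINK), ("benign", SAMPLE_BENIGN)):
        print(label, triage_message(sample))
```

Subject matching alone is brittle, since the bulletin itself says the lines change with the season; the attachment and link checks are the part worth keeping when the subjects are rotated.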
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"PromoReg" = "[PATH TO THREAT]"
Additionally, it also creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"RList" = "[HEXADECIMAL DIGITS]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"MyID" = "[HEXADECIMAL DIGITS]"
The malware has been known to communicate over port 80/TCP with the following malicious domains:
video4thjuly[dot]com
happyindependence[dot]com
Please be aware that these are not the only domains that it will contact, and this list may grow with time or be altered dependent on the events surrounding the current timeframe.
In addition to connecting to the domains given above, the malware also connects to the following IP addresses:
61.60.183.252
64.150.150.45
67.43.100.24
70.115.176.78
72.10.29.19
76.94.66.148
77.76.162.127
77.78.94.185
81.97.116.82
82.177.173.80
82.46.28.102
82.77.50.14
83.2.91.84
83.252.194.194
84.10.218.71
84.38.86.43
84.42.186.164
84.43.144.116
85.120.149.156
85.122.94.27
85.65.88.138
85.67.104.110
85.87.65.109
86.105.189.66
87.110.76.93
87.255.88.27
87.97.228.53
88.222.97.206
88.86.216.131
89.201.87.212
89.42.6.81
89.43.219.79
89.46.174.132
93.187.139.53
98.151.36.207
99.141.124.192
112.76.132.115
116.120.130.217
118.34.184.174
119.70.124.228
121.67.207.185
189.47.140.100
193.140.26.43
194.27.60.87
200.84.30.30
201.212.3.94
201.27.207.7
208.80.54.41
211.205.126.105
213.89.24.254
217.210.182.197
221.43.154.32
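As an added example (not code from the bulletin), the script below sweeps proxy or DNS log lines for the domains and IP addresses listed above, and checks a Windows registry export (a `.reg` file) for the "PromoReg", "RList" and "MyID" values. It re-fangs the `[dot]` notation used in the bulletin, and only a subset of the 52 addresses is embedded to keep it short; a real deployment would load the full list. The log lines and the registry export are constructed for the example.

```python
"""Sweep logs and a registry export for the Waledac indicators in the bulletin.

Added example, not part of the MS-ISAC bulletin. Indicators are the bulletin's;
the proxy log and registry export text below are constructed.
"""
import ipaddress
import re

DEFANGED_DOMAINS = ["video4thjuly[dot]com", "happyindependence[dot]com"]
# Subset of the bulletin's 52 addresses; load the full list in practice.
IOC_IPS = {"61.60.183.252", "64.150.150.45", "67.43.100.24", "221.43.154.32"}
# (registry key, value name) pairs from the bulletin.
REG_INDICATORS = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "PromoReg"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion", "RList"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion", "MyID"),
}


def refang(domain):
    """Turn the bulletin's defanged notation back into a resolvable name."""
    return domain.replace("[dot]", ".").replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
_TOKEN = re.compile(r"[A-Za-z0-9.\-\[\]]+")


def indicators_in(line):
    """Return the distinct IoC hits in one log line, e.g. ['domain:x', 'ip:y']."""
    hits = []
    for tok in _TOKEN.findall(line):
        tok = refang(tok).strip(".")
        try:
            ip = ipaddress.ip_address(tok)
        except ValueError:
            ip = None
        if ip is not None:
            hit = f"ip:{ip}" if str(ip) in IOC_IPS else None
        else:
            hit = next((f"domain:{tok}" for d in IOC_DOMAINS
                        if tok == d or tok.endswith("." + d)), None)
        if hit and hit not in hits:
            hits.append(hit)
    return hits


def sweep_log(text):
    """Return [(line_number, hits)] for every line that touches an indicator."""
    return [(n, h) for n, line in enumerate(text.splitlines(), 1)
            if (h := indicators_in(line))]


def registry_indicators(reg_text):
    """Parse .reg export text and return (key, name, value) for bulletin indicators."""
    found, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m or key is None:
            continue
        name, value = m.group(1), m.group(2).strip('"')
        if any(key.lower() == k.lower() and name.lower() == v.lower()
               for k, v in REG_INDICATORS):
            found.append((key, name, value))
    return found


# Constructed Squid-style proxy log: one clean request, one download from a listed
# domain and address, one direct connection to a listed address.
SAMPLE_PROXY_LOG = """\
1246972800.101    312 10.0.5.23 TCP_MISS/200 4821 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1246972803.417    845 10.0.5.23 TCP_MISS/200 61440 GET http://video4thjuly.com/ecard.exe - DIRECT/61.60.183.252 application/octet-stream
1246972860.022    120 10.0.7.8 TCP_MISS/200 310 GET http://67.43.100.24/ - DIRECT/67.43.100.24 text/html
"""

# Constructed registry export with a benign Run entry beside the bulletin's values.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Example\\agent.exe"
"PromoReg"="C:\\Windows\\Temp\\ecard.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"RList"="0a1b2c3d"
"MyID"="deadbeef00"
"""

if __name__ == "__main__":
    for n, hits in sweep_log(SAMPLE_PROXY_LOG):
        print(f"line {n}: {hits}")
    for key, name, value in registry_indicators(SAMPLE_REG_EXPORT):
        print(f"{key}\\{name} = {value}")
```

The domain check matches subdomains as well as the bare name, and the same `indicators_in` function works on DNS query logs, since it only looks at tokens. On a host, `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` produces the kind of text `registry_indicators` expects.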
Please note that one state reported that their anti-virus software, which was up-to-date, did not detect this version of the malware.
RECOMMENDATIONS:
We recommend the following actions be taken:
• Consider blocking access to the IP addresses and domains listed above.
• Ensure that all anti-virus software is up to date with the latest signatures.
• Do not download or open files from untrusted websites.
• Do not visit untrusted websites or follow links provided by unknown or untrusted sources.
• Do not open email attachments from unknown or untrusted sources.
• Block untrusted incoming traffic from the Internet at your network perimeter.
Lastly, we recommend that all users be informed of the above threat and the precautions they need to follow.
REFERENCES:
Security Focus:
http://www.symantec.com/security_response/writeup.jsp?docid=2008-122308-1429-99&tabid=1
F-Secure:
http://www.f-secure.com/v-descs/email-worm_w32_waledac_a.shtml