Waledac

By GoldSparrow in Worms | 138 views

W32.Waledac Description

W32.Waledac, also detected as Trojan.Waledac, is a Trojan that secretly downloads and installs other malware onto an infected system. Waledac has been reported to install further Trojans, keyloggers, adware and other parasites. Waledac also functions as a backdoor, allowing remote access to the infected system.

Waledac was commonly attached to fake holiday e-cards, spreading other infections onto the recipient's computer once the malicious link is clicked. One example of the Waledac e-card distribution scam was a Valentine's message with the subject line “A Valentine Ecard Notificaiton,” which was found to spread the MS AntiSpyware 2009 rogue anti-spyware application. Recent discoveries have confirmed that the Conficker worm variant Conficker.E distributes Waledac.

Type: Worms

Aliases:

  • TROJ_GENETIK.TI (Trend)
  • WORM_WALEDAC.C (Trend)
  • WORM_WALEDAC.AB (Trend)
  • WORM_WALEDAC.AS (Trend)
  • WORM_WALEDAC.AI (Trend)
  • WORM_WALEDAC.ED (Trend)
  • WORM_WALEDAC.CRV (Trend)
  • WORM_WALEDAC.BK (Trend)
  • Win32/Waledac.AJ (Computer Associates)
  • Win32/Waledac.Z (Computer Associates)
  • W32/Waled-Q (Sophos)
  • Troj/Waled-AB (Sophos)
  • W32/Waled-AF (Sophos)
  • Mal/WaledPak-B (Sophos)
  • W32/Waled-R (Sophos)
  • Troj/Waled-U (Sophos)
  • Troj/Waled-C (Sophos)
  • W32/Waled-AW (Sophos)
  • Mal/WaledPak-D (Sophos)
  • W32/Waled-Z (Sophos)
  • Email-Worm:W32/Waledac.A (F-Secure)
  • Trojan:W32/Waledac.A (F-Secure)
  • Iksmas.A.worm (Panda Software)
  • W32/Waledac.AX (Panda Software)


W32.Waledac Technical Report

As new W32.Waledac details are reported by our customers and findings from our Threat Research Center, we will update this section.

The following W32.Waledac files, with their sizes and MD5 hashes, were created on the system:


W32.Waledac typically has the following processes in memory:

  • %SYSTEMROOT%\system32\9782.exe
  • msauc.exe
  • %SYSTEMROOT%\system32\drivers\svchost.exe
  • _ex-08.exe
  • %USERPROFILE%\LOCALS~1\Temp\yPjX.exe
  • _ex-68.exe
  • sam.exe.exe

W32.Waledac creates the following registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"MyID" = "[HEXADECIMAL DIGITS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"RList" = "[HEXADECIMAL DIGITS]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"PromoReg" = "[PATH TO THREAT FILE]"
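The process and registry indicators above can be checked offline against a `reg export` dump and a process listing. The following is an added example, not code from this page or from Enigma Software; it assumes the .reg text format and uses constructed sample data, and it also flags any svchost.exe running outside \system32, since the page's copy sits under \system32\drivers.

```python
import re

# Registry indicators from the page: key -> value names Waledac writes there.
REG_INDICATORS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion": {"MyID", "RList"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"PromoReg"},
}
# Process image names from the page, lower-cased (full paths vary between infections).
PROC_INDICATORS = {"9782.exe", "msauc.exe", "_ex-08.exe", "_ex-68.exe", "ypjx.exe", "sam.exe.exe"}
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # one string value line of a .reg export

def scan_reg_export(text):
    """Walk a .reg export (what `reg export` writes) and return the Waledac values found."""
    hits, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]                      # new [HKEY_...] section
            continue
        m = VALUE_RE.match(line)
        if m is None or current_key is None:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping
        for key, names in REG_INDICATORS.items():
            if current_key.lower() == key.lower() and name in names:
                hits.append({"key": current_key, "name": name, "data": data})
    return hits

def suspicious_processes(image_paths):
    """Flag images named on the page, plus any svchost.exe not directly under \\system32."""
    hits = []
    for path in image_paths:
        base = path.rsplit("\\", 1)[-1]
        parent = path[: len(path) - len(base)].rstrip("\\").lower()
        if base.lower() in PROC_INDICATORS or (
                base.lower() == "svchost.exe" and not parent.endswith("\\system32")):
            hits.append(path)
    return hits

# Constructed sample input (not taken from the page): a .reg export and a process list.
SAMPLE_REG = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"MyID"="0a1b2c3d4e5f"
"RList"="ff00ff00"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PromoReg"="C:\\WINDOWS\\system32\\9782.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
SAMPLE_PROCS = [r"C:\WINDOWS\system32\svchost.exe",          # legitimate location
                r"C:\WINDOWS\system32\drivers\svchost.exe",  # location the page reports
                r"C:\Documents and Settings\user\Local Settings\Temp\yPjX.exe",
                r"C:\WINDOWS\explorer.exe"]
```

Running `scan_reg_export(SAMPLE_REG)` returns the MyID, RList and PromoReg values (ctfmon.exe is ignored), and `suspicious_processes(SAMPLE_PROCS)` returns the drivers\svchost.exe and Temp\yPjX.exe entries only.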

This entry was posted on 01/24/09 and is filed under Worms.
