

New Waledac Variant


#1 cnm


    Mother Lion of SWI

  • Retired Staff
  • 25,317 posts

Posted 20 February 2012 - 12:09 PM

"Waledac was already the second version of Storm. The difference this time around is that the botnet has added a malicious element, according to the Palo Alto Networks researchers.

It's no surprise that spammers are upping their game with information-stealing features: Many botnets do a combination of both spamming and more nefarious activities, such as stealing financial information or credentials."

The original Waledac earmarks: see http://www.symantec.....jsp?asid=23304

When the worm executes, it creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"PromoReg" = "[PATH TO THREAT]"

It also creates the following registry entries:

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"RList" = "[HEXADECIMAL DIGITS]"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"MyID" = "[HEXADECIMAL DIGITS]"

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)

Member of UNITE
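The three registry entries listed in the post above, turned into an offline check over a registry export. This is an added example, not part of the original post or the Symantec write-up. The sample export, its file path and its hex values are constructed, and the storage type of the hexadecimal data (string or binary) is an assumption.

```python
import re

HEX = re.compile(r'^(?:"[0-9a-fA-F]+"|hex(?:\([0-9a-f]+\))?:[0-9a-fA-F,]*)$')
# (key, value name, expected data shape or None), taken from the post above.
# Assumption: the hexadecimal data is stored as a string or as binary (hex:).
INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "PromoReg", None),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion", "RList", HEX),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion", "MyID", HEX),
]
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Parse .reg export text into {key: {value name: raw data}} (names lowercased)."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex: data wrapped with a trailing backslash
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = keys.setdefault(m.group(1).lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1).lower()] = m.group(2)
    return keys


def find_waledac_indicators(text):
    """Return (key, value name, raw data, shape_ok) for each listed entry that is present."""
    keys = parse_reg_export(text)
    hits = []
    for key, name, shape in INDICATORS:
        data = keys.get(key.lower(), {}).get(name.lower())  # registry names are case-insensitive
        if data is not None:
            hits.append((key, name, data, shape is None or bool(shape.match(data))))
    return hits


# Constructed sample export; the file path and hex values are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"PromoReg"="C:\\Users\\Public\\example-placeholder.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"RList"=hex:0a,1b,2c,3d,\
  4e,5f
"MyID"="00112233aabbccdd"
'''
```

Files written by `reg export` are UTF-16 encoded, so decode them before passing the text to `find_waledac_indicators`. A hit with `shape_ok` set to `False` means the value name matched but its data is not hexadecimal, which makes an unrelated value of the same name more likely.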