"Waledac was already the second version of Storm. The difference this time around is that the botnet has added a malicious element, according to the Palo Alto Networks researchers.
It's no surprise that spammers are upping their game with information-stealing features: Many botnets do a combination of both spamming and more nefarious activities, such as stealing financial information or credentials."
The original Waledac earmarks: see http://www.symantec.....jsp?asid=23304
When the worm executes, it creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"PromoReg" = "[PATH TO THREAT]"
It also creates the following registry entries:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"RList" = "[HEXADECIMAL DIGITS]"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"MyID" = "[HEXADECIMAL DIGITS]"
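
A check for the three registry values listed above, run over the decoded text of a `reg export` file; this is an added example, not code from the original post or the quoted write-up. The sample export and its data are constructed, and because the value type of RList and MyID is not stated above, both the quoted-string and `hex:` forms are handled as an assumption.

```python
import re

# Key paths and value names are the ones listed in the write-up above,
# lowercased because registry key and value names are case-insensitive.
INDICATORS = {
    (r"hkey_local_machine\software\microsoft\windows\currentversion\run", "promoreg"),
    (r"hkey_current_user\software\microsoft\windows\currentversion", "rlist"),
    (r"hkey_current_user\software\microsoft\windows\currentversion", "myid"),
}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def decode(data):
    """Make raw .reg data readable: unescape REG_SZ, flatten hex: bytes."""
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    if data.startswith("hex:"):
        return data[4:].replace(",", "")
    return data

def find_waledac_entries(reg_text):
    """Return (key, value name, data) for each listed entry found in the export.
    reg_text is the already-decoded text (reg.exe writes UTF-16 files)."""
    # Long hex values wrap with a trailing backslash; rejoin them first.
    reg_text = re.sub(r"\\\r?\n\s*", "", reg_text)
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VALUE_RE.match(line)):
            if (key.lower(), m.group(1).lower()) in INDICATORS:
                hits.append((key, m.group(1), decode(m.group(2))))
    return hits

# Constructed sample export: one benign Run value plus the three listed entries.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"PromoReg"="C:\\Users\\Public\\example.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"MyID"="0123456789abcdef"
"RList"=hex:de,ad,be,ef,\
  00,11,22,33
'''

if __name__ == "__main__":
    for key, name, data in find_waledac_entries(SAMPLE):
        print(f"{key}\\{name} = {data}")
```
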