Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Waledac – Guess which one is for you?

Created: 23 Jan 2009 18:59:56 GMT • Updated: 23 Jan 2014 18:37:59 GMT
Peter Coogan's picture
0 0 Votes
Login to vote

With President Obama's inauguration being over, and with Valentine’s Day approaching, it’s no surprise that the Waledac gang have changed their theme to one of love. The Web page shown below is now appearing on some well-known W32.Waledac sites:

At the moment, a file (with the MD5 checksum 35b48da0e6ccfe75443f5f727a8f400a) is being distributed from these sites using one of the file names listed below. Symantec detects these files as W32.Waledac.


Now, if you read computer security blogs on a regular basis, you are probably thinking that this all sounds very familiar. Well, you wouldn’t be wrong. Trojan.Peacomm (a.k.a. Storm bot) used very similar social engineering tactics, which we blogged about back in February 2008. When we take a look at the image below, which was used last year by Storm in one of their Valentine’s Day spam runs, you can see some similarities:

This is not the first time that a comparison between Waledac and Storm has been made. The binaries and method of communication have been found to be different, but the tactics used to spread these threats are very similar. At this stage, Waledac is nowhere near the size the Storm bot managed to grow to. However, these are possibly early days for Waledac and with it using similar tactics that helped Storm grow into such a large threat, it has some potential for further growth.

The following are examples of the spam emails being sent to spread W32.Waledac:

Subject: Me and You
Message body: Lucky to have you hxxp://


Subject: Together forever
Message body: I Love You hxxp://

Subject: Deep in my heart
Message body: Only you hxxp://zfy.goodnews<removed>.com/?id=0a99<removed>bd1503eb2

Subject: Madly in love
Message body: In your arms hxxp://<removed><removed>ca2c

Subject: Here in my heart
Message body: Heart Pump hxxp://gcxho.worldnews<removed>.com/?cardnum=<removed>9d6

Subject: Can't forget you
Message body: I'll never stope loving you hxxp://cbibho.wapcity<removed>.com/?id=7<removed>ca

As always, Symantec recommends that you don't click on any links in email from unknown or untrusted sources. Use caution when visiting websites that are offering deals that are too good to be true, because they probably are. When you are looking for retail products for a holiday purchase, please visit reputable websites offered by legitimate companies.