
W32.Waledac

Risk Level 2: Low

Discovered: December 23, 2008
Updated: August 8, 2012 10:11:56 AM
Also Known As: TROJ_GENETIK.TI [Trend], Email-Worm:W32/Waledac.A [F-Secure], Troj/Waled-C [Sophos], WORM_WALEDAC.C [Trend], WORM_WALEDAC.AB [Trend], WORM_WALEDAC.AS [Trend], Iksmas.A.worm [Panda Software], WORM_WALEDAC.AI [Trend], W32/Waled-Q [Sophos], W32/Waled-R [Sophos], Trojan:W32/Waledac.A [F-Secure], Troj/Waled-U [Sophos], W32/Waled-Z [Sophos], Troj/Waled-AB [Sophos], W32/Waled-AF [Sophos], Win32/Waledac.AJ [Computer Associates], Mal/WaledPak-B [Sophos], WORM_WALEDAC.BK [Trend], W32/Waled-AW [Sophos], Win32/Waledac.Z [Computer Associates], Mal/WaledPak-D [Sophos], WORM_WALEDAC.CRV [Trend], WORM_WALEDAC.ED [Trend], W32/Waledac.AX [Panda Software], WORM_WALEDAC.DU [Trend]
Type: Worm
Infection Length: 386,560 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

W32.Waledac is a worm that spreads by sending emails that contain links to copies of itself. It also sends spam, downloads other threats, and operates as part of a botnet.

Infection
W32.Waledac doesn’t spread automatically by sending itself to other computers, as most traditional worms do. Instead, the people behind this threat launch periodic campaigns in order to spread the worm. These generally take the form of a spam run or fake websites and rely on some sort of social engineering trick to entice users into actions that result in the threat being installed.

In other situations, W32.Waledac comes bundled with, or is downloaded by, other threats. The specific relationship between Waledac and these other threats isn’t always clear, but it likely has much to do with the versatility of the threat.


Functionality
W32.Waledac’s primary purpose is to make money. It does this by sending out spam and also by downloading and installing misleading applications. The spam that Waledac sends out appears to be for products tied to less-than-reputable vendors. The misleading applications that may be installed by the threat attempt to trick the user into paying for the applications. In both cases, the people behind Waledac likely make their money by receiving a portion of any profits made through misleading applications or by leasing out bandwidth, for a fee, to send spam.

Waledac also maintains a fairly robust botnet, with protection mechanisms and a decentralized architecture meant to make it difficult to bring down.



Geographical Distribution
Symantec has observed the following geographic distribution of this threat.

Prevalence
Symantec has observed the following infection levels of this threat worldwide.

Antivirus Protection Dates

  • Initial Rapid Release version December 23, 2008 revision 002
  • Latest Rapid Release version August 15, 2013 revision 016
  • Initial Daily Certified version December 23, 2008 revision 007
  • Latest Daily Certified version August 15, 2013 revision 022
  • Initial Weekly Certified release date December 24, 2008

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 50 - 999
  • Number of Sites: 0 - 2
  • Geographical Distribution: Medium
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Medium
  • Payload: Opens a back door on the compromised computer.
  • Large Scale E-mailing: May send spam email.
  • Releases Confidential Info: Attempts to steal information.

Distribution

  • Distribution Level: Low
  • Target of Infection: Spreads by sending links to copies of itself via email.
Writeup By: Ben Nahorney
