1. /
  2. Security Response/
  3. W32.Waledac


Risk Level 2: Low

December 23, 2008
August 8, 2012 10:11:56 AM
Also Known As:
TROJ_GENETIK.TI [Trend], Email-Worm:W32/Waledac.A [F-Secure], Troj/Waled-C [Sophos], WORM_WALEDAC.C [Trend], WORM_WALEDAC.AB [Trend], WORM_WALEDAC.AS [Trend], Iksmas.A.worm [Panda Software], WORM_WALEDAC.AI [Trend], W32/Waled-Q [Sophos], W32/Waled-R [Sophos], Trojan:W32/Waledac.A [F-Secure], Troj/Waled-U [Sophos], W32/Waled-Z [Sophos], Troj/Waled-AB [Sophos], W32/Waled-AF [Sophos], Win32/Waledac.AJ [Computer Associates], Mal/WaledPak-B [Sophos], WORM_WALEDAC.BK [Trend], W32/Waled-AW [Sophos], Win32/Waledac.Z [Computer Associates], Mal/WaledPak-D [Sophos], WORM_WALEDAC.CRV [Trend], WORM_WALEDAC.ED [Trend], W32/Waledac.AX [Panda Software], WORM_WALEDAC.DU [Trend]
Infection Length:
386,560 bytes
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
W32.Waledac is a worm that spreads by sending emails that contain links to copies of itself. It also sends spam, downloads other threats, and operates as part of a botnet.

W32.Waledac doesn’t spread automatically, sending itself off to other computers in the traditional sense of most worms. Instead, the people behind this threat launch periodic campaigns in order to spread the worm. These generally come in the form of a spam campaign or fake websites and entail some sort of social engineering trick to entice users to perform various actions that result in the threat being installed.

In other situations W32.Waledac comes bundled with, or is downloaded by, other threats. The specific relationship between Waledac and these other threats isn’t always clear, but likely has much to do with the versatility of the threat.

W32.Waledac’s primary purpose is to make money. It does this by sending out spam and also by downloading and installing misleading applications. The spam that Waledac sends out appears to be for products tied to less-than-reputable vendors. The misleading applications that may be installed by the threat attempt to trick the user into paying for the applications. In both cases, the people behind Waledac likely make their money by receiving a portion of any profits made through misleading applications or by leasing out bandwidth, for a fee, to send spam.

Waledac also maintains a fairly robust botnet, with protection mechanisms and a decentralized architecture meant to make it difficult to bring down.

Symantec has observed the following geographic distribution of this threat.

Symantec has observed the following infection levels of this threat worldwide.

Antivirus signatures

Antivirus (heuristic/generic)

Intrusion Prevention System

Antivirus Protection Dates

  • Initial Rapid Release version December 23, 2008 revision 002
  • Latest Rapid Release version November 15, 2015 revision 018
  • Initial Daily Certified version December 23, 2008 revision 007
  • Latest Daily Certified version November 15, 2015 revision 020
  • Initial Weekly Certified release date December 24, 2008
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Writeup By: Ben Nahorney

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report