1. Symantec/
  2. Security Response/
  3. Attack Signatures/
  4. HTTP Bredolab Executable Download

HTTP Bredolab Executable Download

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects HTTP activity generated from W32.Waledac malware.

Additional Information

W32.Waledac is a worm that spreads by sending an email containing links to copies of itself. It also opens a back door on the compromised computer.

The worm may arrive on the computer as an attachment to spam email or via a link to a malicious Web site.

The email attachment has the following name:
ecard.exe

When the worm executes, it creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"PromoReg" = "[PATH TO THREAT]"

It also creates the following registry entries:

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"RList" = "[HEXADECIMAL DIGITS]"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"MyID" = "[HEXADECIMAL DIGITS]"

Affected

  • Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.

Additional References

  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube