W32.Waledac is a worm that spreads by sending emails that contain links to copies of itself. It also sends spam, downloads other threats, and operates as part of a botnet.
W32.Waledac doesn’t spread automatically by sending itself to other computers, as most worms traditionally do. Instead, the people behind this threat launch periodic campaigns to spread the worm. These generally take the form of spam campaigns or fake websites and rely on some sort of social engineering trick to entice users into performing actions that result in the threat being installed.
In other situations W32.Waledac comes bundled with, or is downloaded by, other threats. The specific relationship between Waledac and these other threats isn’t always clear, but likely has much to do with the versatility of the threat.
W32.Waledac’s primary purpose is to make money. It does this by sending out spam and also by downloading and installing misleading applications. The spam that Waledac sends out appears to be for products tied to less-than-reputable vendors. The misleading applications that may be installed by the threat attempt to trick the user into paying for the applications. In both cases, the people behind Waledac likely make their money by receiving a portion of any profits made through misleading applications or by leasing out bandwidth, for a fee, to send spam.
Waledac also maintains a fairly robust botnet, with protection mechanisms and a decentralized architecture meant to make it difficult to bring down.
Symantec has observed the following geographic distribution of this threat.
Symantec has observed the following infection levels of this threat worldwide.