Published: January 07 2009, 09:43 PM
by Zarestel Ferrer

If you prefer not to get a nasty surprise with your eCards, avoid Win32/Waledac, as this New Year the trojan is still alive and kicking, with new variants in-the-wild.

Last Christmas season Win32/Waledac was actively propagating via email and malicious websites. We already knew Win32/Waledac was being downloaded by Win32/Kollah variants from mirabellanews.com as an embedded, encrypted object in JPG files.

In addition to that, we also found the website shown below, distributing new samples of Win32/Waledac. We currently detect the new variants as Win32/Waledac.E, Win32/Waledac.F and Win32/Waledac.G.

Using Malzilla, we inspected the site and found out that it is made of one big image, waiting for you to click on it. Below, you can see a screen capture showing the source code behind the webpage. The source reveals that “img.gif” is linked to “card.exe”.

If you happen to execute it on your computer, one easily observable effect is that Waledac can make your system run sluggishly. The capture below depicts the trojan utilizing 100% CPU.

Once running, Win32/Waledac gathers emails addresses stored on your system and sends the information to one of its web servers:

Please watch out for these kinds of malicious websites and be careful what you are clicking on.