Malicious Waledac for Your Sweetheart
Published: February 09 2009, 09:07 PM by Mary Grace Gabriel
We received some new spam emails from Win32/Waledac:
Spam emails could have the following subject lines:
- <sender name> has sent you a Valentine’s Day E-Card!
- A Valentine’s Day E-Card from <sender name>
- Greetings from <sender name>
Clicking on the link leads the user to a seemingly cuddly website like this one:
Looking at the website’s source code, we can see that clicking on the image runs an executable:
Currently, the trojan executables are being delivered from these websites:
The executables are delivered with the following filenames:
Card.exe
cardviewer.exe
devkit.exe
download.exe
ecard.exe
install.exe
lovecard.exe
lovekit.exe
Loveu.exe
Luv.exe
Programm.exe
vcard.exe
viewer.exe
CA detects these files as Win32/Waledac.AJ.
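A mail-triage check built from the subject lines and filenames listed above, as an added example that is not code from the original post or from CA. The function names, the regular expressions and the sample message (with an example.com host) are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Subject templates from the post; <sender name> is treated as any non-empty text.
SUBJECT_PATTERNS = [re.compile(p, re.I) for p in (
    r"^.+ has sent you a Valentine['\u2019]s Day E-Card!$",
    r"^A Valentine['\u2019]s Day E-Card from .+$",
    r"^Greetings from .+$",
)]
# Download filenames from the post, compared case-insensitively.
FILENAMES = {n.lower() for n in (
    "Card.exe", "cardviewer.exe", "devkit.exe", "download.exe", "ecard.exe",
    "install.exe", "lovecard.exe", "lovekit.exe", "Loveu.exe", "Luv.exe",
    "Programm.exe", "vcard.exe", "viewer.exe")}
EXE_REF = re.compile(r"[^\s\"'<>=()]+\.exe\b", re.I)

def exe_links(text: str) -> list[str]:
    """Links or hrefs in an email body or saved page source that end in a listed filename."""
    return [ref for ref in EXE_REF.findall(text)
            if PurePosixPath(urlsplit(ref).path).name.lower() in FILENAMES]

def triage(raw_message: str) -> list[str]:
    """Reasons a message matches the campaign traits; an empty list means no match."""
    msg = message_from_string(raw_message)
    reasons = []
    subject = str(make_header(decode_header(msg.get("Subject", "")))).strip()
    if any(p.match(subject) for p in SUBJECT_PATTERNS):
        reasons.append(f"subject: {subject}")
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            text = body.decode(part.get_content_charset() or "utf-8", "replace")
            reasons += [f"link: {ref}" for ref in exe_links(text)]
    return reasons

# Constructed sample message (example.com host, not from the post).
SAMPLE = (
    "From: friend@example.com\n"
    "Subject: Alice has sent you a Valentine's Day E-Card!\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<a href="http://cards.example.com/ecard.exe"><img src="heart.jpg"></a>\n'
)

if __name__ == "__main__":
    for reason in triage(SAMPLE):
        print(reason)
```

The "Greetings from" template is broad, so a subject-only hit is a weak signal; a hit from `exe_links` on the message body or on the saved source of the linked page is the stronger one.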
Once running, Waledac may also download a file that appears to be a harmless .JPG (pictured below), but actually comes embedded with a malicious executable that we detect as a Win32/SillyDl trojan.
For more information on Win32/Waledac.AJ, please see the full analysis in our encyclopedia:
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77663
And remember to keep away from these websites, in addition to always updating your security product’s signatures.
Till next time!
Thanks to Meths Ferrer and Zarestel Ferrer for their assistance.