Waledac is CHEATING on you
Published: April 16 2009, 02:36 AM by Mary Grace Gabriel
Apart from the recent team up with the popular Win32/Conficker worm, as discussed in our recent post, Win32/Waledac has been relatively quiet of late.
April Fool’s Day and Easter have passed, but this culprit was nowhere to be seen. Win32/Waledac is well known for its social engineering tactics, using events such as New Year's and Valentine’s Day, as well as a fake Reuters news article, to make its way onto compromised machines.
Once again Win32/Waledac is active, with a new variant sending spam emails encouraging you to download a "Free Trial" application of SMS Spy. It seems that Waledac is trying to help you find out if your partner is cheating on you, but in truth Waledac is the cheat, luring you into downloading a copy of its executable.

[Figure 01 - SMS Spy lookalike page]
As you can see, the images found on the website that Waledac uses are familiar. That is because they are taken from the legitimate site www.spy-sms.com, which has nothing to do with the Win32/Waledac trojan or its scam website.
CA detects the malicious executables distributed from this new website as Win32/Waledac.KQ.
Like other Win32/Waledac variants, Waledac.KQ uses the family's old trick: it downloads a file that appears to be a harmless JPG but in reality contains an embedded malware executable. The image changes regularly, but the one shown in a previous post has been recycled with this new variant:
[Figure 02 - Recycled Image]
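A defender can triage a downloaded "JPG" of this kind with the check below. It is an added example, not code from this post or from CA; the function names and sample bytes are constructed. It assumes the payload is either appended after the image's end-of-image marker or present as a plain PE image, since the post does not describe the embedding layout; an encoded payload would show up only as trailing bytes.

```python
import struct

# Bytes that may follow 0xFF inside scan data without ending it (stuffing, fill, RSTn).
IN_SCAN = {0x00, 0xFF} | set(range(0xD0, 0xD8))

def jpeg_end(data: bytes) -> int:
    """Offset just past the EOI marker, found by walking segments; -1 if malformed."""
    if data[:2] != b"\xff\xd8":                      # SOI
        return -1
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            return -1
        marker = data[i + 1]
        if marker == 0xFF:                           # fill byte before a marker
            i += 1
            continue
        if marker == 0xD9:                           # EOI
            return i + 2
        if i + 4 > len(data):
            return -1
        i += 2 + struct.unpack_from(">H", data, i + 2)[0]
        if marker == 0xDA:                           # SOS: skip entropy-coded data
            while i + 1 < len(data) and not (data[i] == 0xFF and data[i + 1] not in IN_SCAN):
                i += 1
    return -1

def find_pe(blob: bytes) -> list:
    """Offsets of 'MZ' headers whose e_lfanew field points at a 'PE\\0\\0' signature."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if blob[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits

def inspect_jpeg(data: bytes) -> dict:
    """Report bytes after the image's real end and any plain PE image in the file."""
    end = jpeg_end(data)
    if end < 0:
        return {"jpeg": False, "trailing_bytes": 0, "pe_offsets": []}
    return {"jpeg": True, "trailing_bytes": len(data) - end, "pe_offsets": find_pe(data)}

# Constructed samples: a minimal JPEG skeleton and a stub PE header (not real malware).
CLEAN_JPG = b"\xff\xd8\xff\xe0\x00\x04JF\xff\xda\x00\x02\x12\xff\x00\x34\xff\xd9"
FAKE_PE = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
```

Any non-zero `trailing_bytes` on a file served as an image is worth a closer look even when `pe_offsets` is empty.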
For more information about the functionality of this family, please visit the Win32/Waledac Family analysis in our encyclopedia:
Always remember to keep away from these websites, in addition to updating your CA security products' signatures.
Till next time…