Trojan:W32/Waledac.A

Installation

• A Christmas card from a friend
• A special card just for you A special card just for you, Christmas Ecard Notification Notification Christmas Ecard, Christmas Ecard Special Delivery Special Delivery Christmas Ecard, Christmas Wishes! Christmas Wishes!
• Christmas card for you Christmas card for you, Christmas greetings e-card is waiting for you Christmas greetings e-card is waiting for you, Christmas greetings for you Christmas greetings for you, Christmas greetings from your friend Christmas greetings from your friend, Greeting for you! Greeting for you!
• Happy Christmas! Happy Christmas!
• Have a warm an lovely Christmas! Have a lovely warm an Christmas!
• I made an Ecard for U! I made an Ecard for U!
• I sent you the ecard I sent you the ecard .Joyful Christmas! Joyful Christmas!
• Merry Christmas 'N Happy New Year! Merry Christmas' N Happy New Year!
• Merry Christmas 2009! Merry Christmas 2009!
• Merry Christmas To You! Merry Christmas To You!
• Merry Christmas card for you! Merry Christmas card for you!
• Merry Christmas e-card is waiting for you Merry Christmas e-card is waiting for you, Merry Christmas greetings for you Merry Christmas greetings for you, Merry Christmas wishes just for you Merry Christmas wishes just for you, Merry Christmas! Merry Christmas!
• Merry Xmas! Merry Xmas!
• Warmest Wishes For Christmas! Warmest Wishes For Christmas!
• Wish You A Merry Christmas! Wish You A Merry Christmas!
• Xmas card for you Xmas card for you
• Xmas card is waiting for you Xmas card is waiting for you, You Have An E-card Waiting For You! You Have An E-Card Waiting For You!
• You Received an Ecard. You Received an Ecard.
• You have a Christmas Greeting! You have a Christmas Greeting!
• You have a greeting card, You have a greeting card, You have received a Christmas E-card You have received a Christmas e-card, You have received a Christmas greetings card You have received a Christmas card greetings, You have received an E-card You have received an E-card, You've got a Christmas E-card You've got a Christmas e-card, You've got a Christmas greetings card You've got a Christmas card greetings, You've got a Merry Christmas E-card You've got a Merry Christmas E-card, You've got a Merry Christmas greeting card You've got a Merry Christmas greeting card, You've got a Xmas e-card You've got a Xmas e-card, You've got an e-card You've got an e-card

Propagation

• .avi
• .mov
• .wmv
• .mp3
• .wave
• .wav
• .wma
• .ogg
• .vob
• .jpg
• .jpeg
• .gif
• .bmp
• .exe
• .dll
• .ocx
• .class
• .msi
• .zip
• .7z
• .rar
• .jar
• .gz
• .hxw
• .hxh
• .hxn
• .hxd

Data Stealing

• 116.122.25.144
• 116.16.203.123
• 116.254.87.118
• 116.73.41.45
• 116.74.181.12
• 118.101.212.97
• 118.39.80.191
• 119.1.16.8
• 119.154.9.151
• 119.99.195.58
• 121.243.167.55
• 124.115.101.170
• 124.13.227.4
• 124.21.244.186
• 124.79.29.116
• 125.163.244.92
• 125.36.151.115
• 125.41.87.82
• 125.45.67.194
• 148.245.125.199
• 151.33.215.0
• 165.194.27.11
• 189.41.17.132
• 189.41.30.130
• 189.42.164.145
• 194.120.84.9
• 199.203.64.235
• 200.120.152.186
• 200.125.92.244
• 200.165.243.185
• 200.55.160.124
• 200.82.185.119
• 201.212.68.161
• 201.216.3.229
• 201.231.145.111
• 201.27.196.253
• 201.79.228.217
• 209.83.88.3
• 209.87.251.55
• 210.119.19.61
• 212.69.49.12
• 213.66.99.225
• 217.129.86.162
• 217.26.165.146
• 220.224.231.73
• 221.223.130.74
• 24.116.119.157
• 24.209.2.161
• 24.222.92.246
• 24.24.186.141
• 24.82.3.140
• 60.218.245.51
• 60.31.94.54
• 61.102.212.18
• 61.238.16.83
• 64.184.89.202
• 68.41.238.247
• 68.91.129.102
• 69.37.168.16
• 70.61.170.203
• 71.121.79.208
• 72.177.194.167
• 72.24.203.145
• 72.241.49.144
• 72.38.168.67
• 76.124.149.22
• 76.25.195.117
• 76.89.100.221
• 76.9.39.158
• 77.109.39.105
• 77.252.98.96
• 77.29.194.238
• 77.65.140.248
• 77.81.248.158
• 80.117.119.193
• 80.183.57.117
• 80.232.245.52
• 80.66.240.179
• 81.111.41.240
• 81.172.96.184
• 81.18.72.138
• 81.184.102.33
• 81.31.167.5
• 81.31.183.214
• 81.84.31.144
• 82.154.44.107
• 82.233.183.147
• 82.56.63.197
• 82.61.43.115
• 82.78.142.146
• 83.131.228.111
• 83.132.209.172
• 83.191.233.15
• 83.31.140.66
• 84.109.6.14
• 84.122.132.201
• 84.125.99.94
• 84.16.228.132
• 84.228.137.182
• 84.237.134.103
• 84.26.190.246
• 84.3.93.129
• 85.130.29.52
• 85.130.30.117
• 85.133.206.120
• 85.152.62.104
• 85.185.119.42
• 85.196.183.244
• 85.201.43.175
• 85.232.254.214
• 85.255.109.83
• 85.64.79.166
• 86.100.217.214
• 86.107.149.138
• 86.126.20.9
• 86.126.37.96
• 86.4.67.129
• 86.66.131.160
• 87.110.51.157
• 87.16.10.84
• 87.5.40.197
• 87.67.94.212
• 87.69.73.78
• 87.69.83.37
• 87.97.40.218
• 88.148.101.139
• 88.160.7.118
• 88.222.201.105
• 89.1.27.149
• 89.138.89.17
• 89.141.52.164
• 89.160.77.132
• 89.165.120.134
• 89.165.68.177
• 89.165.78.95
• 89.39.168.174
• 89.45.136.200
• 89.74.204.108
• 89.75.11.4
• 89.77.53.132
• 92.112.248.195
• 92.249.152.117
• 93.126.72.83
• 93.172.160.70
• 93.177.144.51
• 98.197.170.70
• 98.221.243.14
• 99.144.153.58
• 99.236.47.238
• 99.244.169.127

Registry Modifications

• [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\] PromoReg = %ExecutablePath%

• [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion] RList = %HexadecimalValue%
• [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion] MyID = %HexadecimalValue%