Win32.Wallon.A@mm

LOW
MEDIUM
36,352 bytes, 150,528 bytes
(Win32/Wallon.Worm | I-Worm.Wallon | WORM_WALLON.A | Win32.HLLW.Wallon.A)

Symptoms

- Presence of the following files:

wmplayer.exe has 36,352 bytes (usual location: C:\Program Files\Windows Media Player\wmplayer.exe)

C:\alpha.exe (150,528 bytes)


- Presence of the next registry keys or entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B1}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B2}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B3}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B4}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B5}]

Removal instructions:

- automatic removal: let BitDefender delete/disinfect files found infected.

Analyzed By

Patrik Vicol, BitDefender Virus Researcher

Technical Description:

This worm exploits two vulnerabilities: the ADODB.Stream object vulnerability in ActiveX and a URL obfuscation vulnerability in Internet Explorer.

Recommended updates:
http://www.microsoft.com/technet/security/bulletin/MS04-004.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx

This worm arrives by e-mail. The message has no attachment, but its body contains a link that apparently points to:

http://drs.yahoo.com/???????????/NEWS/

where ??????????? may be a valid domain.

Once the user has clicked the false link, the ADODB.Stream exploit in a CHM file downloads an executable (a downloader and hijacker) from the Internet, overwrites wmplayer.exe with it, and executes the newly downloaded file.
The downloader component hijacks the Internet Explorer start page and default search page, replacing them with:

http://www.google.com.super-fast-search.apsua.com/fast-find.htm
http://www.google.com.super-fast-search.apsua.com/search.htm

It also creates 5 buttons in Internet Explorer (named SEARCH, ENTERTAINMENT, PILLS, SECURITY, SEARCH) using the following registry entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B1}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B2}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B3}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B4}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B5}]

pointing to:

http://www.google.com.super-fast-search.apsua.com/find.htm
http://www.google.com.super-fast-search.apsua.com/av.htm
http://www.google.com.super-fast-search.apsua.com/med.htm
http://www.google.com.super-fast-search.apsua.com/check.htm
http://www.google.com.super-fast-search.apsua.com

Next, it attempts to download another file from the Internet to C:\alpha.exe (150,528 bytes) and execute it.
Once run, alpha.exe attempts to find e-mail addresses and sends an e-mail like the one described above.

Note: this worm appears to be part of a scam involving a dialer, and its distribution uses various languages.
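As an added example (not Bitdefender's own tool), the following Python script checks a machine against the symptoms listed above: the two file sizes, the six IE Extensions GUIDs, and a start page whose real host is apsua.com despite beginning with www.google.com. The helper names and the HKCU "Start Page" registry value it reads are assumptions, not taken from the description.

```python
# Added example, not Bitdefender's own tool. Indicator values are the ones
# listed above; helper names and the HKCU "Start Page" value are assumptions.
import os
import sys
from urllib.parse import urlsplit

BAD_SIZES = {r"C:\Program Files\Windows Media Player\wmplayer.exe": 36352,
             r"C:\alpha.exe": 150528}
EXT_KEY = r"Software\Microsoft\Internet Explorer\Extensions"
EXT_GUIDS = {"{c95fe080-8f5d-11d2-a20b-00aa003c157a}"} | {  # the six GUIDs above, lower-cased
    f"{{fe5a1910-f121-11d2-be9e-01c04a7936b{i}}}" for i in range(1, 6)}
HIJACK_DOMAIN = "apsua.com"

def is_hijack_url(url):
    """True when the real host is apsua.com or a subdomain of it. hostname drops any
    'user@' prefix (the MS04-004 spoof), so www.google.com@apsua.com also matches."""
    host = (urlsplit(url).hostname or "").lower()
    return host == HIJACK_DOMAIN or host.endswith("." + HIJACK_DOMAIN)

def assess(file_sizes, ext_guids, start_page):
    """Pure check over collected state; returns findings (empty list = clean)."""
    findings = []
    for path, bad in BAD_SIZES.items():
        if file_sizes.get(path) == bad:
            findings.append(f"{path} has the infected size {bad:,} bytes")
    hits = sorted(g.lower() for g in ext_guids if g.lower() in EXT_GUIDS)
    if hits:
        findings.append(f"Wallon IE button keys under {EXT_KEY}: {', '.join(hits)}")
    if is_hijack_url(start_page):
        findings.append(f"IE start page hijacked: {start_page}")
    return findings

def collect_from_host():
    """Reads the same state from the local machine (registry part is Windows-only)."""
    sizes = {p: os.path.getsize(p) for p in BAD_SIZES if os.path.isfile(p)}
    guids, start_page = set(), ""
    if sys.platform == "win32":
        import winreg
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, EXT_KEY) as k:
                guids = {winreg.EnumKey(k, i) for i in range(winreg.QueryInfoKey(k)[0])}
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Internet Explorer\Main") as k:
                start_page = winreg.QueryValueEx(k, "Start Page")[0]
        except OSError:
            pass  # key or value absent: nothing to report from it
    return sizes, guids, start_page

if __name__ == "__main__":
    print("\n".join(assess(*collect_from_host())) or "no Wallon.A indicators found")
```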