W32.Waledac.B

5 January 2011 Rogue 0 Comment

W32.Waledac.B is a dangerous computer worm that will propagate by using the infected computer as mass-sender of emails containing malicious links. W32.Waledac.B also gathers contact information from the compromised system and sends spam messages or holiday greeting cards that are part of a botnet operation. This worm may also download additional threats from a remote server.

Alias: BKDR_KELIHOS.K, WORM_KELIHOS.SM  

Damage Level: High

Systems Affected: Windows 9x, 2000, XP, Windows Vista

Characteristics

• The worm will allow a remote attacker to gain access on infected system through TCP port 80 and UDP port 445.
• It also connects to specified IP addresses and updates itself.

Distribution
W32.Waledac.B is spread through spam email messages as holiday greeting cards. This message contains a malicious link. Upon execution, the worm will gather email address on the infected system and mass-mail a copy of the same infection. Some sample email messages are as follows:

Subject: Cordelia sent you New Year Wishes!
Message:
Cordelia sent a New Year card.
View the card by clicking: [malicious URL] Your eCard will be available for the next 20 days.

Subject: Happy New Year 2011!
Message:
Saul mailed an Online greeting card.
To pick up your greeting card, click on the following link:
[malicious URL] Your eCard will be available with us for the next 30 days.

Added Registry Entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SmartIndex" = "[PATH TO WORM]"
HKEY_CURRENT_USER\Software\Google\"ID" = "[HEXADECIMAL DIGITS]"
HKEY_CURRENT_USER\Software\Google\"ID2" = "[HEXADECIMAL DIGITS]"
HKEY_CURRENT_USER\Software\Google\"ID3" = "[HEXADECIMAL DIGITS]"\mswsock32.dll"

1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. To be able to identify even the most recent variant of W32.Waledac.B, open your antivirus application and update the virus definition file.

3. Start Windows in Safe Mode with Networking.
- From a power-off state, turn on the computer and press F8 on your keyboard repeatedly.
- Your computer will display Windows Advanced Boot Options menu. Please select Safe Mode with Networking.
- The system will now boot Windows and loads only necessary drivers and files.

4. Open your antivirus program and run a full system scan. After the scan, delete all infected items. If unable to delete, better place them in quarantine. Once the scan is complete, please proceed with the next step.

Scan with Norton Power Eraser:

Additional virus removal tool like Norton Power Eraser provides deep scanning technology to eliminate other threats not detected by a normal virus scan. Use this tool with extra caution.

5. Go to this link and download Norton Power Eraser.
6. Once the download completes, double click on the file NPE.exe to run the program.
7. It will prompt for End User License Agreement, click on Accept to continue.
8. On NPE main window, click on Scan. Then select Exclude Rootkit Scan. Click on Continue to proceed.
9. Virus scanning may take some time. After running the scan, NPE will display the scan result.

Important! If there are any detected threats under Suspicious, remove the check mark. Only threats in Detected category are necessary to remove at this point. Make sure that you mark the Create System Restore Point before proceeding with the fix.

10. Now click on Fix to start removing the threats including W32.Waledac.B remnants if there are any.
11. When done, Norton Power Eraser will restart the computer. Then after a reboot, it will initialize and display the eliminated threats.
12. You may now close Norton Power Eraser.