Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: MEDIUM
Payload: Downloads diallers/adware/malware
Detection files published: 10 May 2004 03:00:00
Description created: 12 May 2004 02:45:00
Description updated: 12 May 2004 02:45:00
Malware type: WORM
Alias: I-Worm.Wallon, WORM_WALLON.A, W32/Wallon.worm.a, W32.Wallon.A@mm
Spreading mechanism: EMAIL
Summary: None

W32/Wallon.A

Spreading

When the URL in the email is clicked, Wallon.A is downloaded and will overwrite Windows Media Player if it resides in any of the following locations:

C:\Programmer\Windows Media Player\wmplayer.exe
C:\Program\Windows Media Player\wmplayer.exe
C:\Programme\Windows Media Player\wmplayer.exe
C:\Programmi\Windows Media Player\wmplayer.exe
C:\Programfiler\Windows Media Player\wmplayer.exe
C:\Programas\Windows Media Player\wmplayer.exe
C:\Archivos de programa\Windows Media Player\wmplayer.exe
C:\Program Files\Windows Media Player\wmplayer.exe

The names of downloaded files vary and may be:

de.exe, dk.exe, es.exe, gb.exe, gr.exe, ie.exe, NEWE.CHM, newe.exe, no.exe, not.exe, pt.exe
sde.exe (dialler), sdk.exe (dialler), ses.exe (dialler), sgb.exe (dialler), sgr.exe (dialler), sie.exe (dialler), sno.exe (dialler), spt.exe (dialler)
sys.chm, sys.exe, sys.exe.old
sysde.chm, sysde.exe, sysdk.chm, sysdk.exe, syses.chm, syses.exe, sysgb.chm, sysgb.exe, sysgr.chm, sysgr.exe, sysie.chm, sysie.exe, sysno.chm, sysno.exe, syspt.chm, syspt.exe

It is also possible for more than one file to be downloaded and executed.

Wallon will create the following registry value, presumably as an infection marker:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Wh = "yes"

The worm will then harvest email addresses from the Windows Address Book and send an HTML mail to all addresses found. The mail will contain a URL in the following format:

http://drs.yahoo.com/

Once the URL is clicked, it is redirected many times until Wallon is downloaded and executed.

Payload Details

Wallon.A will attempt to download and run diallers, adware and other malicious software. It is also possible for Wallon to change the homepage in Internet Explorer or install a browser helper object known as Cool Web Search.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:11