Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Waledac.AX
At a glance
Common name: Waledac.AX
Technical name: W32/Waledac.AX.worm
Threat level: Medium
Type: Worm
Effects: It sends spam messages related to pharmaceutical products. It spreads in email messages offering a fake service that purports to let users read the SMS messages received on any mobile phone.
Affected platforms: Windows 2003/XP/2000/NT/ME/98/95
First detected on: April 21, 2009
Detection updated on: April 21, 2009
Statistics: No
Brief Description
Waledac.AX is a worm designed to send spam messages related to pharmaceutical products to the email addresses gathered from the affected computer. Waledac.AX spreads via email in messages that offer a fake service that purports to let users read the SMS messages received on any mobile phone.
Visible Symptoms
Waledac.AX is easy to recognize, as it spreads via email in messages that offer a fake service that purports to let any user read the SMS messages received on any mobile phone.
Tech details
Effects
Waledac.AX carries out the following actions:
- It sends spam messages related to pharmaceutical products. It uses any of the following subjects:
Can your health problems be solved
Give you lover new intimate feeling.
Which one of enlarhing products really work?
Healthy news mail.
Imagine, how happy she will be if you take a blue pilule.
Now you can get it up before anyone does!
Your boner will be able to break the concrete walls.
Let your intimate wishes come true.
The following is an example of the spam it sends:
- If users follow the link included in the message, they are redirected to a website that sells different pharmaceutical products.
- It looks for email addresses on the affected computer in order to send them spam messages like this.
- It sends this information, encrypted, together with other types of information, such as passwords, in a file with a random name to different IP addresses, so that its creator can access the gathered data.
- It opens several ports in order to receive instructions from its creator, such as to send spam messages or to manage the gathered information.
Infection strategy
Waledac.AX creates a copy of itself with a random name and an EXE extension in the directory where it has been run.
Waledac.AX creates the following entries in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PromoReg = %path in which it has been run%\%copy of the worm%.exe
By creating this entry, Waledac.AX ensures that it is run whenever Windows is started.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RList
%random characters%
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\MyID
%random characters%
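The registry entries listed above can be checked for in an exported registry file. The following is an added example, not code from Panda Security: it scans the text of a .reg export for the PromoReg Run value and the RList and MyID entries. The sample export and the function names are constructed for illustration, and because the listing does not make clear whether RList and MyID are value names or subkeys, both forms are matched.

```python
import re

# Key paths from the page, lowercased because registry paths are case-insensitive.
CV = r"software\microsoft\windows\currentversion"
RUN_KEY = "hkey_local_machine\\" + CV + "\\run"
HKCU_CV = "hkey_current_user\\" + CV
MARKERS = {"rlist", "myid"}

# Constructed sample export (not taken from a real infection).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"PromoReg"="C:\\Documents and Settings\\user\\Desktop\\kqzvbn.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"RList"="q7f2k9x1"
"MyID"="b41c0d7e"
'''

def _decode(data):
    """Unescape a REG_SZ literal; other value types are returned as written."""
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return data

def find_indicators(reg_text):
    """Return (key, value_name, data) tuples matching the entries the page lists."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            key = section.group(1)
            parent, _, leaf = key.lower().rpartition("\\")
            # Assumption: RList/MyID may be subkeys rather than values.
            if parent == HKCU_CV and leaf in MARKERS:
                hits.append((key, None, None))
            continue
        value = re.fullmatch(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        if value is None or key is None:
            continue
        name, low = value.group(1), key.lower()
        if (low == RUN_KEY and name.lower() == "promoreg") or \
           (low == HKCU_CV and name.lower() in MARKERS):
            hits.append((key, name, _decode(value.group(2))))
    return hits

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_EXPORT):
        print(hit)
```

Files exported by regedit in the version 5.00 format are UTF-16 encoded, so decode them to text before passing them to find_indicators.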
Means of transmission
Waledac.AX spreads via email in messages that offer a fake service that purports to let any user read the SMS messages received on any mobile phone.
The message contains a link to a malicious website. If the user follows the link, a window opens prompting the user to download a file, which is a copy of the worm.
The filenames it uses are variable, but they are usually related to the fake software, such as TRIAL.EXE.
Using its own SMTP engine, it sends email messages like this to the email addresses it has gathered.
Further Details
Waledac.AX is 420,864 bytes in size and is compressed with UPX.