I-Worm.Wallon
Details
I-Worm.Wallon.a
Wallon is an Internet worm that spreads via emails containing links to infected websites.
The infected emails contain the following link:
A screenshot of the infected message follows:
When users click on the link, an Internet Explorer vulnerability allows a script Trojan to be executed.
This Trojan extracts a downloader (about 36 KB, packed with ASPack) from itself which overwrites the wmplayer.exe file.
The downloader then downloads the main body of Wallon and installs it in the C drive root directory under the name alpha.exe. Wallon then changes the Internet Explorer home page to www.google.com.super-fast-search.apsua.com and creates its own toolbar in Explorer.
The main component of Wallon is a PE file about 150 KB in size, written in Delphi and packed by ASPack.
During installation Wallon creates the following system registry keys:
[HKCU\SOFTWARE\Microsoft\Internet Explorer\Main]
“Wh” = ?
Wallon then scans this key and, depending on the values, attempts to open www.pixpox.com. In this case, Wallon is acting as a clicker for this site, improving visitor statistics.
Wallon also sends infected emails to all addresses in the local MS Outlook address book using the indicated SMTP server.
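A host triage check for the artefacts listed above, as an added example that is not part of the original description. The `Start Page` value name, the Windows Media Player install paths and the size window around 36 KB are assumptions that the description does not state.

```powershell
# Added example: triage one Windows host for the Wallon.a artefacts described above.
# Run as the user being checked, because the registry data lives under HKCU.
$findings = @()

# 1. Main body: the description says it is installed as alpha.exe in the root of C:.
if (Test-Path -LiteralPath 'C:\alpha.exe' -PathType Leaf) {
    $findings += [pscustomobject]@{ Check = 'Dropped file'; Detail = 'C:\alpha.exe exists' }
}

# 2. Registry: the key is from the description. "Start Page" is the value where
#    Internet Explorer keeps the home page (assumption: not named in the description).
$ieMain = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main'
$main = Get-ItemProperty -LiteralPath $ieMain -ErrorAction SilentlyContinue
if ($main) {
    $startPage = [string]$main.'Start Page'
    if ($startPage -like '*super-fast-search.apsua.com*') {
        $findings += [pscustomobject]@{ Check = 'Home page'; Detail = $startPage }
    }
    # The worm creates a value named "Wh"; its data is not given, so only presence is tested.
    if ($main.PSObject.Properties.Name -contains 'Wh') {
        $findings += [pscustomobject]@{ Check = 'Registry value'; Detail = "Wh = $($main.Wh)" }
    }
}

# 3. wmplayer.exe overwritten by the ~36 KB downloader. The install paths and the
#    30-42 KB window are assumptions; treat a hit as a lead, not a verdict.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($root in $roots) {
    $wmp = Join-Path $root 'Windows Media Player\wmplayer.exe'
    if (Test-Path -LiteralPath $wmp -PathType Leaf) {
        $size = (Get-Item -LiteralPath $wmp).Length
        if ($size -ge 30KB -and $size -le 42KB) {
            $findings += [pscustomobject]@{ Check = 'wmplayer.exe size'; Detail = "$wmp ($size bytes)" }
        }
    }
}

if ($findings.Count -eq 0) { 'No Wallon.a artefacts found.' } else { $findings | Format-Table -AutoSize -Wrap }
```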