1

Waledac birdie_a.exe, birdie_b.exe, corvus_b.exe, william_a.exe Mixed in with FakeAv Download Scheme

We may be seeing the stirrings of yet another Waledac distribution. Servers at 95.211.8.215 and 95.211.8.161 have been serving up a number of unusually named files since the 20th that appear to maintain not only the common Waledac unpacking stub, but some of the classic characteristics of the Waledac trojan/worm — the email/spam engine, AES encrypted/bzip2 compressed P2P peering listing, DDoS capabilities, http C&C contact, email harvester, and credential stealing functionality. Along with the FakeAv downloads coming from these servers, these executables may be a variant on the spambot. We’ll update this post with more information as we more accurately identify the malware.

Update: Some of the files definitely are Waledac spam/dos bots, with encoded command and control communications retrieved from http://cismosis. com/up21.php (there are others), as evidenced here:

AV detection is surprisingly low for these executables, be sure to add a layer of behavioral protection to your system with ThreatFire.

This entry was posted in The Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>