|
|
I-Worm.Wallon. Viruses Information
| Name: |
I-Worm.Wallon. |
| Category: |
Viruses |
| Description:
|
Details
I-Worm.Wallon.a
Wallon is an internet worm that spreads via emails containing links to an infected websites.
The infected emails contain the following link:
A screenshot of the infected message follows:
When users click on the link an Internet Explorer vulnerability allows a script Trojan to be executed.
This Trojan extracts a downloader (about 36 KB, packed with ASPack) from itself which overwrites the wmplayer.exe file.
The downloader then downloads the main body of Wallon and installs it in the C drive root directory under the name alpha.exe. Wallon then changes the Internet Explorer home page to www.google.com.super-fast-search.apsua.com and creates its own toolbar in Explorer.
The main component of Wallon is a PE file about 150 KB in size, written in Delphi and packed by ASPack.
during installation Walon creates the following system registry keys:
[HKCUSOFTWAREMicrosoftInternet ExplorerMain]
"Wh" = ?
Wallon then scans this key and depending on the values attempts to open www.pixpox.com. In this case, Wallon is acting as a clicker for this site, improving visitor statistics.
Wallon also sends infected emails to all addresses in the local MS Outlook address book using the indicated SMTP server. |
Top Viruses Visited Pages:
Invader. - 239 visits
not-a-virus:RiskWare.Tool.RegPatch. - 72 visits
Worm.P2P.Harex. - 66 visits
not-a-virus:RemoteAdmin.Win32.RAdmin.2 - 60 visits
Small.58. - 56 visits
Coito.64 - 54 visits
I-Worm.Mapson. - 48 visits
Win16.Klon.1177 - 42 visits
Win32.Hidra - 42 visits
Marine.500 - 35 visits
Random Viruses Pages:
An
Macro.PPoint.ShapeShif
Penza Famil
Kela Famil
Oeur.307
Patras.234
Maus.188
Zi
Stranger.73
Attack.358
|
|
