New E-holiday Card Virus Surfaces

A new worm has emerged that could be much worse than the notorious Storm worm, which ruled the botnet world for nearly two years.

Like the Storm worm, the latest worm, which anti-virus vendor ESET calls W32/Waledac, spreads through an e-mail telling recipients they have received an e-holiday card and asking them to click a link pointing to a file named ecard.exe to read it.

When they do, the link downloads a backdoor that connects to another Web site and sends information from their PCs to it, Pierre-Marc Bureau, a researcher at ESET, told

But W32/Waledac’s capabilities go well beyond those of the Storm worm, which took over up to 50 million PCs, according to security experts. Bureau said it uses the open source OpenSSL library and can download and verify cryptographic certificates and communicate with Web servers over the Secure Sockets Layer (SSL).

“That will let it communicate with the server and send and receive encrypted mail,” Bureau said. Because the traffic is encrypted, intrusion detection systems on the network cannot inspect its contents, which makes the worm harder to detect; users will have to put intrusion detection systems on their workstations instead, Bureau said.

Unlike the Storm worm, which used C and assembly languages, W32/Waledac uses high-level C++ with standard string libraries compiled with Microsoft (NASDAQ: MSFT) Visual Studio. “It’s higher-level than the Storm worm,” Bureau said.

Like the Storm worm, Waledac uses fast-flux DNS, a technique in which a domain name resolves to a rapidly changing set of IP addresses with short TTLs, so that a new server takes over whenever the current one is blacklisted by ISPs (Internet service providers) for spamming.

However, W32/Waledac uses only four domain names, and that makes it easy to block, Bureau said. “The network administrator in an enterprise network just has to block those four names from their DNS servers,” he explained.
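The two ideas above, spotting a fast-flux name from its DNS behaviour and then sinking the name at the enterprise resolver, can be scripted. The following is an added example, not code from the article or from ESET: it runs a simple fast-flux heuristic over constructed DNS lookup snapshots (the domain names, addresses, TTLs and thresholds are all placeholders; Waledac's real four names are not given in the article) and renders a BIND Response Policy Zone that answers NXDOMAIN for whatever names the administrator decides to block.

```python
"""Added example (not from the article or ESET): fast-flux heuristic over
constructed DNS snapshots, plus an RPZ block zone for the flagged names."""
from ipaddress import ip_address

# Constructed sample data: (domain, TTL in seconds, A records) as returned by
# four successive lookups. The names are placeholders in the reserved
# .invalid TLD and the addresses are documentation ranges, not real infrastructure.
CONSTRUCTED_LOOKUPS = [
    ("flux-example.invalid", 60, ["198.51.100.7", "203.0.113.14", "192.0.2.33"]),
    ("flux-example.invalid", 60, ["203.0.113.91", "198.51.100.200", "192.0.2.58"]),
    ("flux-example.invalid", 60, ["192.0.2.101", "203.0.113.7", "198.51.100.45"]),
    ("flux-example.invalid", 60, ["203.0.113.150", "192.0.2.9", "198.51.100.88"]),
    ("static-example.invalid", 3600, ["192.0.2.10"]),
    ("static-example.invalid", 3600, ["192.0.2.10"]),
    ("static-example.invalid", 3600, ["192.0.2.10"]),
    ("static-example.invalid", 3600, ["192.0.2.10"]),
]


def summarize(lookups):
    """Per domain: number of lookups, lowest TTL seen, distinct IPs and distinct /16s."""
    stats = {}
    for name, ttl, ips in lookups:
        s = stats.setdefault(name, {"lookups": 0, "min_ttl": None, "ips": set(), "nets": set()})
        s["lookups"] += 1
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        for ip in ips:
            addr = ip_address(ip)
            s["ips"].add(addr)
            s["nets"].add(int(addr) >> 16)  # /16 prefix as a cheap "different network" proxy
    return stats


def is_fast_flux(s, max_ttl=300, min_ips=5, min_nets=3):
    """Short TTL plus many addresses spread over several networks.
    The thresholds are an assumption chosen for this example, not a standard."""
    return s["min_ttl"] <= max_ttl and len(s["ips"]) >= min_ips and len(s["nets"]) >= min_nets


def flagged_domains(lookups):
    """Sorted list of domains whose lookup history matches the fast-flux heuristic."""
    return sorted(name for name, s in summarize(lookups).items() if is_fast_flux(s))


def rpz_zone(domains):
    """Render a BIND Response Policy Zone. In RPZ, 'name CNAME .' is the NXDOMAIN
    action; the wildcard entry also covers every label beneath the name."""
    lines = [
        "$TTL 300",
        "@ IN SOA localhost. root.localhost. 1 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for d in domains:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    blocked = flagged_domains(CONSTRUCTED_LOOKUPS)
    print("flagged:", blocked)
    print(rpz_zone(blocked))
```

The heuristic only works on the resolver's own view of the names, so it needs the lookups to pass through a resolver you log. The block zone addresses exactly the weakness Bureau describes: a handful of hard-coded names is a single point of failure for the botnet, but a sample that later switches to new names or to hard-coded IP addresses would need the list refreshed.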

W32/Waledac first hit the Web in March, and has only just resurfaced, according to Bureau.

Open Source not always for good guys

It uses the open source UPX packer, a free, portable, extensible, high-performance executable packer distributed under the terms of the GNU General Public License. UPX is very well known and is available freely on the Internet, Bureau said.

A packer works like a Zip file: it compresses (and often encrypts) the executable and wraps it in a small stub that unpacks it in memory at run time. Because the real code is not visible until it is unpacked, compressing malware makes it harder for lab engineers to deconstruct.

Custom packers are very difficult to open and extract information from, unlike open source packers like UPX, Bureau said. “This shows they might be a bit less professional than the guys who wrote Storm, which was well known for having custom packers which changed every 15 minutes,” he added.
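Bureau's distinction between a stock UPX sample and a custom-packed one is something an analyst checks in the first minute of triage. The following is an added example, not code from the article or from ESET: it builds a minimal, non-runnable PE image in memory (a constructed stand-in for the real ecard.exe, which is not on the page) and shows the two quick indicators of an unmodified UPX build, the UPX0/UPX1 section names and the "UPX!" header magic. Everything else in the constructed image is zeroed.

```python
"""Added example (not from the article or ESET): minimal PE section-table
parser used to spot a stock UPX-packed binary by its section names and the
'UPX!' magic that UPX writes into its packed header."""
import struct


def build_pe(section_names, opt_header_size=224):
    """Construct a minimal PE image with the given section names.
    Only the fields the parser below reads are meaningful; the rest is zero.
    This is a constructed stand-in, not a real sample."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)           # 64-byte DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_header_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_header_size - 2)           # PE32 optional header
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode("ascii"), 0, 0, 0, 0, 0, 0, 0, 0, 0)
        for n in section_names                                                # 40 bytes per section
    )
    return dos + b"PE\0\0" + coff + opt + table


def section_names(data):
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    names = []
    for i in range(nsections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def upx_indicators(data):
    """Stock UPX leaves sections named UPX0/UPX1 (UPX2 for resources) and a
    'UPX!' magic in its packed header. Either can be scrubbed by hand."""
    hits = [n for n in section_names(data) if n.upper().startswith("UPX")]
    return {"sections": hits, "upx_marker": b"UPX!" in data}


def looks_upx_packed(data):
    ind = upx_indicators(data)
    return bool(ind["sections"]) or ind["upx_marker"]


if __name__ == "__main__":
    # Constructed samples: one mimicking a stock UPX layout, one an ordinary build.
    packed = build_pe(["UPX0", "UPX1", ".rsrc"]) + b"UPX!"
    plain = build_pe([".text", ".data", ".rsrc"])
    print("packed:", section_names(packed), upx_indicators(packed))
    print("plain: ", section_names(plain), upx_indicators(plain))
```

When both indicators are present, the stock decompressor (`upx -d sample.exe`) normally restores the original binary. Their absence is not proof of a custom packer, since renaming the sections and overwriting the magic is a common way to defeat `upx -d` while still using UPX's algorithm; that is the kind of extra effort that separates the custom packers Bureau attributes to Storm from the off-the-shelf packing seen here.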

Or, they could have obtained an application that makes it easy to create malware. Cyber criminal gangs release developer kits to get wannabe hackers, also known as script kiddies, to create malware that will capture the attention of cyber crime fighters, who will then be distracted from fighting more dangerous malware.

Kevin Haley, director of product management at Symantec (NASDAQ: SYMC), said the sites hosting W32/Waledac have been taken down. “Typically, these things don’t stay up for very long,” he told “If you get enough people you don’t have to stay up very long.”
