WORM_WALLA.B
Overview

Malware type: Worm

Aliases: Trojan.Win32.Agent.ahw (Kaspersky), W32/Azzag@MM (McAfee), W32.Huegone@mm (Symantec), TR/Agent.ahw.1 (Avira), W32/Walla-B (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential: High

Distribution potential: High

Infection Channel 1: Propagates via email


Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

WORM_WALLA.B Behavior Diagram

Malware Overview

Upon execution, this worm first retrieves the target system's keyboard layout settings, presumably to determine whether the language used is Arabic or Persian, which indicates a targeted attack on regions that use these languages. If the affected system does not use either language, it terminates itself.

It also terminates itself if the current month is September to December and if the current day is not 1.

It usually arrives as an attachment to email messages. It gathers target email addresses from an affected user's Yahoo! Mail and Microsoft Outlook address books. It then sends a copy of itself using a random file name to the email addresses it harvests. The following are the details of the email messages it sends:

Subject: (any of the following)
• About Iran
• About Israel
• About Lebanon
• About the Israeli Intelligence
• All the Truth about the American intelligence
• Amazing
• Big one
• Big shot
• Huge one
• Incredible
• Must see
• Pictures from Gazza
• Pictures from Iraq
• Porno one
• S&m
• Take a look
• Try this
• Unbelievable
• Walla
• WOW

Message body: (any of the following)
• About Iran
• About Israel
• About Lebanon
• About the Israeli Intelligence
• All the Truth about the American intelligence
• Amazing
• Big one
• Big shot
• Huge one
• Incredible
• Must see
• Pictures from Gazza
• Pictures from Iraq
• Porno one
• S&m
• Take a look
• Try this
• Unbelievable
• Walla
• WOW

Attachment: {Random seven characters}.EXE
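The message details above translate directly into a mail-filter check. The following Python code is an added example, not part of the original write-up or any Trend Micro tooling; it assumes the seven random characters are letters or digits, and the function names and sample messages are constructed for illustration.

```python
import re
from email.message import EmailMessage, Message

# Subject/body strings from the lists above, compared case-insensitively.
WALLA_STRINGS = {s.lower() for s in (
    "About Iran", "About Israel", "About Lebanon",
    "About the Israeli Intelligence",
    "All the Truth about the American intelligence",
    "Amazing", "Big one", "Big shot", "Huge one", "Incredible", "Must see",
    "Pictures from Gazza", "Pictures from Iraq", "Porno one", "S&m",
    "Take a look", "Try this", "Unbelievable", "Walla", "WOW",
)}
# Assumption: the seven random characters are letters or digits.
ATTACHMENT_RE = re.compile(r"[A-Za-z0-9]{7}\.exe", re.IGNORECASE)


def score_message(msg: Message) -> dict:
    """Report which of the three described traits a message shows."""
    subject = (msg.get("Subject") or "").strip().lower()
    body_hit = attach_hit = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:  # attachment part: test the file name only
            attach_hit = attach_hit or bool(ATTACHMENT_RE.fullmatch(name.strip()))
        elif part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            text = raw.decode(part.get_content_charset() or "utf-8", "replace")
            body_hit = body_hit or text.strip().lower() in WALLA_STRINGS
    return {"subject": subject in WALLA_STRINGS, "body": body_hit,
            "attachment": attach_hit}


def is_suspect(msg: Message) -> bool:
    """Flag only when the attachment pattern co-occurs with a listed string."""
    s = score_message(msg)
    return s["attachment"] and (s["subject"] or s["body"])


def build_sample(subject: str, body: str, filename: str) -> EmailMessage:
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"MZ", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m
```

Requiring the attachment pattern together with a listed subject or body keeps ordinary mail with a seven-character executable name, or a subject such as "Amazing", from being flagged on one trait alone.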

Moreover, it drops two randomly named .TMP files, which are copies of the legitimate files CMD.EXE and CSCRIPT.EXE, in the Windows Temporary folder. These files are used to execute two Visual Basic (VB) script files, which this worm also drops. The VB script files have random file names with a .TMP extension.

One of the VB script files handles the mass-mailing routine of this worm using the Outlook.Application object. The other VB script file terminates the active Microsoft Outlook application and prevents the user from using that mail application.


Description created: Mar. 28, 2007 3:06:30 AM GMT -0800
