WORM_WALLON.A
Overview

Malware type: Worm

Aliases: Email-Worm.Win32.Wallon.b (Kaspersky), W32/Wallon.worm.gen (McAfee), W32.Wallon.A@mm (Symantec), Worm/Wallon.B.1 (Avira), W32/Wallon-A (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, NT, ME, 2000, XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This mass-mailing worm exploits a known security flaw in Microsoft Outlook Express, the MHTML vulnerability, which enables it to download files without the user's knowledge.

For more information about this Windows vulnerability, please refer to the following Web pages:

This worm propagates by sending an HTML-based email message that contains a hyperlink in its message body. It gathers its recipients from the local machine's Windows Address Book (WAB), then uses the currently logged on user's email account details for its spammed email.

The email message this worm sends contains the following details:

From: <Account Name>
Subject: Re:
Message body:
http://drs.<BLOCKED>ahoo.com/<domain name>/NEWS
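As an added illustration (not part of the Trend Micro write-up), a mail-gateway check in Python that flags messages matching the propagation pattern described above: an exact "Re:" subject and a hyperlink to a "drs." host whose path ends in "/NEWS". The sample messages and the REDACTED-HOST placeholder are constructed, since the page blocks the real domain.

```python
import re
from email import message_from_string
from email.message import Message
from typing import Optional

# Indicators taken from the write-up: subject is exactly "Re:" and the body
# carries a link of the form http://drs.<BLOCKED>ahoo.com/<domain name>/NEWS.
# The blocked host part is matched as a wildcard because the page redacts it.
WALLON_LINK = re.compile(r"https?://drs\.[^\s/\"'<>]+/[^\s/\"'<>]+/NEWS\b", re.IGNORECASE)


def _text_of(msg: Message) -> str:
    """Concatenate the decoded text/plain and text/html parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def wallon_link(raw: str) -> Optional[str]:
    """Return the suspicious NEWS link if the message fits the described pattern, else None."""
    msg = message_from_string(raw)
    if (msg.get("Subject") or "").strip().lower() != "re:":
        return None
    match = WALLON_LINK.search(_text_of(msg))
    return match.group(0) if match else None


# Constructed sample messages (not real captures); REDACTED-HOST is a placeholder.
SUSPECT = """From: alice@example.test
To: bob@example.test
Subject: Re:
Content-Type: text/html

<html><body><a href="http://drs.REDACTED-HOST.example/example.test/NEWS">news</a></body></html>
"""

BENIGN = """From: alice@example.test
To: bob@example.test
Subject: Re: lunch
Content-Type: text/plain

See http://news.example.test/NEWS for the agenda.
"""

if __name__ == "__main__":
    print("suspect:", wallon_link(SUSPECT))
    print("benign:", wallon_link(BENIGN))
```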

The following is a sample email message this worm sends out:

Sample Message 1

The said hyperlink contains a malicious script, which Trend Micro detects as HTML_WALLON.A.

Once the user clicks on this URL, a series of downloads and remote file executions occurs, which leads to the downloading of a file detected as TROJ_WALLON.A. This malicious file uses the name WMPLAYER.EXE, which effectively overwrites the original Windows Media Player application on the system. This file automatically executes and downloads another malicious file, detected as WORM_WALLON.A, from a certain Web site.

This worm may also perform the following actions:

  • Download an adware program
  • Open multiple Internet connections to an adult Web site
  • Send an email notification containing a list of gathered user names to a specific address

On its initial execution, it displays the following message box:

alpha
OLE error 8004010F.

It runs on Windows 95, 98, NT, ME, 2000, and XP.


Description created: May. 11, 2004 8:00:50 AM GMT -0800
Description updated: May. 12, 2004 7:11:23 AM GMT -0800
