Submission Summary:

• Submission details:
• Submission received: 25 February 2009, 14:56:24
• Processing time: 6 min 42 sec
• Submitted sample:
• File MD5: 0xD0C6D8E67170AB90AACB101CCBAA9C21
• File SHA-1: 0x54D32441998B3D1F6F79E406AF1AE8D9D850A368
• Filesize: 429,057 bytes
• Alias:
• W32.Waledac [Symantec]
• Packed.Win32.Krap.i [Kaspersky Lab]
• W32/Waledac.gen.e [McAfee]
• Mal/WaledPak-B, Mal/WaledPak-A [Sophos]
• Trojan.Win32.Waledac [Ikarus]

• Summary of the findings:

What's been found	Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Contains characteristics of Waledac, a worm that spreads by sending an email containing links to copies of itself.
Creates a startup registry entry.

Technical Details:

File System Modifications

• The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1]	429,057 bytes	MD5: 0xD0C6D8E67170AB90AACB101CCBAA9C21 SHA-1: 0x54D32441998B3D1F6F79E406AF1AE8D9D850A368	W32.Waledac [Symantec] Packed.Win32.Krap.i [Kaspersky Lab] W32/Waledac.gen.e [McAfee] Mal/WaledPak-B, Mal/WaledPak-A [Sophos] Trojan.Win32.Waledac [Ikarus]

Memory Modifications

• There was a new process created in the system:

Registry Modifications

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• PromoReg = "[file and pathname of the sample #1]"

so that [file and pathname of the sample #1] runs every time Windows starts

• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
• RList = 79 B0 F4 70 E0 7A EF 60 08 8C 8A 0C 5E C0 4E 8A 81 44 E3 8D 29 D9 3D 24 D2 1D E7 B7 8A 2B FB 4D EA 72 24 A6 81 F3 78 D4 82 83 05 93 69 44 CA AE A3 43 31 47 E5 45 97 29 23 DF 96 00 30 32 77 FD 7B 53 F2 CB 3B C1 B1 E0 6F ED B7 16 F7 17 59 4D 06 E1 B6 1
• MyID = 43 35 B7 2B EF 6F 7F 7C 5B 1B 8E 40 4C 1D 01 6D

Other details

• The following port was open in the system: