TrendMicro: As of May 11, 2004, 8:54 AM (GMT -07:00; Daylight Saving Time), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_WALLON.A. TrendLabs has received Several infection reports indicating that this malware is spreading in Germany and EMEA. This mass-mailing worm exploits certain vulnerabilities found on Windows systems. More information about these vulnerabilities can be found on the following Web sites: MS04-004: http://www.microsoft.com/technet/security/bulletin/ms04-004.mspx http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=MS_IE_VULNERABILITIES MS04-013: http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=MS04-013_MS_OUTLOOK_EXPRESS This worm exploits these vulnerabilities in order to download various files into the infected system. For more information on WORM_WALLON.A, you can visit our Web site at: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_WALLON.A
Trend Newsletter Re: WORM_WALLON.A WORM_WALLON.A is a non-destructive, mass-mailing worm that is currently spreading in-the-wild. This worm exploits a vulnerability within Outlook Express that allows downloading of files without the user’s knowledge. It gathers email addresses from the infected user’s Windows Address Book, and uses the email account details of the user who is currently logged on, to send email. The email it sends is an HTML-based email message that redirects users to a Web site that downloads some of the worm’s components into the user’s computer system. This worm runs on Windows 95, 98, ME, 2000, and XP. Information on this vulnerability can be found by visiting Microsoft’s Web site. Upon execution, this worm checks for the existence of a specific registry entry, which serves as the worm’s infection marker. If this entry is not found, the worm displays an error message. While gathering email addresses to send email to, this worm skips email addresses with the following substrings: admin microsoft postmaster software support webmaster Once it has gathered email addresses it sends email using the currently logged on users’ email account details. Once a user clicks on the link specified in the malware’s email, a series of downloads and remote file executions occur. Occasionally this malware attempts to download an adware file. It saves the downloaded file as COOL.EXE in the root directory. If the download is successful, it sleeps for two minutes and executes the downloaded file. This worm then sleeps for thirty minutes and runs a specific CGI script eleven times consecutively, sleeping 10 minutes between each execution. It then executes the file COOL.EXE again. This worm attempts to contact the following email address, possibly for notification purposes: 1@600pics.cjb.net. If you would like to scan your computer for WORM_WALLON.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com WORM_WALLON.A is detected and cleaned by Trend Micro pattern file #890 and above.