descripcion de McAfee:
:__________________________________________
Virus Name Risk Assessment
W32/Wallon.worm.a Corporate User : Low-Profiled
Home User : Low-Profiled
Virus Information
Discovery Date: 05/07/2004
Origin: Unknown
Length: 150,528 bytes
Type: Virus
SubType: Internet Worm
Minimum DAT: 4360 (05/12/2004)
Updated DAT: 4360 (05/12/2004)
Minimum Engine: 4.2.40
Description Added: 05/11/2004
Description Modified: 05/14/2004 2:55 PM (PT)
Description Menu
Virus Characteristics
Symptoms
Method Of Infection
Removal Instructions
Variants / Aliases
Rate This page
Print This Page
Email This Page
Legend
Virus Characteristics:
-- Update May 13, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at::
This worm mass-mails a hyperlink to recipients found on the local system. It also attempts to harvest email addresses and send them to a specified address (likely for the purpose of sending SPAM at a later date).
Email propagation
Messages sent by the worm appear as follows:
Subject: RE:
Body:
Attachment: there is no attachment
The message body simply contains a hyperlink, which is designed to trick users into thinking that they are going to a Yahoo News site, when in fact they are redirected to a page on the
Clicking the hyperlink in the email message directs users to a site, which redirects the user to another site. This redirection can occur multiple times, ultimately landing the user on a site that contains exploit code to install a downloader trojan, which downloads and installs the virus.
Addresses harvested from the local machine are sent to the address
The worm also navigates to a pornographic website pixpox.com.
Top of Page
Symptoms
The worm creates the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Wh" = Yes
The worm does not create any other registry keys.
Top of Page
Method Of Infection
This worm spreads by sending a hyperlink via email to addresses harvested from the Windows Address Book (WAB). The worm contains its own SMTP engine and uses the default SMTP server specified in the Internet Account Manager.
Sent messages attempt to trick users in to following the hyperlink, which ultimately results in an infection. Through a series of redirected pages, the users is taken to a site that contain Internet Explorer exploit code, (this page exploits MS04-013 and is detected as Exploit-MhtRedir.gen ). This exploit downloads a CHM file, which contains another Internet Explorer exploit (targeting MS04-004 and is detected as VBS/Psyme ), which downloads a file and overwrites the existing wmplayer.exe file.
%ProgramFiles%\Windows Media Player\wmplayer.exe
This file downloads and installs the Wallon worm.
Top of Page
Removal Instructions
All Users :
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
Top of Page
Variants
Name Type Sub Type Differences
Top of Page
Aliases
Name
I-Worm.Wallon (AVP)
W32/Wallon.worm
WORM_WALLON.A (Trend)
__________________________________________
Evidentemente se recuerda la necesidad de tener aplicados los parches de Microsoft. En este caso el correspondiente es el MS04-013
saludos
ms, 18-05-2004
msc hotline sat Virus Research Engineer