Obama Refuses to Become Next President

The Waledac worm, which is believed to be created by the authors of the Storm worm, has been spamming out email claiming that Barack Obama has decided not to become the next US President. Waledac first appeared around Christmas time with an e-card theme. This is the second campaign by Waledac which is intended to infect more victim machines and grow the botnet.

The emails for this latest campaign look like this:

The link leads to the website below. All of the links on this website point to the file obamanews.exe however links on other domains used in this campaign point to various other files such as barack.exe, speech.exe and file.exe. The page also includes the script google-analysis.js which contains obfuscated javascript. This script adds an IFrame to the current page with a source domain of googol-analisys.com. At the time we checked the IFrame did not contain any harmful content.

Waledac operates in a very similar way to the Storm worm. It spreads by mailing out spam containing a short sentence and a link. The links are to websites hosted on a fast flux network which try to get users to download an executable file or use exploits to download and run it for them. The campaigns generally feature current events, holidays or topics.

Other similarities with Storm include a similar email header structure and HTTP POST parameters

The Waledac botnet's spam output is currently very small, less than one percent of the spam that we see. We expect this number to increase as more machines become infected through the use of these campaigns. 

Administrators should consider blocking the following domains:

 greatobamaguide.com

 greatobamaonline.com

 superobamadirect.com

 superobamaonline.com