W32/Wallon@mm

Analysis


Specifics
This virus mass-mails a hyperlink that points to the Internet location where a copy of it is stored. The email message uses URL obfuscation to trick the user into clicking the hyperlink. If a user clicks the link, they risk being redirected through multiple websites and ultimately downloading a copy of the virus from a hosting website.

The URL obfuscation abuses the allowed URL format and affects systems that have not been updated with the MS04-013 Microsoft update. This vulnerability is also tracked as the MHTML URL Processing Vulnerability, CAN-2004-0380.


Mass Emailing Campaign
The virus, if run, will send an email message to every contact listed in the Windows address book. The emails are sent in HTML format like this [spaces inserted intentionally for this writeup] -

From: [smtp server name]
Subject: Re:
Body:
http : // drs.yahoo.com / (recipient email domain name) / NEWS

Here's an example -

From: mail.domain.com
Subject: Re:
Body:
http : // drs.yahoo.com / hotmail.com / NEWS

The link does not lead where the displayed text suggests - it instead uses an obfuscation trick to redirect clicks of the hyperlink to a different website. The trick places an "*" character in the hyperlink's href attribute to mark the starting point of the actual destination URL. For instance, the format of the exploit is like this -

href=http://any-domain.com/anything/anything/*http://the-real-domain.com/anything/anything

Clicking the link in the email message visits a web page that redirects through numerous sites and finally downloads and then runs a copy of the virus. The virus is hosted on a Yahoo-controlled user domain account.
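As an added example (not part of the original writeup, and not Fortinet code), the following Python script shows how a mail gateway or analyst tool can spot the "*" redirect trick described above: it extracts every hyperlink from an HTML message body, looks for a second URL introduced by "*" inside the href, and flags links whose effective destination host differs from the host shown in the visible link text. The sample message body and the hostnames after the "*" are constructed placeholders (example.invalid), not the campaign's real hosting location.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample HTML mail body in the shape the writeup describes.
# The destinations after "*" are placeholders, not real infrastructure.
SAMPLE_HTML = """
<html><body>
<a href="http://drs.yahoo.com/hotmail.com/NEWS/*http://dropsite.example.invalid/drop/x.exe">http://drs.yahoo.com/hotmail.com/NEWS</a>
<a href="http://www.example.org/news">http://www.example.org/news</a>
<a href="http://drs.yahoo.com/hotmail.com/NEWS/*http://drs.yahoo.com/ok">http://drs.yahoo.com/hotmail.com/NEWS</a>
</body></html>
"""

# A URL embedded after an asterisk inside another URL's path.
EMBEDDED_URL = re.compile(r"\*(https?://[^\s\"'<>]+)", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def effective_target(href):
    """Return the URL a click actually lands on: the last '*http://' segment, if any."""
    found = EMBEDDED_URL.findall(href)
    return found[-1] if found else href


def analyse_link(href, text):
    """Flag a link if it carries an embedded redirect or its visible host lies."""
    displayed_host = urlsplit(text).hostname if "://" in text else None
    target = effective_target(href)
    target_host = urlsplit(target).hostname
    reasons = []
    if target != href:
        reasons.append("embedded '*http' redirect in href")
    if displayed_host and target_host and displayed_host.lower() != target_host.lower():
        reasons.append(f"displayed host {displayed_host} != effective host {target_host}")
    return {"href": href, "effective": target, "suspicious": bool(reasons), "reasons": reasons}


def scan_html(html):
    """Analyse every hyperlink in an HTML body and return one verdict per link."""
    parser = LinkCollector()
    parser.feed(html)
    return [analyse_link(href, text) for href, text in parser.links]


if __name__ == "__main__":
    for verdict in scan_html(SAMPLE_HTML):
        print(verdict)
```

The third sample link is still flagged even though its effective host matches the displayed one, because the presence of a second URL after "*" is itself a strong indicator of this redirect abuse; a gateway would typically quarantine or rewrite such links rather than trust the visible text.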


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, add the IP address 213.4.130.210 to the list of URLs to block
  • Ensure affected systems are updated with the latest Microsoft patches, or at a minimum with the MS04-013 Microsoft update patch

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR