McAfee Research Blog

Following a bouncing Waledac

March 24th, 2009

You know that your malware investigation day will be a pain when you reach the first iframe on the webpage…

This one pointed to:

iframe src="http://[REMOVED].cn/in.cgi?[REMOVED]"

This iframe is a redirect to:

http:// [REMOVED].hostindianet.com/index.php?[REMOVED]

Now it gets interesting. This URL serves a script that delivers a PDF file called readme.pdf. As an additional note, this PDF looks like part of the Luckysploit kit.

Readme.pdf is, as you can imagine, a malicious PDF file.

Dissecting it reveals shellcode that resolves several functions, including:

- GetTempPathA
- LoadLibraryA
- GetProcAddress
- WinExec

And our friend URLDownloadToFileA, which, as the name implies, downloads something from a URL to a file :)

The URL is: http:// [REMOVED2].hostindianet.com/l[REMOVED2]?id=4 (and the same path with id=5).

Following these URLs, it was possible to find out that both id=4 and id=5 returned the same file, which is a variant of Waledac.
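As an added example (not code from the original post or from McAfee), here is a small Python triage helper for the chain described above: it checks a shellcode blob for the imported API names listed in the post, pulls out embedded http:// URLs, and groups fetched payloads by SHA-256 so that two ids returning the same file (like id=4 and id=5) are visible at a glance. The API list comes from the post; the sample bytes, the `dropper.example.invalid` URL and the payload bodies are constructed placeholders.

```python
"""Static triage for the download-and-execute stager pattern seen in the PDF's shellcode."""
import hashlib
import re
from typing import Dict, List

# API names the post found in readme.pdf's shellcode.
STAGE_APIS = ["GetTempPathA", "LoadLibraryA", "GetProcAddress", "WinExec", "URLDownloadToFileA"]
# Printable, space-free run after the scheme; a NUL or space ends the URL.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def find_apis(blob: bytes) -> List[str]:
    """Return the known API names present as plain ASCII strings, in list order."""
    return [name for name in STAGE_APIS if name.encode("ascii") in blob]


def find_urls(blob: bytes) -> List[str]:
    """Return every http(s) URL embedded as a printable string."""
    return [m.decode("ascii", "replace") for m in URL_RE.findall(blob)]


def triage(blob: bytes) -> Dict[str, object]:
    """Summarise imports, URLs and whether the fetch-then-run pair is present."""
    apis = find_apis(blob)
    # URLDownloadToFileA together with WinExec is the classic download-and-execute stager.
    download_exec = "URLDownloadToFileA" in apis and "WinExec" in apis
    return {"apis": apis, "urls": find_urls(blob), "download_and_execute": download_exec}


def group_by_hash(payloads: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map SHA-256 -> labels, so identical downloads served under different ids collapse."""
    groups: Dict[str, List[str]] = {}
    for label, data in payloads.items():
        groups.setdefault(hashlib.sha256(data).hexdigest(), []).append(label)
    return groups


# Constructed sample blob (not a real capture): API name strings plus a placeholder URL.
SAMPLE_SHELLCODE = (
    b"\x90\x90\xe8\x00\x00\x00\x00LoadLibraryA\x00GetProcAddress\x00"
    b"urlmon\x00URLDownloadToFileA\x00GetTempPathA\x00WinExec\x00"
    b"http://dropper.example.invalid/l?id=4\x00"
)
# Constructed payload bodies: both ids return identical bytes, as the post observed.
SAMPLE_DOWNLOADS = {"id=4": b"MZ-constructed-sample", "id=5": b"MZ-constructed-sample"}

if __name__ == "__main__":
    print(triage(SAMPLE_SHELLCODE))
    print(group_by_hash(SAMPLE_DOWNLOADS))
```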

And yes, both the malicious PDF and the downloaded file are detected by us :)

And yes2, [REMOVED] and [REMOVED2] are different blocks.

An additional thanks to my friend Tom Liston for the title. I will always remember the "Follow the Bouncing Malware" series… ;)
