
TrojanDownloader:Win32/Wadolin.A


TrojanDownloader:Win32/Wadolin.A is a trojan that bypasses firewall protection, downloads other files to the computer, and sends information about the affected computer to a remote server.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation

TrojanDownloader:Win32/Wadolin.A may be dropped by other malware, such as TrojanDropper:Win32/Vundo.L, TrojanDownloader:Win32/Renos.GN, and others.

TrojanDownloader:Win32/Wadolin.A may be installed as any of the following files:

  • %USERPROFILE%\Application Data\5.exe
  • %USERPROFILE%\Application Data\d.exe
  • %USERPROFILE%\Application Data\cd87.exe
  • %USERPROFILE%\Application Data\e3.exe

It modifies the system registry so that it automatically starts every time Windows starts:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Win32load"
With data: "<malware name> -lds"

Payload

Steals sensitive information

TrojanDownloader:Win32/Wadolin.A steals the following information about the affected computer and sends it to the server "vegas<removed>id.net":

  • Windows Product ID
  • Volume Serial Number

Modifies firewall and security settings

TrojanDownloader:Win32/Wadolin.A attempts to bypass the following programs:

  • Windows firewall
  • Agnitum Outpost firewall
  • McAfee firewall
  • McAfee behavior blocking

TrojanDownloader:Win32/Wadolin.A modifies the system registry so that Windows Firewall considers it an authorized application:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<malware file>"
With data: "<malware file>:*:enabled:win32load"

If the Agnitum Outpost firewall is installed, TrojanDownloader:Win32/Wadolin.A attempts to write to the named pipe "\\.\pipe\acsipc_server" to disable it.

If the McAfee firewall is installed, TrojanDownloader:Win32/Wadolin.A writes into the following file to add an exception for itself:

  • %AppData%\McAfee\Common Framework\SiteList.xml

To evade McAfee behavior blocking, it resets the value "AccessProtectionUserRules" in the registry key "HKLM\Software\McAfee\VSCore\On Access Scanner\BehaviourBlocking".

Downloads files

TrojanDownloader:Win32/Wadolin.A downloads the file "hide.dll" from the server "vegas<removed>id.net". This file is saved as "%TEMP%\df247f.dll".

Performs certain actions

TrojanDownloader:Win32/Wadolin.A repeatedly polls the webpage "vegas<removed>id.net/doit.php" for instructions. It may perform the following actions:

  • Download an executable from a specified URL and run it
  • Update itself

Analysis by Horea Coroiu


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of any of the following files:
    • %USERPROFILE%\Application Data\5.exe
    • %USERPROFILE%\Application Data\d.exe
    • %USERPROFILE%\Application Data\cd87.exe
    • %USERPROFILE%\Application Data\e3.exe
  • The presence of the following registry modification:
    In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Win32load"
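
The indicators given in the Installation, "Modifies firewall and security settings" and Symptoms sections can be checked on a live host with the following PowerShell script. It is an added example, not part of the Microsoft write-up, and assumes only what the entry states: the dropped file names, the "Win32load" Run value with its "-lds" switch, the downloaded DLL name, the firewall list format with the "win32load" label, and the McAfee value name. The helper name Add-Finding is the script's own.

```powershell
# Added host triage script for the indicators listed in this write-up.
# It is not part of the Microsoft entry; it only checks the file names,
# registry values and formats named above. Assumptions: run in the
# affected user's session (the Run key is per-user); HKLM checks need
# an elevated prompt; the "win32load" label in the firewall entry and
# the "-lds" switch are taken from the write-up as written.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. Persistence: HKCU\...\Run value "Win32load" with data "<malware path> -lds".
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Win32load']) {
    $data = [string]$run.Win32load
    Add-Finding 'Run value Win32load' $data
    # Strip the trailing "-lds" switch and any quotes to recover the dropper path.
    $exe = ($data -replace '\s+-lds\s*$', '').Trim('"')
    if (Test-Path -LiteralPath $exe) { Add-Finding 'Run target on disk' $exe }
}

# 2. Dropped executables in the per-user Application Data folder
#    (%USERPROFILE%\Application Data on XP; %APPDATA% on later Windows).
$appData = [Environment]::GetFolderPath('ApplicationData')
foreach ($name in '5.exe', 'd.exe', 'cd87.exe', 'e3.exe') {
    $p = Join-Path $appData $name
    if (Test-Path -LiteralPath $p) { Add-Finding 'Dropped file' $p }
}

# 3. The downloaded "hide.dll" is saved as %TEMP%\df247f.dll.
$dll = Join-Path $env:TEMP 'df247f.dll'
if (Test-Path -LiteralPath $dll) { Add-Finding 'Downloaded DLL' $dll }

# 4. Windows Firewall (XP/2003 policy store) authorized-application list.
#    Each value is "<path>:<scope>:<Enabled|Disabled>:<display name>"; the
#    path itself contains a colon, so parse from the right rather than
#    splitting on ':'. Flag the trojan's "win32load" label and also any
#    enabled entry whose program no longer exists (a leftover exception).
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    $skip = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($prop in $fw.PSObject.Properties) {
        if ($skip -contains $prop.Name) { continue }
        $m = [regex]::Match([string]$prop.Value, '^(?<path>.+):(?<scope>[^:]*):(?<state>[^:]*):(?<label>[^:]*)$')
        if (-not $m.Success) { continue }
        $path  = [Environment]::ExpandEnvironmentVariables($m.Groups['path'].Value)
        $label = $m.Groups['label'].Value
        if ($label -ieq 'win32load') {
            Add-Finding 'Firewall exception labelled win32load' $prop.Value
        } elseif ($m.Groups['state'].Value -ieq 'enabled' -and -not (Test-Path -LiteralPath $path)) {
            Add-Finding 'Enabled firewall exception for missing program' $prop.Value
        }
    }
}

# 5. McAfee behaviour blocking: the write-up says the trojan resets
#    AccessProtectionUserRules. Report the value for manual review
#    rather than guessing what a "good" value looks like on this host.
$bbKey = 'HKLM:\SOFTWARE\McAfee\VSCore\On Access Scanner\BehaviourBlocking'
$bb = Get-ItemProperty -Path $bbKey -ErrorAction SilentlyContinue
if ($bb -and $bb.PSObject.Properties['AccessProtectionUserRules']) {
    Add-Finding 'McAfee AccessProtectionUserRules (review)' ([string]$bb.AccessProtectionUserRules)
}

if ($findings.Count -eq 0) {
    Write-Output 'No Wadolin.A indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in the affected user's session, from an elevated prompt so the HKLM keys are readable. On Windows Vista and later the legacy AuthorizedApplications key may be absent, in which case that check is simply skipped; the per-user Run value and the dropped files are the indicators that survive across Windows versions.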

Prevention


Alert level: Severe
First detected by definition: 1.53.159.0
Latest detected by definition: 1.183.2032.0 and higher
First detected on: Mar 06, 2009
This entry was first published on: Mar 06, 2009
This entry was updated on: Sep 16, 2011

This threat is also detected as:
No known aliases