Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Threat LevelLow threat
DistributionNot widespread


Waledac.AX carries out the following actions:

  • It sends spam messages related to pharmaceutical products. It uses any of the following subjects:
    Can your health problems be solved
    Give you lover new intimate feeling.
    Which one of enlarhing products really work?
    Healthy news mail.
    Imagine, how happy she will be if you take a blue pilule.
    Now you can get it up before anyone does!
    Your boner will be able to break the concrete walls.
    Let your intimate wishes come true.

    The following is an example of the spam it sends:

  • If users follow the link included in the message, they are redirected to a website that sells different pharmaceutical products:

  • It looks for email addresses in the affected computer in order to send them spam messages like this.
  • It sends this information, encrypted, together with other type of information, such as passwords, in a file with a random name to different IP addresses, so that its creator can access the gathered data.
  • It opens several ports in order to receive instructions from its creator, such as to send spam messages or to manage the gathered information.

Infection strategy 

Waledac.AX creates a copy of itself with a random name and an EXE extension in the directory where it has been run.


Waledac.AX creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    PromoReg =
     %path in which it has been run%\%copy of the worm%.exe
    By creating this entry, Waledac.AX ensures that it is run whenever Windows is started.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RList
    %random characters%
  • HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\MyID
    %random characters%

Means of transmission 

Waledac.AX spreads via email in messages that offer a fake service that allows any user to read the SMS received in any mobile phone:

The message contains a link to a malicious website. If the user follows the link, a window will be opened so that the user downloads a file, which belongs to a copy of the worm:

The filenames it uses are variable, but they are usually related to the fake software, such as TRIAL.EXE.

It sends email messages like this to the email addresses it has gathered using its own SMTP engine.

Further Details  

Waledac.AX is 420,864 bytes in size and is compressed with UPX.