Symantec Connect: Recently there have been several reports about the re-emergence of a botnet variant (Kelihos), which Symantec detects as W32.Waledac.C. The Waledac family is a threat that has been monitored by Symantec for many years and was featured in numerous blogs as well as a white paper. In the past, Waledac gained its infamy as a spamming botnet that utilized compromised systems to send out spam.  The purpose of these spamming campaigns had usually been for self-propagation of the threat through spam emails containing a link, often (but not always) pointing to a Waledac binary file hosted on a malicious website.  The variant W32.Waledac.C is also sending out spam emails, but with a twist.

In one spam campaign, we observed it sending out the email seen below to only Russian target email addresses.


Email translation (Rough translation)

This year Rospres celebrates another birthday – we are now 5 years old.

All these years we were trying our best to bring to you the latest available information in its full integrity. In the nearest future we intend to work even harder for our readers, so they come back to our web portal again and again. We will be very happy to work for all visitors to !

With best wishes, Ruspres.

The link seen in the spam email leads to a slanderous article hosted on the site and can be seen in the picture below. We have found no evidence that the link contained in the spam email is used to propagate the threat. The site seems to contain numerous articles on high profile Russian individuals such as politicians and businessmen that could be considered slanderous.


The individual in this article is Mikhail Prokhorov a Russian billionaire oligarch and an independent candidate in the Russian 2012 elections this March.  While it is not clear whether the intent of this Waledac spam campaign has been to push the site or to smear the election campaign of any individual, it does question the exact motivation of the malware gang controlling the W32.Waledac.C variant.