W32/Wallon-A is an email worm. The worm sends mail containing a deceptive
link. The link appears to direct the user to drs.yahoo.com/<user's domain>/NEWS but in fact points to a location on another website. The user is redirected to a website which exploits the MTHML URL processing vulnerability to run a malicious script on the local computer. The script in turn downloads and runs several pieces of malicious software, including W32/Wallon-A.
The Trojans used and installed during the infection process are:
Troj/Psyme-V, Troj/StartPa-HF, Troj/Dloader-JK and Dial/Top69-A.
The Microsoft vulnerability was first reported on 13 April, and Microsoft have issued protection, which can be downloaded from Microsoft Security Bulletin MS04-013.