Virus: Worm/Drefir.E
Date discovered: 24/06/2005
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 128.328 Bytes
MD5 checksum: 33be61dcfce0efaf88fda9adda4ddf7c
IVDF version: 6.31.00.108 - Friday, June 24, 2005
General
Method of propagation:
• Email

Aliases:
• Mcafee: W32/Drefir.worm
• Sophos: W32/Dref-C
• Panda: W32/Drefir.E.worm
• Eset: Win32/Drefir.E
• Bitdefender: Win32.Worm.Drefir.E.DAM@MM

Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Drops a malicious file
• Lowers security settings
• Registry modification

Files
It copies itself to the following location:
• %SYSDIR%\SysDrefIWv2.exe

Registry
The following value is added to each of these registry keys so that the process is started again after a reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "DrefIW"="%SYSDIR%\SysDrefIWv2.exe"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "DrefIW"="%SYSDIR%\SysDrefIWv2.exe"

The following registry keys are changed:
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
New value:
• "%malware execution directory%\%executed file%" = "%malware execution directory%\%executed file%:*:Enabled:%executed file%"

Deactivate Windows XP Firewall:
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
New value:
• "Start" = 00000004 (service start type Disabled)

Email
It uses the Messaging Application Programming Interface (MAPI) in order to send emails. The characteristics are further described:

From: The sender address is the user's Outlook account.
To:
– Email addresses gathered from WAB (Windows Address Book)
Subject: One of the following:
• just read it,its fantastic
• here are the porn you asked me to show you...
• here are the programms you asked me to mail you
• for any help,mail me back
• please read again what i have written to you !
• here are the pictures you asked me to send you.
• My Story
• Your Stuff
• Your Files
Attachment: The filename of the attachment is one of the following:
• Story.scr
• linda.scr
• musicbox.exe
• mail.scr
• pictures_1.exe
• My Life.rar
• porn.rar
• package1.rar
• info.rar
• pictures.rar
The attachment is a copy of the malware itself.
IRC
To deliver system information and to provide remote control it connects to the following IRC servers:
Server: irc.e**********.net Port: 6667
Server: eu.u**********.org Port: 6667
Server: us.u**********.org Port: 6667
Server: irc.d**********.net Port: 6667
Server: irc.r**********.net Port: 6667
Server: irc.fr.i**********.net Port: 6667
Server: irc.i**********.ee Port: 6667
Server: random.i**********.de Port: 6667
Server: irc.us.i**********.net Port: 6667
Server: irc.q**********.org Port: 6667
Server: leak.e**********.co.uk Port: 8080
Channel: #irc
– Furthermore it has the ability to perform actions such as:
• Send emails
• Visit a website

Miscellaneous
Checks for an internet connection by contacting the following web site:
• http://www.google.com/

File details
Runtime packer: In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.
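As an added example, not part of the original description: an offline triage check over an exported registry (.reg text) for the three host changes described above, the "DrefIW" autorun value, the SharedAccess service set to Start=4 and the firewall exception entry. The sample export is constructed from the key paths and file names on this page; the file-name set is an assumption built from the dropped file and the executable attachment names listed.

```python
import re
# Constructed sample .reg export (format of `reg export`) from a hypothetical
# host showing the behaviour described above; not a real capture.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"DrefIW"="C:\\WINDOWS\\system32\\SysDrefIWv2.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Temp\\musicbox.exe"="C:\\Temp\\musicbox.exe:*:Enabled:musicbox.exe"
"""

# Assumed watch list: the dropped file plus the executable attachment names from the description.
DREFIR_FILES = {"sysdrefiwv2.exe", "story.scr", "linda.scr", "musicbox.exe",
                "mail.scr", "pictures_1.exe"}
RUN_KEY = re.compile(r"^HKEY_(CURRENT_USER|LOCAL_MACHINE)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)

def parse_reg(text):
    """Return {key_path: {value_name: raw_value}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")  # first '=' ends the value name
            keys[current][name.strip('"')] = value.strip().strip('"')
    return keys

def basename(path):
    # .reg data doubles backslashes; undo that before taking the last component
    return path.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()

def find_drefir_indicators(reg):
    """Return (kind, key, value_name, data) tuples for the three described changes."""
    findings = []
    for key, values in reg.items():
        if RUN_KEY.match(key):
            for name, val in values.items():
                if name.lower() == "drefiw" or basename(val) in DREFIR_FILES:
                    findings.append(("autorun", key, name, val))
        elif key.lower().endswith(r"\services\sharedaccess"):
            if values.get("Start", "").lower() == "dword:00000004":  # 4 = Disabled
                findings.append(("firewall_service_disabled", key, "Start", values["Start"]))
        elif key.lower().endswith(r"\authorizedapplications\list"):
            for name, val in values.items():
                if ":*:enabled:" in val.lower() and basename(name) in DREFIR_FILES:
                    findings.append(("firewall_exception", key, name, val))
    return findings
```

The benign OneDrive autorun entry in the sample is left unflagged, so the check reports only the three Drefir-specific changes.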
Description inserted by Petre Galan on Friday, February 5, 2010 Description updated by Petre Galan on Friday, February 5, 2010