¿Necesita ayuda? Pregunte a la comunidad o contrate a un experto.
Ir a Avira Answers
Date discovered:24/06/2005
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:Yes
File size:128.328 Bytes
MD5 checksum:33be61dcfce0efaf88fda9adda4ddf7c
IVDF version: - Friday, June 24, 2005

 General Method of propagation:
   • Email

   •  Mcafee: W32/Drefir.worm
   •  Sophos: W32/Dref-C
   •  Panda: W32/Drefir.E.worm
   •  Eset: Win32/Drefir.E
   •  Bitdefender: Win32.Worm.Drefir.E.DAM@MM

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops a malicious file
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following location:
   • %SYSDIR%\SysDrefIWv2.exe

 Registry To each registry key one of the values is added in order to run the processes after reboot:

   • "DrefIW"="%SYSDIR%\SysDrefIWv2.exe

   • "DrefIW"="%SYSDIR%\SysDrefIWv2.exe

The following registry keys are changed:

   New value:
   • "%malware execution directory%\%executed file%" = "%malware execution directory%\%executed file%:*:Enabled:%executed file%"

Deactivate Windows XP Firewall:
   New value:
   • "Start" = 00000004

 Email It uses the Messaging Application Programming Interface (MAPI) in order to send emails. The characteristics are further described:

The sender address is the user's Outlook account.

 Email addresses gathered from WAB (Windows Address Book)

One of the following:
   • just read it,its fantastic
   • here are the porn you asked me to show you...
   • here are the programms you asked me to mail you
   • for any help,mail me back
   • please read again what i have written to you !
   • here are the pictures you asked me to send you.
   • My Story
   • Your Stuff
   • Your Files

The filename of the attachment is one of the following:
   • Story.scr
   • linda.scr
   • musicbox.exe
   • mail.scr
   • pictures_1.exe
   • My Life.rar
   • porn.rar
   • package1.rar
   • info.rar
   • pictures.rar

The attachment is a copy of the malware itself.

 IRC To deliver system information and to provide remote control it connects to the following IRC Servers:

Server: irc.e**********.net
Port: 6667

Server: eu.u**********.org
Port: 6667

Server: us.u**********.org
Port: 6667

Server: irc.d**********.net
Port: 6667

Server: irc.r**********.net
Port: 6667

Server: irc.fr.i**********.net
Port: 6667

Server: irc.i**********.ee
Port: 6667

Server: random.i**********.de
Port: 6667

Server: irc.us.i**********.net
Port: 6667

Server: irc.q**********.org
Port: 6667

Server: leak.e**********.co.uk
Port: 8080
Channel: #irc

 Furthermore it has the ability to perform actions such as:
    • Send emails
     Visit a website

 Miscellaneous  Checks for an internet connection by contacting the following web site:
   • http://www.google.com/

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Descripción insertada por Petre Galan el viernes 5 de febrero de 2010
Descripción actualizada por Petre Galan el viernes 5 de febrero de 2010

Volver . . . .
https:// Esta ventana está cifrada para su seguridad.