Precisa de ajuda? Peça à comunidade ou contrate um perito.
Acesse a Avira Answers
Date discovered:24/06/2005
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:Yes
File size:128.328 Bytes
MD5 checksum:33be61dcfce0efaf88fda9adda4ddf7c
IVDF version: - Friday, June 24, 2005

 General Method of propagation:
   • Email

   •  Mcafee: W32/Drefir.worm
   •  Sophos: W32/Dref-C
   •  Panda: W32/Drefir.E.worm
   •  Eset: Win32/Drefir.E
   •  Bitdefender: Win32.Worm.Drefir.E.DAM@MM

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops a malicious file
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following location:
   • %SYSDIR%\SysDrefIWv2.exe

 Registry To each registry key one of the values is added in order to run the processes after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "DrefIW"="%SYSDIR%\SysDrefIWv2.exe

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "DrefIW"="%SYSDIR%\SysDrefIWv2.exe

The following registry keys are changed:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   New value:
   • "%malware execution directory%\%executed file%" = "%malware execution directory%\%executed file%:*:Enabled:%executed file%"

Deactivate Windows XP Firewall:
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   New value:
   • "Start" = 00000004

 Email It uses the Messaging Application Programming Interface (MAPI) in order to send emails. The characteristics are further described:

The sender address is the user's Outlook account.

– Email addresses gathered from WAB (Windows Address Book)

One of the following:
   • just read it,its fantastic
   • here are the porn you asked me to show you...
   • here are the programms you asked me to mail you
   • for any help,mail me back
   • please read again what i have written to you !
   • here are the pictures you asked me to send you.
   • My Story
   • Your Stuff
   • Your Files

The filename of the attachment is one of the following:
   • Story.scr
   • linda.scr
   • musicbox.exe
   • mail.scr
   • pictures_1.exe
   • My Life.rar
   • porn.rar
   • package1.rar
   • info.rar
   • pictures.rar

The attachment is a copy of the malware itself.

 IRC To deliver system information and to provide remote control it connects to the following IRC Servers:

Server: irc.e**********.net
Port: 6667

Server: eu.u**********.org
Port: 6667

Server: us.u**********.org
Port: 6667

Server: irc.d**********.net
Port: 6667

Server: irc.r**********.net
Port: 6667

Port: 6667

Server: irc.i**********.ee
Port: 6667

Server: random.i**********.de
Port: 6667

Port: 6667

Server: irc.q**********.org
Port: 6667

Server: leak.e**********
Port: 8080
Channel: #irc

– Furthermore it has the ability to perform actions such as:
    • Send emails
    • Visit a website

 Miscellaneous  Checks for an internet connection by contacting the following web site:

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Descrição enviada por Petre Galan em sexta-feira, 5 de fevereiro de 2010
Descrição atualizada por Petre Galan em sexta-feira, 5 de fevereiro de 2010

Voltar . . . .