Worm:Win32/Drefir.E is a worm that spreads by copying itself to mapped drives, by sending e-mail messages with an attached copy of the worm and by sending messages in IRC channels containing a link to the worm. The worm lowers system security and may delete files on the 29th day of June and December.
Installation
When run, Worm:Win32/Drefir.E copies itself as the following:
<system folder>\sysdrefiwv2.exe
The registry is then modified to run the worm at each Windows start.
Adds value: "DrefIW"
With data: "<system folder>\sysdrefiwv2.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "DrefIW"
With data: "<system folder>\sysdrefiwv2.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
Spreads via…
Mapped drives
Worm:Win32/Drefir.E scans for available and connected mapped drives, then copies itself to the drives it finds. It enumerates drive letters A: to Z: and copies itself to the root folder of each drive that is available.
E-mail attachment
The worm searches the Windows address book (WAB) to gather domains, then uses the information to create a list of destination e-mail addresses. Messages are created containing a varying list of subject lines, body texts and attachment file names.
Possible subject lines:
- My Story
- Your Stuff
- Your Files
- Resume
Possible body texts:
- here are the porn you asked me to show you…
- here are the programms you asked me to mail you
- for any help,mail me back
- please read again what i have written to you !
- here are the pictures you asked me to send you.
Possible attachment file names:
- Story.scr
- linda.scr
- musicbox.exe
- mail.scr
- pictures_1.exe
- My Life.rar
- porn.rar
- package1.rar
- info.rar
- pictures.rar
The attachment is a copy of the worm either as an executable or a RAR archive.
Internet Relay Chat (IRC)
Worm:Win32/Drefir.E connects to one of the following IRC servers using TCP port 6667:
- irc.efnet.net
- eu.undernet.org
- us.undernet.org
- irc.dal.net
- irc.rizon.net
- irc.fr.ircnet.net
- irc.ircnet.ee
- random.ircd.de
- irc.us.ircnet.net
- irc.quakenet.org
When connected, the worm broadcasts messages to channels containing a link to a copy of the worm hosted on a remote server. Messages sent may resemble the following:
- free europen porn ! get it now from ===>>> <link to Worm:Win32/Drefir.E>
- intersting in porno ?,wanna get free access,check out --> <link to Worm:Win32/Drefir.E>
- wants free 30 days trial at porn gallerys ?,check out > <link to Worm:Win32/Drefir.E>
- wants to have access to free DVD porn download => <link to Worm:Win32/Drefir.E>
- wanna have a free trial at porn sites all over the world ?,get this => <link to Worm:Win32/Drefir.E>
- You can find DVD Quality Amateur Porn Movies here => <link to Worm:Win32/Drefir.E>
Payload
Lowers system security
The worm modifies the registry to disable the "Shared Access" service (SharedAccess), which Windows Firewall requires in order to run. A Start value of 4 marks the service as disabled.
Modifies value: "Start"
With data: "4"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
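A triage check for the two registry indicators described above (the DrefIW Run value pointing at sysdrefiwv2.exe, and SharedAccess Start set to 4), run over the text of a `reg query` export collected from a host. This is an added example written for this page, not part of the original description; the registry dump it parses is constructed sample data.

```python
import re

# Indicators as listed in the Worm:Win32/Drefir.E description above (keys lowercased for comparison).
RUN_KEYS = (r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_current_user\software\microsoft\windows\currentversion\run")
SHARED_ACCESS = r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
RUN_VALUE, DROPPED_FILE = "drefiw", "sysdrefiwv2.exe"

# Constructed `reg query` output for an infected host; sample data, not a real capture.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    DrefIW    REG_SZ    C:\Windows\System32\sysdrefiwv2.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
    Start    REG_DWORD    0x4
    Type    REG_DWORD    0x20
"""

# A value line in `reg query` output: <indent><name>    <REG_TYPE>    <data>
VALUE_LINE = re.compile(r"^\s+(\S.*?)\s+(REG_\w+)\s*(.*)$")

def parse_reg_query(text):
    """Turn `reg query` output into {key (lowercased): {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                current[m.group(1)] = m.group(3).strip()
    return keys

def check_drefir(text):
    """Return findings for the persistence value and the disabled firewall service."""
    findings, keys = [], parse_reg_query(text)
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            if name.lower() == RUN_VALUE or data.lower().endswith(DROPPED_FILE):
                findings.append(f"persistence: {key}\\{name} = {data}")
    start = keys.get(SHARED_ACCESS, {}).get("Start")
    if start is not None and int(start, 0) == 4:  # 4 = SERVICE_DISABLED
        findings.append("firewall service disabled: SharedAccess Start = 4")
    return findings

if __name__ == "__main__":
    for finding in check_drefir(SAMPLE_REG_QUERY):
        print(finding)
```

On a live host the same export is produced with `reg query <key>` for each of the three keys; a clean host yields an empty findings list.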
Deletes files
On the 29th day of June or December, Worm:Win32/Drefir displays the following message:
[IrcWorm] v1.3 (c) 2005 written by DR-EF
The worm then attempts to delete all files on fixed and remote drives.
Analysis by Jaime Wong