W32/Dref-AF

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports
Protection available since: 08 Apr 2007 00:00:00 (GMT)
Last Updated: 08 Apr 2007 00:00:00 (GMT)


W32/Dref-AF is an email worm for the Windows platform.

W32/Dref-AF harvests email addresses from the infected computer and attempts to send itself to them, though, due to a bug in its code, it will usually send a file detected as W32/Dref-Dam instead.

W32/Dref-AF tries to send itself in an email from <random name>@yahoo.com with the following characteristics:

Subject line (one of the following):

  Iran Just Have Started World War III
  USA Just Have Started World War III
  Israel Just Have Started World War III
  Missle Strike: The USA kills more then 10000 Iranian citizens
  Missle Strike: The USA kills more then 1000 Iranian citizens
  Missle Strike: The USA kills more then 20000 Iranian citizens
  USA Missle Strike: Iran War just have started
  USA Declares War on Iran

Attachment filename (one of the following):

  Video.exe
  News.exe
  Movie.exe
  Read Me.exe
  Click Me.exe
  Click Here.exe
  Read More.exe
  More.exe
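As an added defender's example (not part of the Sophos description), the function below triages raw RFC 822 messages for the lure described above: one of the listed subject lines combined with one of the listed attachment names, sent from a yahoo.com address. The sample messages and the sender name are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines and attachment names used by W32/Dref-AF (from the description).
DREF_AF_SUBJECTS = {
    "Iran Just Have Started World War III",
    "USA Just Have Started World War III",
    "Israel Just Have Started World War III",
    "Missle Strike: The USA kills more then 10000 Iranian citizens",
    "Missle Strike: The USA kills more then 1000 Iranian citizens",
    "Missle Strike: The USA kills more then 20000 Iranian citizens",
    "USA Missle Strike: Iran War just have started",
    "USA Declares War on Iran",
}
DREF_AF_ATTACHMENTS = {
    "video.exe", "news.exe", "movie.exe", "read me.exe",
    "click me.exe", "click here.exe", "read more.exe", "more.exe",
}


def classify(raw: bytes) -> dict:
    """Return which W32/Dref-AF indicators a raw message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    sender = str(msg["From"] or "").lower()
    # iter_attachments() yields nothing for single-part messages.
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    hits = {
        "subject": subject in DREF_AF_SUBJECTS,
        "attachment": any(n in DREF_AF_ATTACHMENTS for n in names),
        "yahoo_sender": sender.endswith("@yahoo.com"),
    }
    # Subject plus attachment name is the strong signal; sender alone is weak.
    hits["suspect"] = hits["subject"] and hits["attachment"]
    return hits


def build_sample(subject: str, filename: str) -> bytes:
    """Construct a test message (sender name is a made-up placeholder)."""
    m = EmailMessage()
    m["From"] = "qzkpwlt@yahoo.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("see attached")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(classify(build_sample("USA Declares War on Iran", "Video.exe")))
```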

W32/Dref-AF attempts to drop a file with an EXE extension and a random 7-letter filename to the same folder as itself. This file is already detected as W32/Dref-AB.

W32/Dref-AF deletes the following registry entry to stop the file referenced from running on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Agent

W32/Dref-AF sets the following registry entry, disabling the automatic startup of the SharedAccess service:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).

W32/Dref-AF terminates certain processes and windows related to security and anti-virus applications, including windows with the title "Registry Editor".
