W32/Dref-S is an email worm for the Windows platform.
W32/Dref-S harvests email addresses from the infected computer and attempts to send itself to them. W32/Dref-S tries to send itself in an email with characteristics obtained from www.cnn.com; if that fails, it uses the following characteristics:
Subject line (one of the following):
URGENT NEWS!
ATTN
NEWS!
Incredible news!
READ AND RESEND ASAP!
ATTN TO EVERYBODY!
URG
White house news!
Attachment filename (one of the following):
read me.exe
CNN latest news.exe
CNN news reader.exe
cnn.exe
news reader.exe
cnn site explorer.exe
WWW-CNN-COM.exe
news agent.exe
webnews agent.exe
cnn agent.exe
Message text (one of the following):
Read more in attach...
Read more in attached file...
Full news in attached file
Full news in attach
Open file to get complete news.
Full news included in attached file
For read this news open file
W32/Dref-S attempts to terminate windows and processes related to anti-virus and security applications.
When first run W32/Dref-S copies itself to <System>\nordsys.exe and creates the file <current folder>\<7 random characters>.exe. This dropped file is detected as Troj/Dloadr-AQQ.
The following registry entries are created to run nordsys.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Nord = <System>\nordsys.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nord = <System>\nordsys.exe
W32/Dref-S sets the following registry entry, disabling the automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 4
Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).
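The artefacts listed above (the dropped copy in the System folder, the two "Nord" Run values, and the SharedAccess Start value) can be checked on a host with a short read-only script. This is an added example, not part of the vendor description; the function name and the output format are my own.

```powershell
# Added example: read-only check for the W32/Dref-S artefacts described above.
# Reports findings; it does not remove anything.
function Test-DrefSIndicators {
    $findings = @()

    # 1. Dropped copy in the System folder: <System>\nordsys.exe
    $exe = Join-Path ([Environment]::SystemDirectory) 'nordsys.exe'
    if (Test-Path -LiteralPath $exe) {
        $findings += "File present: $exe"
    }

    # 2. Autorun value 'Nord' under both HKCU and HKLM ...\CurrentVersion\Run
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
        $val = Get-ItemProperty -Path $key -Name 'Nord' -ErrorAction SilentlyContinue
        if ($val) {
            $findings += "Run value $key\Nord = $($val.Nord)"
        }
    }

    # 3. SharedAccess service with Start=4 (disabled), which turns off ICF.
    #    Weak on its own: an administrator may have disabled the service
    #    deliberately, so treat this as corroborating evidence only.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'
    $svc = Get-ItemProperty -Path $svcKey -Name 'Start' -ErrorAction SilentlyContinue
    if ($svc -and $svc.Start -eq 4) {
        $findings += "SharedAccess Start=4 (service disabled)"
    }

    # 4. A live process named nordsys
    if (Get-Process -Name 'nordsys' -ErrorAction SilentlyContinue) {
        $findings += "Process running: nordsys.exe"
    }

    return $findings
}

$hits = Test-DrefSIndicators
if ($hits.Count -eq 0) { 'No W32/Dref-S indicators found.' } else { $hits }
```

Run it in an elevated session so the HKLM values and the System folder are readable.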