
W32/Dref-AH

Aliases
  • Email-Worm.Win32.Zhelatin.ct
  • Win32/Nuwar.Gen
Type: worm
How it spreads
  • Email attachments
Affected operating systems Windows
Characteristics
  • Drops more malware
Protection available since 12 April 2007 18:54:32 (GMT)
Detected by All Sophos products

More Information

W32/Dref-AH is an email worm for the Windows platform.

W32/Dref-AH harvests email addresses from the infected computer and attempts to send itself to them, though, due to a bug in the code, it will usually send a file detected as W32/Dref-Dam instead.

W32/Dref-AH tries to send itself in an email with the following characteristics:

Attachment filename (one of the following):

  Flash Postcard.exe
  flash postcard.exe
  greeting card.exe
  Greeting Card.exe
  Greeting Postcard.exe
  greeting postcard.exe
  Love Card.exe
  Love Postcard.exe
  My Love.exe
  postcard.exe
  Postcard.exe
  With Love.exe

Subject line (one of the following):

  A Dream is a Wish
  A Is For Attitude
  A Kiss So Gentle
  A Precious Gift
  A Rose
  A Rose for My Love
  A Toast My Love
  A Token of My Love
  Come Dance with Me
  Come Relax with Me
  Destiny
  Dream of You
  Eternal Love
  Eternity of Your Love
  Falling In Love with You
  For You....My Love
  Heavenly Love
  Hugging My Pillow
  I am Complete
  I Dream of you
  I Love Thee
  I Love You Because
  I Love You Soo Much
  I Love You with All I Am
  I Would Dream
  If Loving You
  In Your Arms
  Inside My Heart
  Kisses Through E-mail
  Last Night
  ll Be Your Bride
  Love Is...
  Love Remains
  m With You
  Magic Power Of Love
  Memories of You
  Miracle of Love
  My Love
  Our Journey
  Our Love is Free
  Our Love is Strong
  Our Love Nest
  Our Love Will Last
  Pages from My Heart
  Path We Share
  re in my Soul
  re In My Thoughts
  re my Dream
  re the One
  Sending You All My Love
  Sending You My Love
  Sent with Love
  Special Romance
  Surrounded by Love
  The Dance of Love
  The Miracle of Love
  The Mood for Love
  The Moon & Stars
  The Time for Love
  When Love Comes Knocking
  When You Fall in Love
  Why I Love You
  Words in my Heart
  Wrapped in Your Arms
  You... In My Dreams
  Your Friend and Lover
  Your Love Has Opened

When W32/Dref-AH is installed the following files are created:

<Current Folder>\<random characters>.exe
<System>\wincom32.ini
<System>\wincom32.sys

The file wincom32.sys is detected as Troj/Dorf-Fam and the file <random characters>.exe is detected as W32/Dref-AB. The file wincom32.ini is not malicious and can safely be deleted manually.

W32/Dref-AH deletes the following registry entry to stop the file referenced from running on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Agent

W32/Dref-AH sets the following registry entry, disabling the automatic startup of the SharedAccess service:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).

W32/Dref-AH terminates certain processes and windows related to security and anti-virus applications, including windows named "Registry Editor".
