W32/Dref-AF

Please follow the instructions for removing worms.

W32/Dref-AF is an email worm for the Windows platform.

W32/Dref-AF harvests email addresses from the infected computer and attempts to send itself to them, though due to a bug in the code will usually send a file detected as W32/Dref-Dam.

W32/Dref-AF tries to send itself in an email from <random name>@yahoo.com with the following characteristics:

Subject line (one of the following):

  Iran Just Have Started World War III
  USA Just Have Started World War III
  Israel Just Have Started World War III
  Missle Strike: The USA kills more then 10000 Iranian citizens
  Missle Strike: The USA kills more then 1000 Iranian citizens
  Missle Strike: The USA kills more then 20000 Iranian citizens
  USA Missle Strike: Iran War just have started
  USA Declares War on Iran

Attachment filename (one of the following):

  Video.exe
  News.exe
  Movie.exe
  Read Me.exe
  Click Me.exe
  Click Here.exe
  Read More.exe
  More.exe

W32/Dref-AF attempts to drop a file with an EXE extension and a random 7-letter filename to the same folder as itself. This file is already detected as W32/Dref-AB.

W32/Dref-AF deletes the following registry entry to stop the file referenced from running on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Agent

W32/Dref-AF sets the following registry entry, disabling the automatic startup of the SharedAccess service:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).

W32/Dref-AF terminates processes certain processes and windows related to security and anti-virus applications, including windows names "Registry Editor".