Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | December 2006 (4.12) |
| Protection available since | 31 October 2006 15:54:07 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing infected executable files.
More Information
W32/Dref-K is a mass-mailing worm and parasitic virus for the Windows platform.
When first run, W32/Dref-K copies itself to <System>\wservice.exe.
W32/Dref-K will attempt to infect SCR, EXE and RAR files.
Files infected with the virus are detected as W32/Dref-L.
W32/Dref-K harvests email addresses from the infected computer and sends emails containing a corrupt attachment to the email addresses found.
W32/Dref-K may arrive in an email message with the following characteristics:
Subject line: chosen from
White house news!
READ AND RESEND ASAP!
NEWS!
ATTN TO EVERYBODY!
Incredible news!
ATTN
URGENT NEWS!
URG
Message text: chosen from
3rd Glogal War Just Started!!! Read more in file!
Nuclear War in Russia! Read news in file!
President Bush DEAD! Read attached file!
Putin and Bush starts NUCLEAR WAR! Check the file!
Nuclear WAR in USA! Read attached file!
GLOBAL NUCLEAR WAR JUST STARTED! News in file.
President Putin dead! Read more in attached file!
Attached file: chosen from
truth.exe
last.exe
lasest news.exe
never.exe
war.exe
about me.exe
a.exe
read me .exe
open.exe
The virus creates the file <Current Folder of Virus>\<Random>.exe and this file is detected as Troj/Dloadr-ANE.
The following registry entries are created to run wservice.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
UpdateService
<System>\wservice.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
UpdateService
<System>\wservice.exe
W32/Dref-K sets the following registry entries, disabling the automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).
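
The host-side indicators described above (the dropped file, the two Run values and the SharedAccess setting) can be checked with a short read-only script. This is an added example, not Sophos's removal procedure or tooling; it assumes `<System>` means the Windows system folder and only inspects the current user's HKCU hive.

```powershell
# Added example: report W32/Dref-K indicators listed on this page. Read-only.
# Assumption: <System> is the Windows system folder returned by the OS.
$systemDir = [Environment]::SystemDirectory
$dropPath  = Join-Path $systemDir 'wservice.exe'
$findings  = @()

# 1. Copy of the worm dropped at <System>\wservice.exe
if (Test-Path -LiteralPath $dropPath) {
    $findings += "File present: $dropPath"
}

# 2. Run-key persistence: value UpdateService in HKCU and HKLM
#    (HKCU here is the hive of the user running the script only)
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -ne $props -and $null -ne $props.PSObject.Properties['UpdateService']) {
        $data = [string]$props.UpdateService
        # Flag only when the data points at wservice.exe, since other
        # software could legitimately use the same value name
        if ($data -match '\\wservice\.exe') {
            $findings += "Run value: $key\UpdateService = $data"
        }
    }
}

# 3. SharedAccess service start type set to 4 (disabled).
#    On its own this is weak evidence: an administrator may have disabled it.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'
$svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
if ($null -ne $svc -and $svc.Start -eq 4) {
    $findings += "$svcKey Start = 4 (service disabled)"
}

if ($findings.Count -eq 0) {
    'No W32/Dref-K indicators from this page found.'
} else {
    $findings
}
```

A clean result does not rule out infected SCR, EXE or RAR files elsewhere on disk, which only a scanner that detects W32/Dref-L will find.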
