Summary
| Field | Detail |
|---|---|
| How it spreads | Email messages |
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | December 2006 (4.12) |
| Protection available since | 7 November 2006 05:05:58 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for disinfecting PE executables.
More Information
W32/Dref-N is a mass-mailing worm and parasitic virus with IRC backdoor functionality for the Windows platform.
When first run W32/Dref-N copies itself to <System>\wservice.exe.
W32/Dref-N will attempt to infect SCR, HTM, HTA, EXE and RAR files, then email itself as an attachment to email addresses harvested from the infected computer.
Files infected with the virus are detected as W32/Dref-L.
W32/Dref-N may arrive in an email message with the following characteristics:
Subject line: chosen from
White house news!
READ AND RESEND ASAP!
NEWS!
ATTN TO EVERYBODY!
Incredible news!
ATTN
URGENT NEWS!
URG
Message text: chosen from
3rd Glogal War Just Started!!! Read more in file!
Nuclear War in Russia! Read news in file!
President Bush DEAD! Read attached file!
Putin and Bush starts NUCLEAR WAR! Check the file!
Nuclear WAR in USA! Read attached file!
GLOBAL NUCLEAR WAR JUST STARTED! News in file.
President Putin dead! Read more in attached file!
Attached file: chosen from
truth.exe
last.exe
lasest news.exe
never.exe
war.exe
about me.exe
a.exe
read me .exe
open.exe
The files attached in the emails are detected as Troj/DwnLdr-FUY.
The following registry entries are created to run wservice.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
UpdateService
<System>\wservice.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
UpdateService
<System>\wservice.exe
W32/Dref-N sets the following registry entry, disabling the automatic startup of the SharedAccess service (a Start value of 4 is SERVICE_DISABLED):
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: on Windows XP the SharedAccess service hosts the Windows Firewall (called the Internet Connection Firewall, ICF, before SP2) and Internet Connection Sharing. Disabling its autostart deactivates the host firewall from the next reboot onwards, so a cleaned system should have this value restored as well as the Run entries removed.
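The following read-only triage script is an added example, not part of the Sophos analysis. It checks a Windows host for the three artefacts listed above: the dropped file <System>\wservice.exe, the UpdateService values under the HKCU and HKLM Run keys, and a SharedAccess Start value of 4. Run it from an elevated PowerShell prompt; it changes nothing and only reports what it finds.

```powershell
# Added triage script (not from the Sophos page): looks for the W32/Dref-N
# persistence and firewall-tampering indicators described in the analysis.
# Read-only; requires PowerShell 4+ for Get-FileHash.

$findings = @()

# 1. Dropped file: <System>\wservice.exe, where <System> is %SystemRoot%\System32.
$dropped = Join-Path $env:SystemRoot 'System32\wservice.exe'
if (Test-Path -LiteralPath $dropped) {
    $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    $findings += "File present: $dropped (SHA256 $hash)"
}

# 2. Run-key persistence: a value named 'UpdateService' under either Run key.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $entry = Get-ItemProperty -Path $key -Name 'UpdateService' -ErrorAction SilentlyContinue
    if ($null -ne $entry) {
        $findings += "Run entry: $key\UpdateService = $($entry.UpdateService)"
    }
}

# 3. SharedAccess service start type. 4 = SERVICE_DISABLED. The default is
#    2 (Automatic) on XP and 3 (Manual) on later Windows, so 4 is anomalous
#    unless an administrator deliberately disabled ICS/firewall hosting.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'
$start  = (Get-ItemProperty -Path $svcKey -Name 'Start' -ErrorAction SilentlyContinue).Start
if ($start -eq 4) {
    $findings += "SharedAccess Start = 4 (disabled): host firewall / ICS will not start"
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Dref-N indicators found.'
} else {
    Write-Output 'Possible W32/Dref-N indicators:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The SharedAccess check is deliberately separate from the file and Run-key checks: a system that has already been disinfected with the PE-cleaning instructions under Action can still have the service left disabled, and the script will report that on its own.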
