W32/Dref-V

Category: Viruses and Spyware
Type: Win32 executable file virus
Protection available since: 30 Dec 2006 00:00:00 (GMT)
Last Updated: 12 Jan 2007 00:00:00 (GMT)
Prevalence: Small Number of Reports


W32/Dref-V is a virus for the Windows platform.

W32/Dref-V spreads to other network computers and via email.

W32/Dref-V includes functionality to access the internet and communicate with a remote server via HTTP.

W32/Dref-V sends emails with the following characteristics:

From: <forged>

Subject line: "Happy New Year!"

Message text: <empty>

Attached file: postcard.exe

or

From: <forged>

Subject line: chosen from

"Annual Fun Forecast!"
"Baby New Year !"
"Best Wishes For A Happy New Year!"
"Fun 2007!"
"Fun Filled New Year!"
"Happiness And Continued Success!"
"Happiness and Success!"
"Happiness In Everything!"
"Happy 2007!"
"Happy Times And Happy Memories!"
"May Your Dreams Come True!"
"New Hopes And New Beginnings!"
"New Year..Happy Year!"
"Promises Of Happy Times!"
"Raising A Toast To Happy Times!"
"Scale Greater Heights!"
"Sparkling Happiness and Good Times!"
"Warm New Year Hug!"
"Warmest Wishes For New Year!"
"Welcome 2007!"
"Wishing Your Happiness!"
"Wishing You Happy New Year !"
"Wish You Smiles And Good Cheer!"

Message text: <empty>

Attached file: chosen from

Postcard.exe
postcard.ex
Greeting Card.exe
greeting card.exe
Greeting Postcard.exe
greeting postcard.exe

A typical email sent by the Dref-V worm.

W32/Dref-V is a virus with mass-mailing capability for the Windows platform. Files infected by W32/Dref-V are detected by Sophos as W32/Dref-L.


When first run, W32/Dref-V copies itself to <System>\alsys.exe and creates the following registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Agent
<System>\alsys.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Agent
<System>\alsys.exe

W32/Dref-V sets the following registry entry, disabling the automatic startup of the SharedAccess service:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).

W32/Dref-V may also attempt to drop a randomly named file into the current folder and run it. This file is detected by Sophos as W32/Dref-V.
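As an added defender-side example (not part of the Sophos description), the indicators above turned into two checks in Python: a mail-gateway rule that flags messages whose subject and attachment name both match the lists on this page, and a registry-snapshot check for the "Agent" Run value and the SharedAccess Start setting. The sample message and snapshot are constructed, and the <System> path C:\WINDOWS\system32 is an assumed value.

```python
from email import message_from_string
# Indicators transcribed from the description above; subjects are matched
# exactly, attachment names case-insensitively (the page lists both spellings).
DREF_V_SUBJECTS = {
    "Happy New Year!", "Annual Fun Forecast!", "Baby New Year !", "Fun 2007!",
    "Best Wishes For A Happy New Year!", "Fun Filled New Year!", "Happy 2007!",
    "Happiness And Continued Success!", "Happiness and Success!",
    "Happiness In Everything!", "Happy Times And Happy Memories!",
    "May Your Dreams Come True!", "New Hopes And New Beginnings!",
    "New Year..Happy Year!", "Promises Of Happy Times!", "Scale Greater Heights!",
    "Raising A Toast To Happy Times!", "Sparkling Happiness and Good Times!",
    "Warm New Year Hug!", "Warmest Wishes For New Year!", "Welcome 2007!",
    "Wishing Your Happiness!", "Wishing You Happy New Year !",
    "Wish You Smiles And Good Cheer!",
}
DREF_V_ATTACHMENTS = {"postcard.exe", "postcard.ex", "greeting card.exe",
                      "greeting postcard.exe"}
RUN_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
SHAREDACCESS = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess"

def email_matches_dref_v(raw_message: str) -> bool:
    """True when the subject and an attachment name both match the Dref-V lists."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    names = {p.get_filename().lower() for p in msg.walk() if p.get_filename()}
    return subject in DREF_V_SUBJECTS and bool(names & DREF_V_ATTACHMENTS)

def registry_indicators(snapshot: dict) -> list:
    """snapshot maps a key path to {value name: data}, as exported from a host."""
    hits = []
    for key in RUN_KEYS:  # persistence: Run value "Agent" -> <System>\alsys.exe
        data = str(snapshot.get(key, {}).get("Agent", ""))
        if data.lower().endswith("\\alsys.exe"):
            hits.append(f"{key}\\Agent = {data}")
    if snapshot.get(SHAREDACCESS, {}).get("Start") == 4:  # ICF autostart off
        hits.append(f"{SHAREDACCESS}\\Start = 4")
    return hits

# Constructed sample input (not a real capture) in the shape the page describes.
SAMPLE_EMAIL = """Subject: Happy 2007!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="Greeting Card.exe"

MZ-placeholder
--b1--
"""
SAMPLE_REGISTRY = {RUN_KEYS[0]: {"Agent": r"C:\WINDOWS\system32\alsys.exe"},
                   SHAREDACCESS: {"Start": 4}}
```

Running both checks over the samples flags the message and reports two registry hits; a clean message or an empty snapshot yields nothing.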