Aliases: W32/Dreffort@M, Backdoor.Trojan, Win32.HLLM.Dref, WORM_DREFIR.C, Worm/Drefir.C.1
Variants: N/A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 05 Apr 2005
Damage: High

Characteristics: This virus is characterized as direct infector of Windows executables. It also infects the root directory of the C to Z drive and all of its subdirectories. When executed, W32.Dreffort infects all files with .exe extension at the end of the file. Files become programs that initiate and run the virus. It continuously creates a file that is the same as the target file.

More details about W32.Dreffort

W32.Dreffort includes a “_” sign added at the beginning of the filename. This will be an encrypted filename of the original file. This newly created file will be automatically decrypted and run. As such, it will overwrite the target file with a copy of it. It creates a random filename for the backdoor. To make it hard to detect, it also adds itself to .RAR archives. It also monitors computer system and consequently deletes any files it can find on the 29th of December in any year. It also drops a backdoor that binds a command-shell on TCP port 666 on the 29th of any month.  Windows firewall is also automatically disabled by this virus. On some Windows Operating System platforms except XP and 2003, it can also perform a mass mailing action by sending itself automatically to your MS Outlook email contacts.

W32.Dreffort sends email with this letter, “Dear Microsoft Customer, a new vulnerability has been discovered in Internet Explorer we recommending you to update internet explorer as soon as possible, this vulnerability is critical and may allow execution of malicious code on your system while you use internet explorer.150 XXX Pictures For You !!! here are your dayly xxx pictures. Have Fun & Enjoy...we like to inform you that your account at our web site will be expired at the end of this month, please renew your account renew of account for old members is only 25$ per half year. Please Visit Our Web Site: http://www.WorldSex.com/.” This is a standard format for the message body and for some, it only changes the name of the antivirus or other programs used by the user. It may say that they come from Symantec, Kaza,a and Greeting-Cards.com.