Bugsalert.com
Security News about Viruses, Spyware,
Trojans, Malware, XSS attacks.

WORM_DREFIR.C


This memory-resident worm propagates by sending a copy of itself as an attachment to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.

It generates email addresses by combining a list of names with any of the domain names of the addresses it previously gathered.

The email it sends out has the following details:

Subject: (any of the following)
• here are the pictures you asked me to send you.
• Resume
• My Story
• Your Files
• Your Stuff

Message Body: (any of the following)
• for any help,mail me back
• here are the porn screen saver you asked me to show you...
• here are the programms you asked me to mail you
• just read it,its fantastic
• please read again what i have written to you !

Attachment: (a .RAR file with any of the following file names)
• info.rar
• My Life.rar
• package1.rar
• pictures.rar
• porn.rar

File in .RAR Attachment: (any of the following)
• linda.scr
• mail_READ.txt...scr
• musicbox.MP3.pif
• pictures.JPG...pif
• Story.scr
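
The indicators listed above can be turned into a mail-gateway check. The following is an added example, not code from the original advisory: it flags archive member names that end in an executable extension, optionally hidden behind a decoy extension and runs of dots, and combines that with the listed subjects and attachment names. It assumes the gateway has already extracted the member names from the .RAR file; the extension sets, verdict names and sample messages are constructed for illustration.

```python
import re

# Indicators taken from the description above, lower-cased for comparison.
SUBJECTS = {"here are the pictures you asked me to send you.", "resume",
            "my story", "your files", "your stuff"}
ATTACHMENTS = {"info.rar", "my life.rar", "package1.rar", "pictures.rar", "porn.rar"}
MEMBERS = {"linda.scr", "mail_read.txt...scr", "musicbox.mp3.pif",
           "pictures.jpg...pif", "story.scr"}

# Assumptions, not from the page:
EXECUTABLE = {"scr", "pif", "exe", "com", "bat", "cmd"}  # run directly by Windows
DECOY = {"txt", "jpg", "jpeg", "gif", "mp3", "doc", "pdf"}  # harmless-looking

def name_flags(member):
    """Return the reasons an archive member name looks deceptive."""
    name = member.strip().lower()
    parts = [p for p in re.split(r"\.+", name) if p]  # "a.txt...scr" -> a, txt, scr
    flags = []
    if len(parts) >= 2 and parts[-1] in EXECUTABLE:
        flags.append("executable")
        if len(parts) >= 3 and parts[-2] in DECOY:
            flags.append("double-extension")
        if re.search(r"\.{2,}", name):
            flags.append("dot-padding")
    if name in MEMBERS:
        flags.append("listed-name")
    return flags

def assess(subject, attachment, members):
    """Return (verdict, message-level hits, per-member flags)."""
    hits = [label for label, value, known in
            (("subject", subject, SUBJECTS), ("attachment", attachment, ATTACHMENTS))
            if value.strip().lower() in known]
    flags = {m: name_flags(m) for m in members}
    risky = any("executable" in f for f in flags.values())
    listed = any("listed-name" in f for f in flags.values())
    if risky:
        verdict = "block" if (hits or listed) else "quarantine"
    else:
        verdict = "review" if hits else "pass"  # "Resume" alone is too common to block
    return verdict, hits, flags

# Constructed sample messages: (subject, attachment name, archive member names).
SAMPLES = [
    ("Your Files", "package1.rar", ["pictures.JPG...pif"]),
    ("Quarterly numbers", "q3.rar", ["summary.doc.exe"]),
    ("Resume", "cv.rar", ["cv.pdf"]),
    ("Lunch?", "menu.rar", ["menu.txt"]),
]
```

Calling assess(*sample) on each entry of SAMPLES returns the verdict first, followed by the matched message fields and the flags for each member name.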

It also spreads via Internet Relay Chat (IRC) servers. It connects to various servers using certain nicks, then displays messages containing either a URL or hyperlinked phrases that, when clicked, download a copy of the worm.

It checks the current month and day of the system. If the date is June 29, it deletes the contents of all accessible files on fixed and mapped network drives. It also displays the following message box:




Original Source: http://feeds.trendmicro.com/~r/MalwareTop10/~3/178716441/default5.asp
