W32.Dreffort

1. Infects all .EXE and .SCR files in all subdirectories on drives C - Z.
   
   
2. Adds itself to .RAR archives.
   
   
3. Deletes any files that it can find on the 29th of December in any year.
   
   
4. Drops a back door that binds a command-shell on TCP port 666 on the 29th of any month.
   
   
5. Has a random filename for the back door.
   
   
6. Adds the value using the back door component:
   
   "Voltage Manager" = "[random file name]"
   
   to the registry subkey:
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   
   
7. Disables the Windows Firewall.
   
   
8. Intends to send itself by email, but this functionality does not work on Windows XP or 2003.
   Message body is one of the following:
   
   
   • Dear Microsoft Customer
     
     A new vulnerability has been discovered in Internet Explorer
     we recommending you to update internet explorer as soon as
     possible, this vulnerablility is critical and may allow
     execution of malicious code on your system while you use internet
     explorer.
     
     
   • 150 XXX Pictures For You !!!
     
     here are your dayly xxx pictures.
     Have Fun & Enjoy...
     
     we like to inform you that your account at
     our web site will be expired at the end of
     this month,please renew your account
     renew of account for old members is only 25$
     per half year.
     
     Please Visit Our Web Site:
     http://www.WorldSex.com/
     
     
   • Dear Symantec/F-Secure/Mcafee/Trend Micro User
     
     We Have Developed A New Tool That Can Block New
     Internet Worms From Attacking Your Computer,We
     Recommending To Install This Tool Before A New
     Internet Worm Will Start To Spread
     
     How To Use The Tool:
     Just Run The Attached File,After You Have Run It
     Follow The Instructions.
     
     Thank You.
     The Virus Bulletin Security Team.
     For More Information Please Visit Our Web Site:
     http://www.virusbtn.com/
     
     If you do not wish to receive future antivirus tools from
     Virus Bulletin, or believe you were subscribed in error,
     please send,a blank E-mail to Subscribe@Virusbtn.com
     
     
   • Dear User.
     
     Sharman Networks Wants To offer You The New
     Version Of Kazaa !!!
     Please Read Product Description Below:
     
     Kazaa Media Desktop is the world's No. 1
     free, peer-to-peer, file-sharing software
     application. Features include improved
     privacy protection; the ability to search
     for and download music, playlists, software,
     video files, documents, and images; the
     ability to set up and manage music and video
     playlists; and the ability to perform
     multiple simultaneous searches, including
     up to five Search Mores, which deliver up
     to 1,000 results per search term.
     
     We Have Included A Free Version Of Kazaa In
     This Mail,Try It !!!
     
     Thank You.
     Sharman Networks.
     
     If you do not wish to receive future E-mail's from
     Sharman Networks, or believe you were subscribed in
     error, please send a blank E-mail to Remove@kazaa.com
     
     
   • Greeting-Cards.com have sent you a Greeting Card
     
     One Of Your Friends Wish You Happy Year
     Love,Fun,Good Life,And Good Luck.
     
     To Show His Love He Sent You A Greeting
     Card,Congratulations !
     
     Hope you enjoy our e-cards! Spread the love and send one of our FREE e-cards!
     Brought to you by greeting-cards.com - a better way to greet for FREE!
     Please Visit Greeting Cards Web site:http://www.greeting-cards.com/

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
• Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
• Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
• Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
• If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
• If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
• For further information on the terms used in this document, please refer to the Security Response glossary.