SonicWall Signatures



Drefir.E is a worm. Worms spread from computer to computer by making copies of themselves over the network. They can spread over email, IM, peer-to-peer networks, or directly over the wire by leveraging vulnerabilities. Drefir.E has a file size of 123,986 bytes. It performs the following network activity:
  • Looks for an Internet connection.
  • Connects to "" on port 6667 (TCP).
  • Connects to IRC server.

Drefir.E drops the following file on the hard drive:
  • C:\WINDOWS\SYSTEM32\SysDrefIWv2.exe (123986 bytes)

It also changes the Windows registry:
  • Creates value "DrefIW"="C:\WINDOWS\SYSTEM32\SysDrefIWv2.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
  • Creates value "DrefIW"="C:\WINDOWS\SYSTEM32\SysDrefIWv2.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".

It creates the following mutex to ensure only one instance is running: ==[ irc test worm by h1t3m ]==. Because of the Run key values above, it is also executed every time Windows starts.

Relevant Information