TrendLabs Malware Blog

MIRC Adventure

Dec 11, 5:44 am (UTC-7)

I hadn't visited mIRC for a while, so I intended to visit it at the start of my shift. I joined a couple of channels, and after some time I received a private message with a link pointing to a binary file. Yes, just as I expected, malware still uses mIRC for its own purposes.

The binary file turned out to be WORM_DREFIR.A, which was undetected at the time and is now being processed by the Service Team. This malware caught my interest because, in addition to a destructive payload (it replaces every file it can access with an empty file of the same filename), it can add a copy of itself to any RAR archive it finds on the affected user's computer. The copy added to the RAR file is given a randomly generated filename.

A computer affected by this malware is used as a host to spread it further. The worm opens port 80 (HTTP), from which potential victims can download a copy of the malware. It then sends private messages to potential victims through the mIRC channels it has joined; each message contains a link to a copy of the malware hosted at the affected computer's own IP address.

Example:

A potential victim receives a message like the following via IRC:

    http://www.google.com/url?q=http://xxx.yyy.zzz/TrialXXXView.scr

Here http://xxx.yyy.zzz is the IP address of the compromised machine hosting the malware. Wrapping the link in a google.com/url?q= redirect makes the message look as if it points to Google, while the browser is actually redirected to the compromised host; the .scr (screen saver) extension is an ordinary Windows executable format.
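The lure described above has three recognisable traits: a google.com/url?q= redirect wrapper, a bare IP address as the real host, and an executable extension. The following Python script, an added example written for this page rather than code from Trend Micro or from the worm itself, unwraps the redirect and flags messages with those traits in a constructed IRC log. The nicknames, hosts and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges invented for the sample; the scoring rule (flag an executable, or a redirect that lands on a bare IP) is an assumption, not a description of any product's detection logic.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of raw IRC PRIVMSG lines (not a real capture). The first
# line mimics the DREFIR lure; the others are benign or only partially suspicious.
SAMPLE_LOG = """\
:alice!~a@example.org PRIVMSG bob :hey, check this out http://www.google.com/url?q=http://203.0.113.45/TrialXXXView.scr
:carol!~c@example.net PRIVMSG bob :the slides are at https://www.example.com/talk.pdf
:dave!~d@example.org PRIVMSG #chan :http://www.google.com/url?q=https://www.example.org/page.html
:eve!~e@example.net PRIVMSG bob :grab it from http://198.51.100.7/setup.exe
"""

PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!\S+\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Extensions Windows will run directly when double-clicked (assumed watch list).
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd")


def unwrap_redirect(url):
    """Return (final_url, was_redirect) after one google.com/url?q= hop."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if (host == "google.com" or host.endswith(".google.com")) and parsed.path == "/url":
        target = parse_qs(parsed.query).get("q")
        if target:
            return unquote(target[0]), True
    return url, False


def is_ip_host(host):
    """True if the host part is a literal IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def assess_url(url):
    """Return (final_url, reasons) describing why a link looks like a worm lure."""
    final, redirected = unwrap_redirect(url)
    parsed = urlparse(final)
    reasons = []
    if redirected:
        reasons.append("google redirect")
    if is_ip_host(parsed.hostname or ""):
        reasons.append("bare IP host")
    if parsed.path.lower().endswith(EXECUTABLE_EXTS):
        reasons.append("executable extension")
    return final, reasons


def scan_irc_log(log_text):
    """Return [(nick, target, final_url, reasons)] for each flagged link.

    Scoring rule (an assumption for this example): flag any link to an
    executable, or any redirect whose real destination is a bare IP address.
    """
    hits = []
    for line in log_text.splitlines():
        m = PRIVMSG_RE.match(line)
        if not m:
            continue
        for url in URL_RE.findall(m.group("text")):
            final, reasons = assess_url(url)
            if "executable extension" in reasons or len(reasons) >= 2:
                hits.append((m.group("nick"), m.group("target"), final, reasons))
    return hits


if __name__ == "__main__":
    for nick, target, final, reasons in scan_irc_log(SAMPLE_LOG):
        print(f"{nick} -> {target}: {final}  [{', '.join(reasons)}]")
```

Run as-is, the script flags the alice and eve lines and leaves dave's redirect to a normal web page alone. Note that unwrapping only one redirect hop is deliberate; chained redirectors would need a loop with a hop limit to avoid an attacker-controlled cycle.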

The destructive payload is triggered on the 29th of each month, when the seconds value of the system clock is above 30. Here is the message it displays:

It is good practice not to click URL links from IRC messages, even when they come from a known acquaintance. Your friend's computer may have been compromised, and it may be the malware, not your friend, that sent you the message. :)

Keep your antivirus pattern files updated regularly to stay protected from the malware being discovered in the wild.

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice