MIRC Adventure

I hadn’t visited mIRC for a while, so I decided to visit it at the start of my shift. I joined a couple of channels, and after some time I received a private message with a link pointing to a binary file. Yeah, just as I expected, malware still uses mIRC for its own purposes.

The binary file is an undetected WORM_DREFIR.A and is already being processed by the Service Team. This malware caught my interest because, aside from its destructive payload, in which it replaces every file it can access with an empty file of the same filename, it can add a copy of itself to a RAR file found on the affected user’s computer. It uses a randomly generated filename for the copy that it adds to the RAR file.

A computer affected by this malware is used as a host to spread it. The malware opens port 80 (HTTP), through which potential victims can get a copy of the malware. It sends private messages to potential victims through the mIRC channel it has connected to. Each message contains a link to a copy of the malware, using the IP address of the affected computer.

Example:

A potential victim receives the following message via IRC:

— “http://www.google.com/url?q=http://xxx.yyy.zzz/TrialXXXView.scr”

Where: http://xxx.yyy.zzz will be the IP address of a compromised machine hosting the malware.
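The lure above wraps the real target in a Google redirect, so a check has to unwrap it before judging the link. The following is an added example, not part of the original post or of any product's code: it flags chat messages whose final link points at a bare IP address and ends in an executable extension. The function names, the extension list beyond `.scr`, and the sample messages are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# .scr is the extension used in the lure above; the other entries are assumed.
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com", ".bat")
# Stop at whitespace, ASCII quotes, angle brackets and curly quotes.
URL_RE = re.compile(r"https?://[^\s\"'<>\u201c\u201d]+", re.IGNORECASE)


def unwrap_redirect(url, max_depth=3):
    """Follow google.com/url?q=... wrappers to the final target URL."""
    for _ in range(max_depth):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        is_google = host == "google.com" or host.endswith(".google.com")
        target = parse_qs(parts.query).get("q")
        if not (is_google and parts.path == "/url" and target):
            break
        url = target[0]
    return url


def is_ip_literal(host):
    """True when the host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(message):
    """Return (original, final_target) pairs matching the lure pattern."""
    hits = []
    for original in URL_RE.findall(message):
        final = unwrap_redirect(original)
        parts = urlsplit(final)
        if is_ip_literal(parts.hostname or "") and \
                parts.path.lower().endswith(EXECUTABLE_EXTS):
            hits.append((original, final))
    return hits


# Constructed sample messages; 192.0.2.10 is a documentation address (RFC 5737).
SAMPLES = [
    "http://www.google.com/url?q=http://192.0.2.10/TrialXXXView.scr",
    "see http://www.google.com/url?q=http://example.org/readme.txt",
    "docs at http://example.org/setup.exe",
]
```

Only the first constructed sample is flagged; the other two resolve to a hostname rather than an IP address.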

The payload of the malware is activated on the 29th of every month when the seconds value of the system time is above 30. Here’s the displayed message:

It is good practice not to click URL links in IRC messages, even if they come from a known acquaintance. It is possible that your friend’s computer was compromised and that it was the malware that sent you the message. :)

Keep your antivirus pattern files updated regularly to stay protected from malware that is being discovered in the wild.