Updated 1/9/03
Virus Warning issued for Worm/Avril.B
Details:
Name: Worm/Avril.B
Alias: W32/Lirva.C
Type: Internet Worm
Discovered: January 8, 2003
Size: 34.815 KB
Platform: Windows
Description:
Worm/Avril.B is a slight variation of Worm/Avril.A, an Internet worm that spreads through e-mail by searching for e-mail addresses in files with the extensions IDX, NCH, DBX, MBX, WAB, HTML, EML, HTM, TBB and SHTML, as well as through the mIRC network.
This variant arrives through e-mail with the following characteristics:
Subject: <randomly selected from>
- Fw: Redirection error notification
- Re: Brigada Ocho Free membership
- Re: According to Purge's Statement
- Fw: Avril Lavigne - CHART ATTACK!
- Re: Reply on account for IIS-Security Breach (TFTP)
- Re: ACTR/ACCELS Transcriptions
- Re: IREX admits you to take in FSAU 2003
- Fwd: Re: Have U requested Avril Lavigne bio?
- Re: Reply on account for IFRAME-Security breach
- Fwd: Re: Reply on account for Incorrect MIME-header
- Re: Vote seniors masters - don't miss it!
- Fwd: RFC-0245 Specification requested...
- Fwd: RFC-0841 Specification requested...
- Fw: F. M. Dostoyevsky "Crime and Punishment"
- Re: Junior Achievement
- Re: Ha perduto qualque cosa signora?
Body1: AVRIL LAVIGNE - THE CHART ATTACK!
Vote fo4r Complicated!
Vote fo4r Sk8er Boi!
Vote fo4r I'm with you!
Chart attack active list:
Body2: Restricted area response team (RART)
Attachment you sent to is intended to overwrite start address at 0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch
Body3: Network Associates weekly report:
Microsoft has identified a security vulnerability in Microsoft® IIS 4.0 and 5.0
that is eliminated by a previously-released patch.
Customers who have applied that patch are already protected against the
vulnerability
and do not need to take additional action.
Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not
already done so
to apply the patch immediately.
Patch is also provided to subscribed list of Microsoft® Tech Support:
Body4: AVRIL LAVIGNE - THE BEST
Avril Lavigne's popularity increases:>
SO: First, Vote on TRL for I'm With U!
Next, Update your pics database!
Chart attack active list .>.>
Attachment: <randomly selected from>
- Resume.exe
- ADialer.exe
- MSO-Patch-0071.exe
- MSO-Patch-0035.exe
- Two-Up-Secretly.exe
- Transcripts.exe
- Readme.exe
- AvrilSmiles.exe
- AvrilLavigne.exe
- Complicated.exe
- TrickerTape.exe
- Sophos.exe
- Cogito_Ergo_Sum.exe
- CERT-Vuln-Info.exe
- Sk8erBoi.exe
- IAmWiThYoU.exe
- Phantom.exe
- EntradoDePer.exe
- SiamoDiTe.exe
- BioData.exe
- ALavigne.exe
Worm/Avril.B arrives via e-mail, mIRC, ICQ and Kazaa.
Due to a vulnerability in Microsoft Outlook, the virus can execute itself automatically when the message is shown in the preview pane. Microsoft has released a patch for this vulnerability.
It searches for e-mail addresses in files with the extensions IDX, NCH, DBX, MBX, WAB, HTML, EML, HTM, TBB and SHTML. After copying itself to various locations, it creates the file "c:\windows\listrecp.dll", in which the harvested e-mail addresses are stored. It also creates a script.ini file for mIRC so that it can spread through mIRC. A third file, "c:\windows\temp\avril-ii.inf", contains comments from the virus author, for example "2002 (c) Otto von Gutenberg" and "Made in .::]|KaZAkHstaN|[::.". The virus has its own SMTP engine. If ICQ is installed, the worm tries to send itself to all contacts on the user's list automatically; whether the send completes, is cancelled or is not accepted, the worm resends the file every minute. If Kazaa is installed, the worm copies itself to the Kazaa shared directory.
The locations the worm copies itself to include:
- C:\Windows\temp\avril-ii.inf
- C:\Windows\temp\download.sys
- C:\Windows\System\<random 11 characters>.exe
It also does some modifications in the file "C:\autoexec.bat" (see
below):
@win \RECYCLED\0cE26cHf.exe
@win \RECYCLED\Bbh1dFeD.exe
@win \RECYCLED\31c9a1Af.exe
@win \RECYCLED\25G0466A.exe
** filenames are random.
So that it runs each time the computer is restarted, the following registry keys are added:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Avril Lavigne - Muse"="C:\\WINDOWS\\SYSTEM\\<11 random
characters>.exe"
- HKEY_LOCAL_MACHINE\Software\OvG\Avril Lavigne
@="Done"
"PSW-Trojan"="1"
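As an added illustration (not code from the advisory or its vendor), the Python below checks for the host artifacts listed above in three inputs a responder would typically collect: a registry export, the text of C:\autoexec.bat and a list of files present on disk. The function names and the sample registry, autoexec.bat and file-list values are constructed for this example.

```python
import re
# Host indicators from the advisory above: Run value, marker key, the
# autoexec.bat loader lines and dropped files. Sample input is constructed.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
MARKER_KEY = r"hkey_local_machine\software\ovg\avril lavigne"
RUN_VALUE = "Avril Lavigne - Muse"
DROPPED = {r"c:\windows\listrecp.dll", r"c:\windows\temp\avril-ii.inf",
           r"c:\windows\temp\download.sys"}
# "@win \RECYCLED\<8 random>.exe" in autoexec.bat; Run data is SYSTEM\<11 random>.exe
AUTOEXEC_RE = re.compile(r"^@win\s+\\RECYCLED\\[0-9A-Za-z]{8}\.exe$", re.I)
RUN_DATA_RE = re.compile(r"^C:\\WINDOWS\\SYSTEM\\[0-9A-Za-z]{11}\.exe$", re.I)

def parse_reg_export(text):
    """Parse .reg export text into {key (lowercased): {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)  # "@" is the unquoted default value
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def triage(reg_text, autoexec_text, present_files):
    """Return human-readable indicator hits found in the three inputs."""
    hits, keys = [], parse_reg_export(reg_text)
    data = keys.get(RUN_KEY, {}).get(RUN_VALUE)
    if data is not None:
        kind = "dropper pattern" if RUN_DATA_RE.match(data) else "unexpected data"
        hits.append(f"Run value '{RUN_VALUE}' -> {data} ({kind})")
    if MARKER_KEY in keys:
        hits.append(f"marker key present with values {keys[MARKER_KEY]}")
    for n, line in enumerate(autoexec_text.splitlines(), 1):
        if AUTOEXEC_RE.match(line.strip()):
            hits.append(f"autoexec.bat line {n}: {line.strip()}")
    hits += [f"dropped file present: {p}" for p in present_files if p.lower() in DROPPED]
    return hits

SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Avril Lavigne - Muse"="C:\\WINDOWS\\SYSTEM\\qxZ9kLm2pA7.exe"
[HKEY_LOCAL_MACHINE\Software\OvG\Avril Lavigne]
@="Done"
"PSW-Trojan"="1"'''
SAMPLE_AUTOEXEC = "@echo off\n@win \\RECYCLED\\0cE26cHf.exe\nSET PATH=C:\\WINDOWS\n"
SAMPLE_FILES = [r"C:\WINDOWS\listrecp.dll", r"C:\WINDOWS\win.ini"]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_REG, SAMPLE_AUTOEXEC, SAMPLE_FILES)))
```

On a live host the same checks would be fed from a `reg export` of the two keys, the real autoexec.bat and a directory listing; the random 8- and 11-character names are matched by pattern because the advisory says they vary per infection.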
The worm looks for the following programs and terminates them when found in memory:
- _Avp32.exe
- _avpcc.exe
- _avpm.exe
- Ackwin32.exe
- Anti-trojan.exe
- Apvxdwin.exe
- Autodown.exe
- Avconsol.exe
- Ave32.exe
- Avgctrl.exe
- Avkserv.exe
- Avp.exe
- Avp32.exe
- Avpcc.exe
- Avpdos32.exe
- Avpm.exe
- Avpmon.exe
- Avpnt.exe
- Avptc32.exe
- Avpupd.exe
- Avsched32.exe
- Avwin95.exe
- Avwupd32.exe
- Blackd.exe
- Blackice.exe
- Cfiadmin.exe
- Cfiaudit.exe
- Cfind.exe
- Claw95.exe
- Claw95ct.exe
- Cleaner.exe
- Cleaner3.exe
- Dv95.exe
- Dv95_o.exe
- Dvp95.exe
- Ecengine.exe
- Efinet32.exe
- Esafe.exe
- Espwatch.exe
- F-agnt95.exe
- Findviru.exe
- Fprot.exe
- F-prot.exe
- F-prot95.exe
- Fp-win.exe
- Frw.exe
- F-stopw.exe
- Iamapp.exe
- Iamserv.exe
- Ibmasn.exe
- Ibmavsp.exe
- Icload95.exe
- Icloadnt.exe
- Icmoon.exe
- Icssuppnt.exe
- Icsupp95.exe
- Iface.exe
- Iomon98.exe
- Jed.exe
- Kpf.exe
- Kpfw32.exe
- Lockdown2000.exe
- Lookout.exe
- Luall.exe
- Moolive.exe
- Mpftray.exe
- N32scan.exe
- Navapw32.exe
- Navlu32.exe
- Navnt.exe
- Navsched.exe
- Navw.exe
- Navw32.exe
- Navwnt.exe
- Nisum.exe
- Nmain.exe
- Normist.exe
- Nupgrade.exe
- Nvc95.exe
- Outpost.exe
- Padmin.exe
- Pavcl.exe
- Pccwin98.exe
- Pcfwallicon.exe
- Persfw.exe
- Rav7.exe
- Rav7win.exe
- Rescue.exe
- Safeweb.exe
- Scan32.exe
- Scan95.exe
- Scanpm.exe
- Scrscan.exe
- Serv95.exe
- Smc.exe
- Sphinx.exe
- Sweep95.exe
- Tbscan.exe
- Tca.exe
- Tds2-98.exe
- Tds2-nt.exe
- Vet95.exe
- Vettray.exe
- Vsecomr.exe
- Vshwin32.exe
- Vsscan40.exe
- Vsstat.exe
- Webscan.exe
- Webscanx.exe
- Wfindv32.exe
- Zonealarm.exe
If the worm finds active processes with one of the following strings in their names, it will also terminate those programs.
- Norton
- AVP
- Anti
- Virus
- McAfee
- anti
- virus
This variant has been modified with the ability to update itself from a list of
specified websites.