Find a Partner
This window is encrypted for your security.
Need help? Ask the community or hire an expert.
Go to Avira Answers
W32/Lirva.B, W32.Arvil.A, W32.Naith.A, Avril, Avron
Worm/Avril.A.2 makes registry entries and tries to terminate various active processes.
The email sent by the worm is in HTML format, packed with UPX.
-'Fw: Prohibited customers...'
-'Re: Brigade Ocho Free membership'
-'Re: According to Daos Summit'
-'Fw: Avril Lavigne - the best'
-'Re: Reply on account for IIS-Security'
-'Re: ACTR/ACCELS Transcriptions'
-'Re: The real estate plunger'
-'Fwd: Re: Admission procedure'
-'Re: Reply on account for IFRAME-Security breach'
-'Fwd: Re: Reply on account for Incorrect MIME-header'
-'Restricted area response team (RART)Attachment you sent to %s is intended to overwrite start address at 0000:HH4F%sTo prevent from the further buffer overflow attacks apply the MSO-patch %s'
-'Avril fans subscriptionFanList admits you to take in Avril Lavigne 2003 Billboard awards ceremonyVote for I'm with you!Admission form attached below' -'Microsoft has identified a security vulnerability in Microsoft(r); IIS 4.0and 5.0 that is eliminated by a previously-released patch.Customers who have applied that patch are already protected against thevulnerability and do not need to take additional action.Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have notalready done so to apply the patch immediately.Patch is also provided to subscribed list of Microsoft(r) Tech Support:'
Spreading over Local Area Network:
Avril searches all available windows drives and networks for infecting the computer. The worm tries to copy itself in the directory of shared net resources or drives, using random names.
Spreading over Peer-to-Peer- Network:
If Avril finds a Kazaa Client on the infected computer, it copies itself in the archive. The file name is the same as the email attachment (see above).
Spreading over Internet Chats:
If it finds mIRC on the computer, Avril changes the configuration and so the worm is able to copy itself from other Chat users.
Spreading over ICQ Networks:
After creating files, the worm searches for a file in ICQ installation folder, named "ICQMAPI.DLL". If the file is available, the worm copies it in Windows System directory. This DLL looks after ICQ Client access. If the worm can connect to ICQ, it goes through all active contacts in the users list and tries to copy itself on these. The file name is one of the above email list.
Avril.A.2 brakes off some antivirus programs and security applications. It tries to find passwords in the system and to send them to an email address. It looks for email addresses in files with the following extensions:
The worm copies itself in Windows System directory and makes the following registry entry, for automatic start:
'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Avril Lavigne - Muse'
It also enters:
The worm periodically checks if the following processes are active and terminates them:
'AVP32.EXE' 'AVPMON.EXE' 'ZONEALARM.EXE' 'VSHWIN32.EXE' 'VET95.EXE' 'TBSCAN.EXE' 'SERV95.EXE' 'SCAN32.EXE' 'RAV7.EXE' 'NAVW.EXE' 'OUTPOST.EXE' 'NMAIN.EXE' 'NAVNT.EXE' 'MPFTRAY.EXE' 'LOCKDOWN2000.EXE' 'ICSSUPPNT.EXE' 'ICLOAD95.EXE' 'IAMAPP.EXE' 'FINDVIRU.EXE' 'F-AGNT95.EXE' 'DV95.EXE' 'DV95_O.EXE' 'CLAW95CT.EXE' 'CFIAUDIT.EXE' 'AVWUPD32.EXE' 'AVPTC32.EXE' '_AVP32.EXE' 'AVGCTRL.EXE' 'APVXDWIN.EXE' '_AVPCC.EXE' 'AVPCC.EXE' 'WFINDV32.EXE' 'VSECOMR.EXE' 'TDS2-NT.EXE' 'SWEEP95.EXE' 'SCRSCAN.EXE' 'SAFEWEB.EXE' 'PERSFW.EXE' 'NAVSCHED.EXE' 'NVC95.EXE' 'NISUM.EXE' 'NAVLU32.EXE' 'MOOLIVE.EXE' 'JED.EXE' 'ICSUPP95.EXE' 'IBMAVSP.EXE' 'FRW.EXE' 'F-STOPW.EXE' 'ESPWATCH.EXE' 'DVP95.EXE' 'CLAW95.EXE' 'CFIADMIN.EXE' 'AVWIN95.EXE' 'AVPM.EXE' 'AVP.EXE' 'AVE32.EXE' 'ANTI-TROJAN.EXE' 'WEBSCAN.EXE' 'WEBSCANX.EXE' 'VSSCAN40.EXE' 'TDS2-98.EXE' 'SPHINX.EXE' 'SCANPM.EXE' 'RESCUE.EXE' 'PCFWALLICON.EXE' 'PAVCL.EXE' 'NUPGRADE.EXE' 'NAVWNT.EXE' 'NAVAPW32.EXE' 'LUALL.EXE' 'IOMON98.EXE' 'ICMOON.EXE' 'IBMASN.EXE' 'FPROT.EXE' 'F-PROT95.EXE' 'ESAFE.EXE' 'CLEANER3.EXE' 'EFINET32.EXE' 'BLACKICE.EXE' 'AVSCHED32.EXE' 'AVPDOS32.EXE' 'AVPNT.EXE' 'AVCONSOL.EXE' 'ACKWIN32.EXE' 'VSSTAT.EXE' 'VETTRAY.EXE' 'TCA.EXE' 'SMC.EXE' 'SCAN95.EXE' 'RAV7WIN.EXE' 'PCCWIN98.EXE' 'PADMIN.EXE' 'NORMIST.EXE' 'NAVW32.EXE' 'N32SCAN.EXE' 'LOOKOUT.EXE' 'IFACE.EXE' 'ICLOADNT.EXE' 'IAMSERV.EXE' 'FP-WIN.EXE' 'F-PROT.EXE' 'ECENGINE.EXE' 'CLEANER.EXE' 'CFIND.EXE' 'BLACKD.EXE' 'AVPUPD.EXE' 'AVKSERV.EXE' 'AUTODOWN.EXE' '_AVPM.EXE' 'AVPM.EXE' 'KPFW32.EXE' 'KPF.EXE'
On the 7th, 11th and 24th of every month, the worm opens www.avril-lavigne.com in the web browser.
Description inserted by Crony Walker on Tuesday, June 15, 2004