English
Deutsch
Francais
Español
Italian
Home
Virus Info
Worm/Avril.B
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
Worm/Avril.B - Worm
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Alias:
Worm/Naith.B
Type:
Worm
Size:
Size 34,815 bytes
Origin:
unknown
Date:
01-07-2003
Damage:
VDF Version:
Danger:
Low
Distribution:
Medium
Symptoms
On the 7th and 24th of the month a picture appears on the Windows desktop and the URL http://www.avril-IXXXXXe.de/ is run with the standard browser. Terminates running processes, antivirus and firewalls applications.
Distribution
Worm/Avril.B sends itself by email, using its SMTP engine. It spreads itself with the IRC-program mIRC, ICQ, file-sharing program KaZaA and mapped network drives.
Technical Details
Worm/Avril.B (34,815 bytes) has its own SMTP engine. Therefore it does not need Outlook or any other email program, to send its emails. An email sent by Worm/Avril.B can look like this:
Subject:
Fw: Redirection error notification
Body:
AVRIL LAVIGNE - THE CHART ATTACK!
Vote fo4r Complicated!
Vote fo4r Sk8er Boi!
Vote fo4r I'm with you!
Chart attack active list:
Attachment:
AvrilSmiles.exe
The email components can look very differently. The Worm chooses from the
following lists its subject, body and attachment name:
Subjects:
Fw: Redirection error notification
Re: Brigada Ocho Free membership
Re: According to Purge's Statement
Fw: Avril Lavigne - CHART ATTACK!
Re: Reply on account for IIS-Security Breach (TFTP)
Re: ACTR/ACCELS Transcriptions
Re: IREX admits you to take in FSAU 2003
Fwd: Re: Have U requested Avril Lavigne bio?
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
Re: Vote seniors masters - don't miss it!
Fwd: RFC-0245 Specification requested...
Fwd: RFC-0841 Specification requested...
Fw: F. M. Dostoyevsky "Crime and Punishment"
Re: Junior Achievement
Re: Ha perduto qualque cosa signora?
Bodies:
Body1:
AVRIL LAVIGNE - THE CHART ATTACK!
Vote fo4r Complicated!
Vote fo4r Sk8er Boi!
Vote fo4r I'm with you!
Chart attack active list:
Body2:
Restricted area response team (RART)
----------------------------------------------------------
Attachment you sent to is intended to overwrite start address at 0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch
Body3:
Network Associates weekly report:
Microsoft has identified a security vulnerability in Microsoft® IIS 4.0 and 5.0
that is eliminated by a previously-released patch.
Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action.
Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so to apply the patch immediately.
Patch is also provided to subscribed list of Microsoft® Tech Support:
Body4:
AVRIL LAVIGNE - THE BEST
Avril Lavigne's popularity increases:>
SO: First, Vote on TRL for I'm With U!
Next, Update your pics database!
Chart attack active list .>.>
Orginal Message:
Attachments:
Resume.exe, ADialer.exe, MSO-Patch-0071.exe, MSO-Patch-0035.exe, Two-Up-Secretly.exe Transcripts.exe, Readme.exe, AvrilSmiles.exe, AvrilLavigne.exe, Complicated.exe, TrickerTape.exe, Sophos.exe, Cogito_Ergo_Sum.exe, CERT-Vuln-Info.exe, Sk8erBoi.exe, IAmWiThYoU.exe, Phantom.exe, EntradoDePer.exe, SiamoDiTe.exe, BioData.exe or ALavigne.exe
Worm/Avril.B can run directly from Outlook Preview, without opening the
attachment. For this, it takes advantage of a security hole that has long existed in Outlook. Microsoft has prepared a patch:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
When the attachment is activated, Worm/Avril.B copies itself in the following
directories:
C:\Windows\Temp\avril-ii.inf
C:\Windows\download.sys
C:\Windows\System\<%random characters%>.exe
C:\RECYCLED\<%random characters%>.exe
C:\RECYCLED\<%random characters%>.exe
C:\RECYCLED\<%random characters%>.exe
These files have different names, composed of random characters. The worm will be activated by the next computer start, because of the registry entry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run]
"Avril Lavigne - Muse"="C:\\WINDOWS\\SYSTEM\\
7h827fg6b6c.EXE"
And Autoexec.bat enters the following lines:
@win \RECYCLED\<8 random characters >.exe
@win \RECYCLED\<8 random characters >.exe
@win \RECYCLED\<8 random characters >.exe
@win \RECYCLED\<8 random characters >.exe
Using a second registry entry it can be seen if the worm has been activated:
[HKEY_LOCAL_MACHINE\Software\OvG\Avril Lavigne]
"@"="Done"
"PSW-Trojan"="1"
If the file-sharing program KaZaA, ICQ or IRC Client mIRC are installed on the infected system, Worm/Avril.B tries to use them to send its files. On the 7th and 24th of the month a picture appears on the Windows desktop and the URL http://www.avril-IXXXXXe.de/ is run with the standard browser. If one of the following processes is listed in the Task list, Worm/Avril.B will terminate it:
* AVP32.EXE
* AVPMON.EXE
* ZONEALARM.EXE
* VSHWIN32.EXE
* VET95.EXE
* TBSCAN.EXE
* SERV95.EXE
* SCAN32.EXE
* RAV7.EXE
* NAVW.EXE
* OUTPOST.EXE
* NMAIN.EXE
* NAVNT.EXE
* MPFTRAY.EXE
* LOCKDOWN2000.EXE
* ICSSUPPNT.EXE
* ICLOAD95.EXE
* IAMAPP.EXE
* FINDVIRU.EXE
* F-AGNT95.EXE
* DV95.EXE
* DV95_O.EXE
* CLAW95CT.EXE
* CFIAUDIT.EXE
* AVWUPD32.EXE
* AVPTC32.EXE
* _AVP32.EXE
* AVGCTRL.EXE
* APVXDWIN.EXE
* _AVPCC.EXE
* AVPCC.EXE
* WFINDV32.EXE
* VSECOMR.EXE
* TDS2-NT.EXE
* SWEEP95.EXE
* SCRSCAN.EXE
* SAFEWEB.EXE
* JED.EXE
* ICSUPP95.EXE
* IBMAVSP.EXE
* FRW.EXE
* F-STOPW.EXE
* ESPWATCH.EXE
* DVP95.EXE
* CLAW95.EXE
* CFIADMIN.EXE
* AVWIN95.EXE
* AVPM.EXE
* AVP.EXE
* AVE32.EXE
* ANTI-TROJAN.EXE
* WEBSCAN.EXE
* WEBSCANX.EXE
* VSSCAN40.EXE
* TDS2-98.EXE
* SPHINX.EXE
* SCANPM.EXE
* RESCUE.EXE
* PCFWALLICON.EXE
* PAVCL.EXE
* NUPGRADE.EXE
* NAVWNT.EXE
* NAVAPW32.EXE
* LUALL.EXE
* IOMON98.EXE
* ICMOON.EXE
* IBMASN.EXE
* FPROT.EXE
* F-PROT95.EXE
* ESAFE.EXE
* CLEANER3.EXE
* EFINET32.EXE
* BLACKICE.EXE
* AVSCHED32.EXE
* AVCONSOL.EXE
* ACKWIN32.EXE
* VSSTAT.EXE
* VETTRAY.EXE
* TCA.EXE
* SMC.EXE
* SCAN95.EXE
* RAV7WIN.EXE
* PCCWIN98.EXE
* PADMIN.EXE
* NORMIST.EXE
* NAVW32.EXE
* N32SCAN.EXE
* LOOKOUT.EXE
* IFACE.EXE
* ICLOADNT.EXE
* IAMSERV.EXE
* FP-WIN.EXE
* F-PROT.EXE
* ECENGINE.EXE
* CLEANER.EXE
* CFIND.EXE
* BLACKD.EXE
* AVPUPD.EXE
* AVKSERV.EXE
* AUTODOWN.EXE
* _AVPM.EXE
* AVPM.EXE
* KPFW32.EXE
* KPF.EXE PERSFW.EXE
* NAVSCHED.EXE
* NVC95.EXE
* NISUM.EXE
* NAVLU32.EXE
* MOOLIVE.EXE AVPDOS32.EXE
* AVPNT.EXE
All the programs that have the following strings in their names will also be ended: Norton, AVP, Anti, Virus, McAfee, anti, virus.
See a brief description
here
.
Description inserted by Crony Walker on Tue, 15 Jun 2004 14:00 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
TR/Crypt.CFI.Gen
W32/Elkern.C
Worm/Mytob.AD
Worm/Mytob.AT
Worm/Bagle.FJ
TR/Drop.MuJoin.AF
PHISH/CrediCard
TR/Autorun.afj
BDS/Agent.qfh.1
TR/Dldr.FraudLoa.NC
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
TR/Spy.Banker.AATZ
TR/Spy.Banker.AATZ.1
TR/Spy.Banker.AATZ.2
TR/Spy.Banker.AATZ.3
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Print this page
.gif)
