Worm/Avril.A - Worm

See also

Full description

Alias:	Worm/Naith.A
Type:	Worm
Size:	32,766 bytes
Origin:	unknown
Date:	07-01-2003
Damage:
VDF Version:
Danger:	Low
Distribution:	Medium

Symptoms- On the 7th and 24th of the month a picture appears on the Windows desktop and the URL http://www.avril-IXXXXXe.de/ is run with the standard browser.
- Terminates running processes, antivirus and firewalls applications, for example.

DistributionWorm/Avril.A sends itself by email, using its SMTP engine and the IRC-program mIRC.

Technical DetailsWorm/Avril.A (32,766 bytes) has its own SMTP engine. Therefore it does not need Outlook or any other email program, to send its emails. An email sent by Worm/Avril.A can look like this:

Subject:
Re: The real estate plunger

Body:
Avril fans subscription
FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony
Vote for I'm with you!
Admission form attached below

Attachment:
IAmWiThYoU.exe

The email components can look very differently. The worm chooses from the following lists its subject, body and attachment name:

Subjects:

Fw: Avril Lavigne - the best
or: Fw: Prohibited customers...
or: Fwd: Re: Admission procedure
or: Fwd: Re: Reply on account for Incorrect MIME-header
or: Re: According to Daos Summit
or: Re: ACTR/ACCELS Transcriptions
or: Re: Brigade Ocho Free membership
or: Re: Reply on account for IFRAME-Security breach
or: Re: Reply on account for IIS-Security
or: Re: The real estate plunger

Bodies:

Body1:
Avril fans subscription
FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony
Vote for I'm with you!
Admission form attached below

Body2:
Microsoft has identified a security vulnerability in Microsoft® IIS 4.0 and 5.0
that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so to apply the patch immediately. Patch is also provided to subscribed list of Microsoft® Tech Support:
Patch:
Date :

Body3:
Restricted area response team (RART)
-----------------------------------------------------------
Attachment you sent to Harry H. is intended to overwrite start address at
0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch
-----------------------------------------------------------

Attachments:

AvrilLavigne.exe
or: AvrilSmiles.exe
or: CERT-Vuln-Info.exe
or: Cogito_Ergo_Sum.exe
or: Complicated.exe
or: Download.exe
or: IAmWiThYoU.exe
or: MSO-Patch-0035.exe
or: MSO-Patch-0071.exe
or: Readme.exe
or: Resume.exe
or: Singles.exe
or: Sk8erBoi.exe
or: Sophos.exe
or: Transcripts.exe
or: Two-Up-Secretly.exe

When the attachment is activated, Worm/Avril.A copies itself in the following directories:

* C:\Windows\Temp\AvrilSmiles.exe
* C:\Windows\Temp\<8 random characters>.TFT
* C:\RECYCLED\<8 random characters >.exe
* C:\RECYCLED\<8 random characters >.exe
* C:\RECYCLED\<8 random characters >.exe
* C:\RECYCLED\<8 random characters >.exe

These files have different names, composed of random characters. The following files are inserted:

* C:\Windows\Temp\avril-ii.inf
* C:\Windows\Listrecp.dll
* C:\Mirc\Script.ini

The worm will be activated by the next computer start, because of the registry entry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run]
"Avril Lavigne - Muse"="C:\\WINDOWS\\SYSTEM\\
7h827fg6b6c.EXE"

And Autoexec.bat enters the following lines:

@win \RECYCLED\<8 random characters >.exe
@win \RECYCLED\<8 random characters >.exe
@win \RECYCLED\<8 random characters >.exe
@win \RECYCLED\<8 random characters >.exe

Using a second registry entry it can be seen if the worm has been activated:

[HKEY_LOCAL_MACHINE\Software\OvG\Avril Lavigne]
"@"="Done"
"PSW-Trojan"="1"

If the file-sharing program KaZaA, ICQ or IRC Client mIRC are installed on the infected system, Worm/Avril.A tries to use them to send its files. On the 7th and 24th of the month a picture appears on the Windows desktop and the URL http://www.avril-IXXXXXe.de/ is run with the standard browser.

If one of the following processes is listed in the Task list, Worm/Avril.A will terminate it:

* AVP32.EXE
* AVPMON.EXE
* ZONEALARM.EXE
* VSHWIN32.EXE
* VET95.EXE
* TBSCAN.EXE
* SERV95.EXE
* SCAN32.EXE
* RAV7.EXE
* NAVW.EXE
* OUTPOST.EXE
* NMAIN.EXE
* NAVNT.EXE
* MPFTRAY.EXE
* LOCKDOWN2000.EXE
* ICSSUPPNT.EXE
* ICLOAD95.EXE
* IAMAPP.EXE
* FINDVIRU.EXE
* F-AGNT95.EXE
* DV95.EXE
* DV95_O.EXE
* CLAW95CT.EXE
* CFIAUDIT.EXE
* AVWUPD32.EXE
* AVPTC32.EXE
* _AVP32.EXE
* AVGCTRL.EXE
* APVXDWIN.EXE
* _AVPCC.EXE
* AVPCC.EXE
* WFINDV32.EXE
* VSECOMR.EXE
* TDS2-NT.EXE
* SWEEP95.EXE
* SCRSCAN.EXE
* SAFEWEB.EXE
* JED.EXE
* ICSUPP95.EXE
* IBMAVSP.EXE
* FRW.EXE
* F-STOPW.EXE
* ESPWATCH.EXE
* DVP95.EXE
* CLAW95.EXE
* CFIADMIN.EXE
* AVWIN95.EXE
* AVPM.EXE
* AVP.EXE
* AVE32.EXE
* ANTI-TROJAN.EXE
* WEBSCAN.EXE
* WEBSCANX.EXE
* VSSCAN40.EXE
* TDS2-98.EXE
* SPHINX.EXE
* SCANPM.EXE
* RESCUE.EXE
* PCFWALLICON.EXE
* PAVCL.EXE
* NUPGRADE.EXE
* NAVWNT.EXE
* NAVAPW32.EXE
* LUALL.EXE
* IOMON98.EXE
* ICMOON.EXE
* IBMASN.EXE
* FPROT.EXE
* F-PROT95.EXE
* ESAFE.EXE
* CLEANER3.EXE
* EFINET32.EXE
* BLACKICE.EXE
* AVSCHED32.EXE
* AVCONSOL.EXE
* ACKWIN32.EXE
* VSSTAT.EXE
* VETTRAY.EXE
* TCA.EXE
* SMC.EXE
* SCAN95.EXE
* RAV7WIN.EXE
* PCCWIN98.EXE
* PADMIN.EXE
* NORMIST.EXE
* NAVW32.EXE
* N32SCAN.EXE
* LOOKOUT.EXE
* IFACE.EXE
* ICLOADNT.EXE
* IAMSERV.EXE
* FP-WIN.EXE
* F-PROT.EXE
* ECENGINE.EXE
* CLEANER.EXE
* CFIND.EXE
* BLACKD.EXE
* AVPUPD.EXE
* AVKSERV.EXE
* AUTODOWN.EXE
* _AVPM.EXE
* AVPM.EXE
* KPFW32.EXE
* KPF.EXE
* PERSFW.EXE
* NAVSCHED.EXE
* NVC95.EXE
* NISUM.EXE
* NAVLU32.EXE
* MOOLIVE.EXE
* AVPDOS32.EXE
* AVPNT.EXE

See a brief description here.

Description inserted by Crony Walker on Tue, 15 Jun 2004 14:00 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back