Hello,

W32/Avril.gen@MM
W32/Lirva@MM
WORM_LIRVA.A
W32/Naith.A-mm

Size: 32.766 octets
Discovery Date: 01/07/2003

A mass mailing E-Mail and ICQ worm with a Password-Stealer as payload. It tries to terminate security software, can spread via ICQ, and drops an IRC bot script.

Not yet in NOD32 DB AFAIK.

Cheers,
Here is a free removal tool for this bad boy... Note: direct download link. This tool also removes 27 of the latest exploits you will find out there.
http://updates.pandasoftware.com/pq/gen/lirva/pqremove.com

______________________
VSantivirus no. 916 - Year 7 - Thursday, 9 January 2003

W32/Avril.C. New variant that downloads the BO Trojan
http://www.vsantivirus.com/avril-c.htm

Name: W32/Avril.C (Lirva.C)
Type: Internet worm
Alias: W32.Lirva.C@mm
Date: 8/Jan/03
Platform: Windows 32-bit
Size: 34.815 bytes

This is a variant of Avril and Avril.B that spreads massively via e-mail, IRC, ICQ and KaZaa. This variant connects to the author's web site (web.host.kz/) and downloads the "BackOrifice" Trojan. It also tries to download another file that is not present on the site.

It downloads the following file: "BackOrifice" (detected as "BO.Trojan Variant"), and copies it to the following location:
C:\Windows\System\Bo2k.exe

It then adds this entry to the registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SocketListner = C:\Windows\System\Bo2k.exe

It uses Microsoft Outlook and Outlook Express to search the "Sent Items" and "Inbox" folders for e-mail addresses, to which it then sends itself. It also gathers addresses from the Windows Address Book (WAB) and by examining documents with the following extensions:
DBX EML HTM HTML IDX MBX NCH SHTML TBB

The subject of the sent messages is selected at random from the following list:
Fw: Avril Lavigne - CHART ATTACK!
Fw: F. M. Dostoyevsky "Crime and Punishment"
Fw: Redirection error notification
Fwd: Re: Have Or requested Avril Lavigne bio?
Fwd: Re: Reply on account for Incorrect MIME-header
Fwd: RFC-0245 Specification requested...
Fwd: RFC-0841 Specification requested...
Re: According to Purge's Statement
Re: ACTR/ACCELS Transcriptions
Re: Eight brigade Free membership
Re: Is perduto qualque signora thing?
Re: IREX admits you to take in FSAU 2003
Re: Junior Achievement
Re: Reply on account for IFRAME-Security breach
Re: Reply on account for IIS-Security Breach (TFTP)
Re: Masters votes seniors - don't miss it!

The attached file (the worm itself) can take one of the following names:
[random].DOC
[random].TXT
ADialer.exe
ALavigne.exe
AvrilLavigne.exe
AvrilSmiles.exe
BioData.exe
CERT-Vuln-Info.exe
Cogito_Ergo_Sum.exe
Complicated.exe
EntradoDePer.exe
IAmWiThYoU.exe
MSO-Patch-0035.exe
MSO-Patch-0071.exe
Phantom.exe
Readme.exe
Resume.exe
SiamoDiTe.exe
Singles.exe
Sk8erBoi.exe
Sophos.exe
Transcripts.exe
TrickerTape.exe
Two-Up-Secretly.exe

As message text, the message can carry one of the following:

Text 1:
Network Associates weekly report: Microsoft has identified a security vulnerability in Microsoft IIS 5.0 and 4.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so to apply the patch immediately. Patch is also provided to subscribed list of Microsoft Tech Support: Patch: Date

Text 2:
Restricted area response team (RART). Attachment you sent to %s is intended to overwrite start address at 0000:HH4F. To prevent further buffer overflow attacks apply the MSO-patch

Text 3:
Avril fans subscription. FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony. Vote for I'm With You! Admission form attached below

Text 4:
Chart attack active list: Vote fo4r I'm With You! Fo4r Complicated! Votes fo4r Sk8er Boi! Vote! AVRIL LAVIGNE - THE CHART ATTACK!

Text 5:
AVRIL LAVIGNE - THE BEST. Avril Lavigne's popularity increases: > BELOW: First, vote for I'm With U! on TRL. Next, update your pics database! Chart attack active list. >

Text 6:
Orginal Message:

The worm uses its own SMTP routine to send itself, so it does not depend on the installed mail client. It uses the default SMTP account configuration of the infected user, which it reads from the following registry branch:
HKCU\Software\Microsoft\Internet Account Manager\Accounts\[Default account]\SMTP Server

The worm tries to send itself to the whole ICQ contact list. The attachment takes the same name as one of the users present in that list.

Every 35 seconds the worm checks for the presence in memory of any process whose name matches one of the following list (they belong to well-known antivirus products, firewalls, etc.), and terminates it:
_AVP32.EXE _AVPCC.EXE _AVPM.EXE ACKWIN32.EXE Anti-trojan.exe APVXDWIN.EXE AUTODOWN.EXE AVCONSOL.EXE AVE32.EXE AVGCTRL.EXE
AVKSERV.EXE AVP.EXE AVP32.EXE AVPCC.EXE AVPDOS32.EXE AVPM.EXE AVPMON.EXE AVPNT.EXE AVPTC32.EXE AVPUPD.EXE
AVSCHED32.EXE AVWIN95.EXE AVWUPD32.EXE BLACKD.EXE BLACKICE.EXE CFIADMIN.EXE CFIAUDIT.EXE CFIND.EXE CLAW95.EXE CLAW95CT.EXE
CLEANER.EXE CLEANER3.EXE DV95.EXE DV95_O.EXE DVP95.EXE ECENGINE.EXE EFINET32.EXE ESAFE.EXE ESPWATCH.EXE F-agnt95.exe
FINDVIRU.EXE F-prot.exe FPROT.EXE F-prot95.exe Fp-win.exe FRW.EXE F-stopw.exe IAMAPP.EXE IAMSERV.EXE IBMASN.EXE
IBMAVSP.EXE ICLOAD95.EXE ICLOADNT.EXE ICMOON.EXE ICSSUPPNT.EXE ICSUPP95.EXE IFACE.EXE IOMON98.EXE JED.EXE KPF.EXE
KPFW32.EXE LOCKDOWN2000.EXE LOOKOUT.EXE LUALL.EXE MOOLIVE.EXE MPFTRAY.EXE N32SCAN.EXE NAVAPW32.EXE NAVLU32.EXE NAVNT.EXE
NAVSCHED.EXE NAVW.EXE NAVW32.EXE NAVWNT.EXE NISUM.EXE NMAIN.EXE NORMIST.EXE NUPGRADE.EXE NVC95.EXE OUTPOST.EXE
PADMIN.EXE PAVCL.EXE PCCWIN98.EXE PCFWALLICON.EXE PERSFW.EXE RAV7.EXE RAV7WIN.EXE RESCUE.EXE SAFEWEB.EXE SCAN32.EXE
SCAN95.EXE SCANPM.EXE SCRSCAN.EXE SERV95.EXE SMC.EXE SPHINX.EXE SWEEP95.EXE TBSCAN.EXE TCA.EXE Tds2-98.exe
Tds2-nt.exe VET95.EXE VETTRAY.EXE VSECOMR.EXE VSHWIN32.EXE VSSCAN40.EXE VSSTAT.EXE WEBSCAN.EXE WEBSCANX.EXE WFINDV32.EXE
ZONEALARM.EXE

It will also try to terminate any application in memory whose window title contains one of the names in the following list:
anti Anti AVP McAfee Norton virus Virus

The worm copies itself to the \Windows\System32 and \Windows\System folders, with names of 11 randomly selected characters. For example:
C:\Windows\System\A3áAAAgbab.EXE
C:\Windows\System32\cëdc5åEff.EXE

It also adds itself to the registry so as to run automatically from one of those files whenever Windows is restarted:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"Avril Lavigne - MUSE" = "C:\Windows\System\cëdc5åEff.EXE"

Copies of the worm with the same names as above are also created in the temporary files folder. For example:
C:\Windows\TEMP\A3áAAAgbab.EXE
C:\Windows\TEMP\cëdc5åEff.EXE

It also creates a file with the same name as one of the attachments received with the message, and another with the same name but the extension TFT, for example:
C:\Windows\TEMP\AvrilLavigne.exe
C:\Windows\TEMP\AvrilLavigne.TFT

It then creates four copies of itself with random names inside the Recycle Bin directory, and adds a line pointing to one of them in the AUTOEXEC.BAT file, for example:
@win \RECYCLED\FF177Fe6.exe

A file called "avril-ii.inf" is also created in the \Windows\TEMP directory; it only contains a message from the worm's author.

It also copies itself to the KaZaa shared files folder, with some of the names used for the message attachments. It determines the presence of KaZaa and the location of its shared folder from the following entry:
HKEY_CURRENT_USER\Software\KaZaA\Transfer\DlDir0

The virus also looks for the presence of the library ICQMAPI.DLL to determine the location of the ICQ program and its files, examining the following registry branch:
HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\App Paths\ICQ.EXE\Path

It uses ICQ API functions to send itself to the whole contact list.

It also creates a SCRIPT.INI file in the folder of the IRC client mIRC, with instructions to propagate itself to all users participating in the same chat channel. When the connection takes place, the worm forces the victim to join the channel "#avrillavigne".

If the installed version of Windows is NT, 2000 or XP, the worm registers itself as a service (available to all users).

The worm also checks whether the computer is connected to a network. If it is not, it will try to connect to the Internet using Dial-Up Networking (DUN) and the default connection.

To prevent reinfection, the worm itself uses as a "mutex" the presence of the following registry key:
HKEY_LOCAL_MACHINE\Software\OvG
"Avril Lavigne" = "AVRIL_LAVIGNE_LET_GO"

If you create this key, you may avoid becoming infected. Of course, it should not be taken as protection against everything, but it helps if it is complemented with the usual policy: antivirus kept up to date, not opening unsolicited attachments, etc.

The worm has a password-stealing routine, which obtains passwords from the Windows password cache and then sends them to the address of the supposed author: "otto_psws@smtp.ru".

If the worm runs on the 7th, 11th or 24th of any month, a routine activates that opens a window of the browser in use with the following address (official page of the singer Avril Lavigne):
http://www.avril-lavigne.com

Then the text "AVRIL_LAVIGNE_LET_GO - MY_MUSE 2002 (c) Otto von Gutenberg" is displayed continuously on the monitor screen, together with a graphical effect of geometric figures in various colours covering the whole screen. Most of the time this forces a hard power-off of the computer to regain control, with the consequent risk of losing information not yet saved to disk.

In some cases the worm uses the IFRAME tag to exploit the flaw that allows the attachment to execute itself by the mere act of reading or previewing the message (MS01-020 IFRAME exploit). On other occasions the message text is plain HTML without the IFRAME tag (the infection only happens when the attachment is opened with a double click).

Disabling the KaZaa shared folders

It is recommended to disable this program's shared folders until the worm has been removed from the system, to prevent its propagation. To do so, proceed as follows:
1. Run KaZaa.
2. Select from the menu bar the option: "Tools" > "Options".
3. Disable the shared folders (Shared Kazaa folders) under the "Traffic" tab.
4. Click "OK", etc.
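A defender-side check for the host indicators the bulletin lists (the two Run-key values, the 11-character random file names under \Windows\System or \Windows\System32, the AUTOEXEC.BAT line pointing into \RECYCLED, and the OvG "mutex" key), written here as an added example; it is not code from the bulletin, Panda or NOD32, and it runs over a constructed .reg export and AUTOEXEC.BAT text rather than the live registry.

```python
import re
# Constructed sample of a "reg export" dump and an AUTOEXEC.BAT, modelled on the
# indicators quoted in the bulletin above (not captured from a real infected host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Avril Lavigne - MUSE"="C:\\Windows\\System\\cedc5aEff.EXE"
"SocketListner"="C:\\Windows\\System\\Bo2k.exe"
"Shell Loader"="C:\\Windows\\System32\\A3bAAAgbabQ.EXE"

[HKEY_LOCAL_MACHINE\Software\OvG]
"Avril Lavigne"="AVRIL_LAVIGNE_LET_GO"
"""
SAMPLE_AUTOEXEC = "@echo off\r\n@win \\RECYCLED\\FF177Fe6.exe\r\n"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
INOC_KEY = r"HKEY_LOCAL_MACHINE\Software\OvG"          # the worm's "mutex" key
# Run-value names the bulletin attributes to Lirva.C and the Bo2k drop it installs
SUSPECT_RUN_VALUES = {"avril lavigne - muse", "socketlistner"}
# 11-character random file name in \Windows\System or \Windows\System32, per bulletin
RANDOM_NAME = re.compile(r"C:\\Windows\\System(32)?\\[^\\]{11}\.EXE", re.I)

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]*)"="(.*)"$', line)
            if m:  # .reg files escape backslashes in string data as \\
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def lirva_indicators(reg_text, autoexec_text):
    """Return (list of indicator strings, True if the OvG inoculation key is set)."""
    reg = parse_reg(reg_text)
    hits = []
    for name, data in reg.get(RUN_KEY, {}).items():
        if name.lower() in SUSPECT_RUN_VALUES:
            hits.append(f"run:{name}={data}")
        elif RANDOM_NAME.fullmatch(data):
            hits.append(f"run-random-name:{name}={data}")
    for line in autoexec_text.splitlines():
        if re.match(r"@win\s+\\RECYCLED\\", line, re.I):
            hits.append(f"autoexec:{line.strip()}")
    inoculated = reg.get(INOC_KEY, {}).get("Avril Lavigne") == "AVRIL_LAVIGNE_LET_GO"
    return hits, inoculated
```

On a real host, feed it the output of `reg export` for the two keys plus the contents of C:\AUTOEXEC.BAT; the random-name rule will also flag legitimate 11-character program names, so treat it as a lead to verify, not a verdict.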
Thanks John. BTW: Win32/Lirva.B and Win32/Lirva.C are covered in the latest database update from NOD32.

Regards,
Paul