Naith

Hello,

W32/Avril.gen@MM
W32/Lirva@MM
WORM_LIRVA.A W32/Naith.A-mm

size :
32.766 octets

Discovery Date 01/07/2003
A mass mailing E-Mail and ICQ worm with a Password-Stealer as payload.

It tries to terminate security software, can spread via ICQ, and drops an IRC bot script.

Not yet in NOD32 DB AFAIK

Cheers,

 

Here is a free removal tool for this badboy...Note:direct download link> This tool also removes 27 of the latest exploits you will find out there.

http://updates.pandasoftware.com/pq/gen/lirva/pqremove.com
______________________-

VSantivirus no. 916 - Year 7 - Thursdays 9 of January of 2003

W32/Avril.C. New variant that unloads troyano BO
http://www.vsantivirus.com/avril-c.htm

Name: W32/Avril.C (Lirva.C)
Type: Worm of Internet
Alias: W32.Lirva.C@mm
Date: 8/ene/03
Platform: Windows 32-bit
Size: 34.815 bytes

One is a variant of the Avril and Avril.B, that propagates in massive form to traverse
of the electronic mail, IRC, ICQ and KaZaa.

This variant connects to the Web site of the author (web.host.kz/), and unloads the troyano "BackOrifice". Also it tries to unload another file, does not present/display in the site.

It unloads the following file: "BackOrifice" (detected like "BO.Trojan Variant"), and it copy in the following location:
C:\Windows\System\Bo2k.exe

Soon it adds this entrance to the registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SocketListner = C:\Windows\System\Bo2k.exe

It uses the Outlook and Outlook Express de Microsoft, to look for in the folders "sent Elements" and "Tray of entrance", electronic directions of which soon is sent.

Also it gathers directions of the own address book of Windows (WAB), and examining documents with the following extensions:

DBX
EML
HTM
HTML
IDX
MBX
NCH
SHTML
TBB

The subject of the sent messages, is selected at random of the following list:

Fw: Avril Lavigne - CHART ATTACK!
Fw: F. M. Dostoyevsky "Crime and Punishment"
Fw: Redirection error notification
Fwd: Re: Have Or requested Avril Lavigne bio?
Fwd: Re: Reply on account for Incorrect MIME-header
Fwd: RFC-0245 Specification requested...
Fwd: RFC-0841 Specification requested...
Re: According to Purgés Statement
Re: ACTR/ACCELS Transcriptions
Re: Eight brigade Free membership
Re: Is perduto qualque signora thing?
Re: IREX admits you to take in FSAU 2003
Re: Junior Achievement
Re: Reply on account for IFRAME-Security breach
Re: Reply on account for IIS-Security Breach (TFTP)
Re: Masters votes seniors - don't miss it!

The attached file (the own worm), can take one from the following names:

[ to azar].DOC
[ to azar].TXT
ADialer.exe
ALavigne.exe
AvrilLavigne.exe
AvrilSmiles.exe
BioData.exe
CERT-Vuln-Info.exe
Cogito_Ergo_Sum.exe
Complicated.exe
EntradoDePer.exe
IAmWiThYoU.exe
MSO-Patch-0035.exe
MSO-Patch-0071.exe
Phantom.exe
Readme.exe
Resume.exe
SiamoDiTe.exe
Singles.exe
Sk8erBoi.exe
Sophos.exe
Transcripts.exe
TrickerTape.exe
Two-Up-Secretly.exe

Like text, the message can bring one of the following ones:

Text 1:

Associates network weekly report: Microsoft you have
identified to security vulnerability in Microsoft
5,0 4,0 IIS and that is eliminated by a
previously-released patch. Customers who have
applied that patch plows already protected against
the vulnerability and do not need to take additional
action. to apply the patch immediately. Microsoft
strongly you are urgent all customers 4,0 using IIS and 5.0
who have not already donates under Patch is also provided
to subscribed list of Microsoft Tech Support:
Patch: Date

Text 2:

Restricted area response team (RART) Attachment you
sent to %s is intended to overwrite start address AT
0000:HH4F To prevent from the to further buffer overflow
attacks apply the MSO-patch

Text 3:

Avril fans subscription FanList admits you to take in
Avril Lavigne 2003 Billboard awards ceremony for Vote
Ím with you! Admission form attached below

Text 4:

Chart attack activates list: With votes fo4r Ím you!
Fo4r Complicated Votes fo4r Sk8er Boi!Vote!
AVRIL LAVIGNE - THE CHART ATTACK!

Text 5:

AVRIL LAVIGNE - THE BEST Avril Lavignés popularity
increases: > UNDER: First, Votes for on TRL Ím With U!
Next, Update your pics database! Chart attack activates
list. >. >

Text 6:

Orginal Message:

The worm uses its own routine smtp to be sent, so that it does not depend on the client of installed mail to do it.

It uses the configuration of account smtp by defect of the infected user, data that it collects from the following branch of the registry:

HKCU\Software\Microsoft\Internet Account Manager
\Accounts\[Cuenta predeterminada]\SMTP Server

The worm tries to be sent to all the list of contacts of the ICQ. The attached one takes the same name from some of the usuary presents in this list.

The worm checks every 35 seconds the presence of any process in memory whose name agrees with some of the following list (they belong to well-known antivirus, fire-resistant, etc.), and eliminates it:

_ AVP32.EXE
_ AVPCC.EXE
_ AVPM.EXE
ACKWIN32.EXE
Anti-trojan.exe
APVXDWIN.EXE
AUTODOWN.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCTRL.EXE
AVKSERV.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPMON.EXE
AVPNT.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVWIN95.EXE
AVWUPD32.EXE
BLACKD.EXE
BLACKICE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFIND.EXE
CLAW95.EXE
CLAW95CT.EXE
CLEANER.EXE
CLEANER3.EXE
DV95.EXE
DV95_O.EXE
DVP95.EXE
ECENGINE.EXE
EFINET32.EXE
ESAFE.EXE
ESPWATCH.EXE
F-agnt95.exe
FINDVIRU.EXE
F-prot.exe
FPROT.EXE
F-prot95.exe
Fp-win.exe
FRW.EXE
F-stopw.exe
IAMAPP.EXE
IAMSERV.EXE
IBMASN.EXE
IBMAVSP.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMOON.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
IFACE.EXE
IOMON98.EXE
JED.EXE
KPF.EXE
KPFW32.EXE
LOCKDOWN2000.EXE
LOOKOUT.EXE
LUALL.EXE
MOOLIVE.EXE
MPFTRAY.EXE
N32SCAN.EXE
NAVAPW32.EXE
NAVLU32.EXE
NAVNT.EXE
NAVSCHED.EXE
NAVW.EXE
NAVW32.EXE
NAVWNT.EXE
NISUM.EXE
NMAIN.EXE
NORMIST.EXE
NUPGRADE.EXE
NVC95.EXE
OUTPOST.EXE
PADMIN.EXE
PAVCL.EXE
PCCWIN98.EXE
PCFWALLICON.EXE
PERSFW.EXE
RAV7.EXE
RAV7WIN.EXE
RESCUE.EXE
SAFEWEB.EXE
SCAN32.EXE
SCAN95.EXE
SCANPM.EXE
SCRSCAN.EXE
SERV95.EXE
SMC.EXE
SPHINX.EXE
SWEEP95.EXE
TBSCAN.EXE
TCA.EXE
Tds2-98.exe
Tds2-nt.exe
VET95.EXE
VETTRAY.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSSCAN40.EXE
VSSTAT.EXE
WEBSCAN.EXE
WEBSCANX.EXE
WFINDV32.EXE
ZONEALARM.EXE

Also it will try to finish any application in memory whose window contains some of the names of the following list:

anti
Anti
AVP
McAfee
Norton
virus
Virus

The same worm copy to if in the folders \Windows\System32 and \Windows\System, with names of 11 at random selected characters. For example:

C:\Windows\System\A3áAAAgbab.EXE
C:\Windows\System32\cëdc5åEff.EXE

Also it is added to the registry, to autoejecutar itself from some of those archives, whenever Windows is reinitiated:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"Avril Lavigne - MUSE" = "C:\Windows\System\cëdc5åEff.EXE"

Copies of the worm in the folder of temporary archives with previous names are created such. For example:

C:\Windows\TEMP\A3áAAAgbab.EXE
C:\Windows\TEMP\cëdc5åEff.EXE

Also it creates a file with the same name of one of the associates received with the message, and another one with the same name but extension TFT, for example:

C:\Windows\TEMP\AvrilLavigne.exe
C:\Windows\TEMP\AvrilLavigne.TFT

Soon it creates four copies of if same, with names at random, within the directory of the recycling wastebasket, and it adds a line aiming at one of them in file AUTOEXEC.BAT, for example:

@win \RECYCLED\FF177Fe6.exe

Also avril-ii.inf "in the directory is created a called file" \Windows\TEMP, that single contains a message of the author of the worm.

Also copy in the folder of shared files of the KaZaa with some of the names used in the associates to the messages. The presence of the KaZaa and the location of its shared folder, obtain it from the following entrance:

HKEY_CURRENT_USER\Software\KaZaA\Transfer\DlDir0

The virus looks for in addition the presence to bookstore ICQMAPI.DLL to determine the location of program ICQ and its archives, examining the following branch of the registry:

HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion \
App Paths\ICQ.EXE\Path

It uses functions API of the ICQ to be sent to if same to all the list of contacts.

It creates in addition a file SCRIPT.INI in the folder to the client of IRC, mIRC, with the instructions to propagate to all the users who participate in the same channel of chat. When the connection takes place, the worm forces the victim to connect to the channel "# avrillavigne".

If the installed version of Windows is NT, 2000 or XP, the worm are registered to if same like a service (available for all the users).

The worm also examines if the computer is connected to a network. If it is not it, it will try to connect to Internet using the telephone access to networks (DUN), and the conectoide by defect.

In order to prevent the infection, the own worm must implemented "mutex", the presence of the following key in the registry:

HKEY_LOCAL_MACHINE\Software\OvG
"Avril Lavigne" = "AVRIL_LAVIGNE_LET_GO"

If you create key happiness, can come up to become infected. Of course, it does not have to be taken on approval like a protection from everything, but aid if is complemented it with the policy of always, antivirus to the day, not to open associates nonasked for, etc.

The worm has a routine of robbery of passwords, which obtain from the cache of passwords of Windows, and soon it sends to the direction of the supposed author: "otto_psws@smtp.ru".

If the worm executes day 7, 11 or 24 of any month, a routine that opens a window of the used navigator, with the following direction activates (official page of the singer Avril Lavigne):

http://www.avril-lavigne.com

Soon, text "AVRIL_LAVIGNE_LET_GO - MY_MUSE 2002 (c) Otto von Gutenberg "is unfolded in continuous form in the screen of the monitor, next to a graphical effect of geometric figures of diverse colors that cover all the screen. This will force most of the times to extinguish the hot computer in retaking the control, with the consequent risk of losing the information nonstored still in the disc.

The worm uses in some cases label IFRAME to operate the fault that allows that the associate executes itself by the single act to read or to visualize the message (ms01-020 Iframe exploit).

In other occasions, the text of the message is pure HTML without label IFRAME (the infection happens single when opening the associate with a double click).


Deshabilitar the shared folders of KaZaa

It is recommended to deshabilitar the folders shared of this program, until to have cleared the worm of the system, to prevent his propagation.

For it, asi comes ':

1. Execute KaZaa.

2. Select in the bar of the menu the option: "Tools" > "Options".

3. Deshabilite the folders shared (Shared Kazaa folders) under the tongue-piece "Traffic".

4. Pinche en "Aceptar", etc.