Naith

Discussion in 'malware problems & news' started by JacK, Jan 7, 2003.

Thread Status:
Not open for further replies.
  1. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    W32/Avril.gen@MM
    W32/Lirva@MM
    WORM_LIRVA.A W32/Naith.A-mm

    Size:
    32.766 octets

    Discovery Date 01/07/2003
    A mass mailing E-Mail and ICQ worm with a Password-Stealer as payload.

    It tries to terminate security software, can spread via ICQ, and drops an IRC bot script.

    Not yet in NOD32 DB AFAIK

    Cheers,
     
  2. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Here is a free removal tool for this bad boy... Note: direct download link. This tool also removes 27 of the latest exploits you will find out there.

    http://updates.pandasoftware.com/pq/gen/lirva/pqremove.com
    ______________________-

    VSantivirus no. 916 - Year 7 - Thursday, 9 January 2003

    W32/Avril.C. New variant that downloads the BO trojan
    http://www.vsantivirus.com/avril-c.htm

    Name: W32/Avril.C (Lirva.C)
    Type: Internet worm
    Alias: W32.Lirva.C@mm
    Date: 8/Jan/03
    Platform: Windows 32-bit
    Size: 34.815 bytes

    It is a variant of Avril and Avril.B that propagates massively through
    e-mail, IRC, ICQ and KaZaa.

    This variant connects to the author's web site (web.host.kz/) and downloads the "BackOrifice" trojan. It also tries to download another file, which is not present on the site.

    It downloads the following file: "BackOrifice" (detected as "BO.Trojan Variant"), and copies it to the following location:
    C:\Windows\System\Bo2k.exe

    Then it adds this entry to the registry:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    SocketListner = C:\Windows\System\Bo2k.exe

    It uses Microsoft Outlook and Outlook Express to search the "Sent Items" and "Inbox" folders for e-mail addresses, to which it then sends itself.

    It also gathers addresses from the Windows Address Book (WAB) itself, and by scanning documents with the following extensions:

    DBX
    EML
    HTM
    HTML
    IDX
    MBX
    NCH
    SHTML
    TBB

    The subject of the sent messages is selected at random from the following list:

    Fw: Avril Lavigne - CHART ATTACK!
    Fw: F. M. Dostoyevsky "Crime and Punishment"
    Fw: Redirection error notification
    Fwd: Re: Have Or requested Avril Lavigne bio?
    Fwd: Re: Reply on account for Incorrect MIME-header
    Fwd: RFC-0245 Specification requested...
    Fwd: RFC-0841 Specification requested...
    Re: According to Purge's Statement
    Re: ACTR/ACCELS Transcriptions
    Re: Eight brigade Free membership
    Re: Is perduto qualque signora thing?
    Re: IREX admits you to take in FSAU 2003
    Re: Junior Achievement
    Re: Reply on account for IFRAME-Security breach
    Re: Reply on account for IIS-Security Breach (TFTP)
    Re: Masters votes seniors - don't miss it!

    The attached file (the worm itself) can take one of the following names:

    [random].DOC
    [random].TXT
    ADialer.exe
    ALavigne.exe
    AvrilLavigne.exe
    AvrilSmiles.exe
    BioData.exe
    CERT-Vuln-Info.exe
    Cogito_Ergo_Sum.exe
    Complicated.exe
    EntradoDePer.exe
    IAmWiThYoU.exe
    MSO-Patch-0035.exe
    MSO-Patch-0071.exe
    Phantom.exe
    Readme.exe
    Resume.exe
    SiamoDiTe.exe
    Singles.exe
    Sk8erBoi.exe
    Sophos.exe
    Transcripts.exe
    TrickerTape.exe
    Two-Up-Secretly.exe

    As its text, the message can carry one of the following:

    Text 1:

    Associates network weekly report: Microsoft you have
    identified to security vulnerability in Microsoft
    5,0 4,0 IIS and that is eliminated by a
    previously-released patch. Customers who have
    applied that patch plows already protected against
    the vulnerability and do not need to take additional
    action. to apply the patch immediately. Microsoft
    strongly you are urgent all customers 4,0 using IIS and 5.0
    who have not already donates under Patch is also provided
    to subscribed list of Microsoft Tech Support:
    Patch: Date

    Text 2:

    Restricted area response team (RART) Attachment you
    sent to %s is intended to overwrite start address AT
    0000:HH4F To prevent from the to further buffer overflow
    attacks apply the MSO-patch

    Text 3:

    Avril fans subscription FanList admits you to take in
    Avril Lavigne 2003 Billboard awards ceremony for Vote
    I'm with you! Admission form attached below

    Text 4:

    Chart attack activates list: With votes fo4r I'm you!
    Fo4r Complicated Votes fo4r Sk8er Boi!Vote!
    AVRIL LAVIGNE - THE CHART ATTACK!

    Text 5:

    AVRIL LAVIGNE - THE BEST Avril Lavigne's popularity
    increases: > UNDER: First, Votes for on TRL I'm With U!
    Next, Update your pics database! Chart attack activates
    list. >. >

    Text 6:

    Original Message:

    The worm uses its own SMTP routine to send itself, so it does not depend on the installed mail client to do so.

    It uses the default SMTP account configuration of the infected user, which it collects from the following registry branch:

    HKCU\Software\Microsoft\Internet Account Manager
    \Accounts\[Default account]\SMTP Server

    The worm tries to send itself to the entire ICQ contact list. The attachment takes the same name as one of the users present in that list.

    Every 35 seconds the worm checks for the presence in memory of any process whose name matches one of the following list (they belong to well-known antivirus, firewall, etc. products), and terminates it:

    _ AVP32.EXE
    _ AVPCC.EXE
    _ AVPM.EXE
    ACKWIN32.EXE
    Anti-trojan.exe
    APVXDWIN.EXE
    AUTODOWN.EXE
    AVCONSOL.EXE
    AVE32.EXE
    AVGCTRL.EXE
    AVKSERV.EXE
    AVP.EXE
    AVP32.EXE
    AVPCC.EXE
    AVPDOS32.EXE
    AVPM.EXE
    AVPMON.EXE
    AVPNT.EXE
    AVPTC32.EXE
    AVPUPD.EXE
    AVSCHED32.EXE
    AVWIN95.EXE
    AVWUPD32.EXE
    BLACKD.EXE
    BLACKICE.EXE
    CFIADMIN.EXE
    CFIAUDIT.EXE
    CFIND.EXE
    CLAW95.EXE
    CLAW95CT.EXE
    CLEANER.EXE
    CLEANER3.EXE
    DV95.EXE
    DV95_O.EXE
    DVP95.EXE
    ECENGINE.EXE
    EFINET32.EXE
    ESAFE.EXE
    ESPWATCH.EXE
    F-agnt95.exe
    FINDVIRU.EXE
    F-prot.exe
    FPROT.EXE
    F-prot95.exe
    Fp-win.exe
    FRW.EXE
    F-stopw.exe
    IAMAPP.EXE
    IAMSERV.EXE
    IBMASN.EXE
    IBMAVSP.EXE
    ICLOAD95.EXE
    ICLOADNT.EXE
    ICMOON.EXE
    ICSSUPPNT.EXE
    ICSUPP95.EXE
    IFACE.EXE
    IOMON98.EXE
    JED.EXE
    KPF.EXE
    KPFW32.EXE
    LOCKDOWN2000.EXE
    LOOKOUT.EXE
    LUALL.EXE
    MOOLIVE.EXE
    MPFTRAY.EXE
    N32SCAN.EXE
    NAVAPW32.EXE
    NAVLU32.EXE
    NAVNT.EXE
    NAVSCHED.EXE
    NAVW.EXE
    NAVW32.EXE
    NAVWNT.EXE
    NISUM.EXE
    NMAIN.EXE
    NORMIST.EXE
    NUPGRADE.EXE
    NVC95.EXE
    OUTPOST.EXE
    PADMIN.EXE
    PAVCL.EXE
    PCCWIN98.EXE
    PCFWALLICON.EXE
    PERSFW.EXE
    RAV7.EXE
    RAV7WIN.EXE
    RESCUE.EXE
    SAFEWEB.EXE
    SCAN32.EXE
    SCAN95.EXE
    SCANPM.EXE
    SCRSCAN.EXE
    SERV95.EXE
    SMC.EXE
    SPHINX.EXE
    SWEEP95.EXE
    TBSCAN.EXE
    TCA.EXE
    Tds2-98.exe
    Tds2-nt.exe
    VET95.EXE
    VETTRAY.EXE
    VSECOMR.EXE
    VSHWIN32.EXE
    VSSCAN40.EXE
    VSSTAT.EXE
    WEBSCAN.EXE
    WEBSCANX.EXE
    WFINDV32.EXE
    ZONEALARM.EXE

    It will also try to terminate any application in memory whose window title contains any of the names in the following list:

    anti
    Anti
    AVP
    McAfee
    Norton
    virus
    Virus

    The worm copies itself into the \Windows\System32 and \Windows\System folders, with names of 11 randomly selected characters. For example:

    C:\Windows\System\A3áAAAgbab.EXE
    C:\Windows\System32\cëdc5åEff.EXE

    It also adds itself to the registry, to run automatically from one of those files whenever Windows is restarted:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    "Avril Lavigne - MUSE" = "C:\Windows\System\cëdc5åEff.EXE"

    Copies of the worm with the previous names are also created in the temporary files folder. For example:

    C:\Windows\TEMP\A3áAAAgbab.EXE
    C:\Windows\TEMP\cëdc5åEff.EXE

    It also creates a file with the same name as one of the attachments received with the message, and another with the same name but the extension TFT, for example:

    C:\Windows\TEMP\AvrilLavigne.exe
    C:\Windows\TEMP\AvrilLavigne.TFT

    Then it creates four copies of itself, with random names, in the Recycle Bin directory, and adds a line pointing at one of them to the AUTOEXEC.BAT file, for example:

    @win \RECYCLED\FF177Fe6.exe

    A file called "avril-ii.inf" is also created in the \Windows\TEMP directory; it contains only a message from the author of the worm.

    It also copies itself into the KaZaa shared files folder, with some of the names used for the message attachments. It determines the presence of KaZaa and the location of its shared folder from the following entry:

    HKEY_CURRENT_USER\Software\KaZaA\Transfer\DlDir0

    The virus additionally looks for the presence of the ICQMAPI.DLL library to determine the location of the ICQ program and its files, examining the following registry branch:

    HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion \
    App Paths\ICQ.EXE\Path

    It uses the ICQ API functions to send itself to the entire contact list.

    It additionally creates a SCRIPT.INI file in the folder of the IRC client mIRC, with instructions to propagate to all users who participate in the same chat channel. When the connection takes place, the worm forces the victim to join the channel "# avrillavigne".

    If the installed version of Windows is NT, 2000 or XP, the worm registers itself as a service (available to all users).

    The worm also checks whether the computer is connected to a network. If it is not, it will try to connect to the Internet using Dial-Up Networking (DUN) and the default connection.

    To prevent re-infection, the worm itself implements a "mutex": the presence of the following key in the registry:

    HKEY_LOCAL_MACHINE\Software\OvG
    "Avril Lavigne" = "AVRIL_LAVIGNE_LET_GO"

    If you create this key, you may avoid becoming infected. Of course, it should not be taken as a protection against everything, but it helps if complemented with the usual policy: antivirus up to date, not opening unsolicited attachments, etc.

    The worm has a password-stealing routine, which obtains passwords from the Windows password cache and then sends them to the address of the supposed author: "otto_psws@smtp.ru".

    If the worm runs on the 7th, 11th or 24th day of any month, a routine is activated that opens a window of the browser in use with the following address (official page of the singer Avril Lavigne):

    http://www.avril-lavigne.com

    Then the text "AVRIL_LAVIGNE_LET_GO - MY_MUSE:) 2002 (c) Otto von Gutenberg" is displayed continuously on the monitor screen, together with a graphical effect of geometric figures of various colours that covers the whole screen. Most of the time this will force the computer to be switched off by hand to regain control, with the consequent risk of losing information not yet saved to disk.

    In some cases the worm uses the IFRAME tag to exploit the flaw that allows the attachment to execute by the mere act of reading or previewing the message (MS01-020 IFRAME exploit).

    On other occasions, the message text is plain HTML without the IFRAME tag (infection only happens when opening the attachment with a double click).


    Disable the KaZaa shared folders

    It is recommended to disable this program's shared folders, until the worm has been removed from the system, to prevent its propagation.

    To do this, proceed as follows:

    1. Execute KaZaa.

    2. Select in the bar of the menu the option: "Tools" > "Options".

    3. Disable the shared folders (Shared Kazaa folders) under the "Traffic" tab.

    4. Click "OK", etc.
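Added example (not from the thread or the VSantivirus bulletin): a Python check that walks a host snapshot for the persistence and drop indicators the bulletin lists, namely the Run values "Avril Lavigne - MUSE" and "SocketListner", the HKLM\Software\OvG marker, the "@win \RECYCLED\...exe" line in AUTOEXEC.BAT, the avril-ii.inf and Bo2k.exe drops, the .TFT companion file, and attachment-named copies in TEMP and in the KaZaa share located through DlDir0. The HostSnapshot layout, the function names and the sample data are this example's own constructions; on a real machine the dictionary would be filled from winreg and a directory walk. It also emits the .reg text for the marker key the bulletin says can be created deliberately.

```python
import re
from dataclasses import dataclass, field

# Indicators as given in the bulletin. HKLM/HKCU abbreviations are kept as written
# and compared case-insensitively.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
MUTEX_KEY = r"HKLM\Software\OvG"
MUTEX_NAME, MUTEX_DATA = "Avril Lavigne", "AVRIL_LAVIGNE_LET_GO"
KAZAA_KEY = r"HKCU\Software\KaZaA\Transfer"                   # DlDir0 = shared folder
RUN_VALUE_NAMES = {"avril lavigne - muse", "socketlistner"}   # worm copy, Bo2k.exe
KNOWN_FILES = {r"c:\windows\temp\avril-ii.inf", r"c:\windows\system\bo2k.exe"}
ATTACHMENT_NAMES = {
    "adialer.exe", "alavigne.exe", "avrillavigne.exe", "avrilsmiles.exe",
    "biodata.exe", "cert-vuln-info.exe", "cogito_ergo_sum.exe", "complicated.exe",
    "entradodeper.exe", "iamwithyou.exe", "mso-patch-0035.exe", "mso-patch-0071.exe",
    "phantom.exe", "readme.exe", "resume.exe", "siamodite.exe", "singles.exe",
    "sk8erboi.exe", "sophos.exe", "transcripts.exe", "trickertape.exe",
    "two-up-secretly.exe",
}
# Line the worm appends to AUTOEXEC.BAT: "@win \RECYCLED\<random>.exe"
AUTOEXEC_LINE = re.compile(r"^\s*@win\s+\\recycled\\[^\\\s]+\.exe\s*$", re.IGNORECASE)


@dataclass
class HostSnapshot:
    """Assumed layout (this example's own): registry key -> {value name: data},
    a flat list of file paths, and the text of AUTOEXEC.BAT."""
    registry: dict = field(default_factory=dict)
    files: list = field(default_factory=list)
    autoexec: str = ""


def _norm(path):
    """Lower-case and use backslashes so comparisons are case- and slash-insensitive."""
    return path.lower().replace("/", "\\")


def check_host(snap):
    """Return a list of (severity, description) findings; empty means no indicator seen."""
    findings = []
    reg = {k.lower(): v for k, v in snap.registry.items()}

    # 1. Autostart values the bulletin names under the Run key
    for name, data in reg.get(RUN_KEY.lower(), {}).items():
        if name.lower() in RUN_VALUE_NAMES:
            findings.append(("high", f"Run value {name!r} launches {data}"))

    # 2. Infection marker; the bulletin says it can also be set on purpose, so it is
    #    reported as information rather than as proof of infection
    if reg.get(MUTEX_KEY.lower(), {}).get(MUTEX_NAME) == MUTEX_DATA:
        findings.append(("info", f"{MUTEX_KEY} marker present (worm mutex or deliberate inoculation)"))

    # 3. AUTOEXEC.BAT line pointing at a copy in the Recycle Bin
    for line in snap.autoexec.splitlines():
        if AUTOEXEC_LINE.match(line):
            findings.append(("high", f"AUTOEXEC.BAT launches {line.strip()}"))

    # 4. Dropped files in TEMP and in the KaZaa share read from DlDir0
    drop_dirs = {r"c:\windows\temp"}
    kazaa_dir = _norm(reg.get(KAZAA_KEY.lower(), {}).get("DlDir0", "")).rstrip("\\")
    if kazaa_dir:
        drop_dirs.add(kazaa_dir)
    for path in snap.files:
        p = _norm(path)
        folder, _, base = p.rpartition("\\")
        if p in KNOWN_FILES:
            findings.append(("high", f"known dropped file {path}"))
        elif folder == r"c:\windows\temp" and base.endswith(".tft"):
            findings.append(("medium", f"TFT companion file {path}"))
        elif base in ATTACHMENT_NAMES and folder in drop_dirs:
            findings.append(("medium", f"attachment-named copy {path}"))
    return findings


def inoculation_reg():
    """Text of a .reg file creating the marker key the bulletin says keeps the worm from installing."""
    hive_path = "HKEY_LOCAL_MACHINE" + MUTEX_KEY[len("HKLM"):]
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            f"[{hive_path}]\r\n"
            f'"{MUTEX_NAME}"="{MUTEX_DATA}"\r\n')


# Constructed sample snapshot mixing the bulletin's indicators with benign entries
SAMPLE = HostSnapshot(
    registry={
        RUN_KEY: {"Avril Lavigne - MUSE": r"C:\Windows\System\cedc5aEff.EXE",
                  "SocketListner": r"C:\Windows\System\Bo2k.exe",
                  "ctfmon": r"C:\Windows\System32\ctfmon.exe"},
        MUTEX_KEY: {"Avril Lavigne": "AVRIL_LAVIGNE_LET_GO"},
        KAZAA_KEY: {"DlDir0": "C:\\Program Files\\KaZaA\\My Shared Folder\\"},
    },
    files=[r"C:\Windows\TEMP\AvrilLavigne.exe", r"C:\Windows\TEMP\AvrilLavigne.TFT",
           r"C:\Windows\TEMP\avril-ii.inf",
           r"C:\Program Files\KaZaA\My Shared Folder\Sk8erBoi.exe",
           r"C:\Windows\System32\notepad.exe"],
    autoexec="@echo off\r\n@win \\RECYCLED\\FF177Fe6.exe\r\n",
)

if __name__ == "__main__":
    for severity, what in check_host(SAMPLE):
        print(f"[{severity}] {what}")
```

The random-named copies in System and System32 are deliberately not matched by name, since any 11-character pattern would be noise; the Run value that points at them is the reliable indicator, and it is what the check keys on.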
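Added example (not from the thread or the bulletin): a Python mail-gateway style check that scores a raw message against three things the bulletin describes, a subject taken from the worm's list, an executable attachment, and an HTML body embedding an IFRAME whose src is a cid: reference to another part (the MS01-020 preview-execution trick the bulletin mentions). The message builder, the function names and the sample message are constructed for this example; the "MZ" bytes are a placeholder, not a binary.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines listed in the bulletin, compared case-insensitively
SUBJECTS = {s.lower() for s in (
    "Fw: Avril Lavigne - CHART ATTACK!",
    'Fw: F. M. Dostoyevsky "Crime and Punishment"',
    "Fw: Redirection error notification",
    "Fwd: Re: Have Or requested Avril Lavigne bio?",
    "Fwd: Re: Reply on account for Incorrect MIME-header",
    "Fwd: RFC-0245 Specification requested...",
    "Fwd: RFC-0841 Specification requested...",
    "Re: According to Purge's Statement",
    "Re: ACTR/ACCELS Transcriptions",
    "Re: Eight brigade Free membership",
    "Re: Is perduto qualque signora thing?",
    "Re: IREX admits you to take in FSAU 2003",
    "Re: Junior Achievement",
    "Re: Reply on account for IFRAME-Security breach",
    "Re: Reply on account for IIS-Security Breach (TFTP)",
    "Re: Masters votes seniors - don't miss it!",
)}
# <iframe src="cid:..."> in the HTML body: the referenced part runs on preview (MS01-020)
IFRAME_CID = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?cid:", re.IGNORECASE)


def score_message(raw: bytes):
    """Return the list of indicators found in one raw RFC 822 message (empty when none)."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in SUBJECTS:
        hits.append("subject from the Avril/Lirva list")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".exe"):
            hits.append(f"executable attachment {name}")
        if part.get_content_type() == "text/html" and IFRAME_CID.search(part.get_content()):
            hits.append("HTML body with IFRAME pointing at an embedded part")
    return hits


def build_sample(malicious: bool = True) -> bytes:
    """Constructed message shaped like the bulletin's description, or a benign one."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "victim@example.invalid"
    if not malicious:
        m["Subject"] = "Quarterly report"
        m.set_content("Attached next week.")
        return m.as_bytes()
    m["Subject"] = "Fw: Avril Lavigne - CHART ATTACK!"
    m.set_content("Avril fans subscription FanList admits you to take in "
                  "Avril Lavigne 2003 Billboard awards ceremony. Admission form attached below")
    m.add_alternative('<html><body><iframe src="cid:form" width="0" height="0"></iframe>'
                      '</body></html>', subtype="html")
    m.add_attachment(b"MZ placeholder bytes, not a real executable",
                     maintype="application", subtype="octet-stream",
                     filename="AvrilLavigne.exe")
    return m.as_bytes()


if __name__ == "__main__":
    for label, raw in (("worm-like", build_sample()), ("benign", build_sample(False))):
        print(label, score_message(raw))
```

Each of the three signals is weak on its own (the subjects are ordinary-looking, and not every copy uses the IFRAME), which is why the function returns all hits rather than a single verdict and leaves the quarantine threshold to the caller.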
     
  3. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Thanks John.

    btw: Win32/Lirva.B, Win32/Lirva.C are covered in the latest database update from NOD32 :cool:.

    regards.

    paul
     
Thread Status:
Not open for further replies.