McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• W32.Lirva.B@mm (Symantec)

• I-Worm.Avron (AVP)

• Naith

• W32.Lirva.A@mm (Symantec)

• W32/Avril-A (Sophos)

• W32/Avril.gen@MM

• W32/Lirva.eml

• W32/Lirva@MM

• Worm/Naith.A (CA)

• WORM_LIRVA.A (Trend)

Characteristics

-- Update January 14, 2003 --
This threat was downgraded to a Low-Profiled risk due to a decrease in prevalence.

-- Update January 9, 2003 --
There are at least 2 new variants of this threat in existence. So far all such known variants are detected generically as W32/Lirva.gen@MM using 4241 DATs.

-- Update January 8, 2003 --
This threat has been upgraded to Medium due to an increase in prevalence over the past 24 hours.

This threat was classified Low-Profiled due to media attention at:
http://zdnet.com.com/2100%2D1105%2D979475.html.

This is a mass-mailing worm that also attempts to spread via ICQ, IRC, and KaZaa. It contains a Password-Stealer as payload.

It tries to terminate security software, can spread via ICQ, and drops an IRC bot script.

Email spreading:

The worm uses Outlook to search in the "Sent Items" and the "Inbox" for email addresses. It also queries the Windows Address book (WAB) and search for addresses within files on the local disk with the following file extensions:

• .DBX
• .EML
• .HTM
• .HTML
• .IDX
• .MBX
• .NCH
• .SHTML
• .TBB
• .WAB

The subject of the email is randomly selected from one of these strings:

• Fw: Avril Lavigne - the best
• Fw: Prohibited customers...
• Fwd: Re: Admission procedure
• Fwd: Re: Reply on account for Incorrect MIME-header
• Re: According to Daos Summit
• Re: ACTR/ACCELS Transcriptions
• Re: Brigade Ocho Free membership
• Re: Reply on account for IFRAME-Security breach
• Re: Reply on account for IIS-Security
• Re: Reply on account for IIS-Security Breach (TFTP)
• Re: The real estate plunger

The attachment uses one of the following names:

• AvrilLavigne.exe
• AvrilSmiles.exe
• CERT-Vuln-Info.exe
• Cogito_Ergo_Sum.exe
• Complicated.exe
• Download.exe
• IAmWiThYoU.exe
• MSO-Patch-0035.exe
• MSO-Patch-0071.exe
• Readme.exe
• Resume.exe
• Singles.exe
• Sk8erBoi.exe
• Sophos.exe
• Transcripts.exe
• Two-Up-Secretly.exe
• Phantom.exe

Body of the message:

Restricted area response team (RART)
___________________________________
Attachment you send to is intended to overwrite start address at 0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch.
___________________________________

or

Patch is also provided to subscribed list of Microsoft Tech Support: to apply the patch immediately. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so and do not need to take additional action. Customers who have applied that patch are already protected against the vulnerability that is eliminated by a previously-released patch. Microsoft has identified a security vulnerability in Microsoft IIS 4.0 and 5.0.

or

Admission form attached below. Vote for I'm with you! FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony Avril fans subscription


NOTE: The last described variant includes a IFRAME exploit which causes the attachment to be executed without user interaction on unpatched systems.
These messages are detected as "Exploit-MIME.gen" since 4172 DATs (Nov 2001)
Further details about this Exploit are available at: http://vil.nai.com/vil/content/v_99273.htm

Example:


ICQ spreading:

The worm tries to send itself to all contacts found in the ICQ userlist. The file name is one of the names that are also used as an mail attachment. (see above)

mIRC spreading:

The worm tries to send itself to IRC users who join the same channel as the infected mIRC user. After the IRC client connects to the network, it automatically joins the channel #avrillavigne.

Termination of security software:

It attempts to terminate processes in memory with the following process names:

• _AVP32.EXE
• _AVPCC.EXE
• _AVPM.EXE
• ACKWIN32.EXE
• ANTI-TROJAN.EXE
• APVXDWIN.EXE
• AUTODOWN.EXE
• AVCONSOL.EXE
• AVE32.EXE
• AVGCTRL.EXE
• AVKSERV.EXE
• AVP.EXE
• AVP32.EXE
• AVPCC.EXE
• AVPDOS32.EXE
• AVPM.EXE
• AVPMON.EXE
• AVPNT.EXE
• AVPTC32.EXE
• AVPUPD.EXE
• AVSCHED32.EXE
• AVWIN95.EXE
• AVWUPD32.EXE
• BLACKD.EXE
• BLACKICE.EXE
• CFIADMIN.EXE
• CFIAUDIT.EXE
• CFIND.EXE
• CLAW95.EXE
• CLAW95CT.EXE
• CLEANER.EXE
• CLEANER3.EXE
• DV95.EXE
• DV95_O.EXE
• DVP95.EXE
• ECENGINE.EXE
• EFINET32.EXE
• ESAFE.EXE
• ESPWATCH.EXE
• F-AGNT95.EXE
• FINDVIRU.EXE
• FPROT.EXE
• F-PROT.EXE
• F-PROT95.EXE
• FP-WIN.EXE
• FRW.EXE
• F-STOPW.EXE
• IAMAPP.EXE
• IAMSERV.EXE
• IBMASN.EXE
• IBMAVSP.EXE
• ICLOAD95.EXE
• ICLOADNT.EXE
• ICMOON.EXE
• ICSSUPPNT.EXE
• ICSUPP95.EXE
• IFACE.EXE
• IOMON98.EXE
• JED.EXE
• KPF.EXE
• KPFW32.EXE
• LOCKDOWN2000.EXE
• LOOKOUT.EXE
• LUALL.EXE
• MOOLIVE.EXE
• MPFTRAY.EXE
• N32SCAN.EXE
• NAVAPW32.EXE
• NAVLU32.EXE
• NAVNT.EXE
• NAVSCHED.EXE
• NAVW.EXE
• NAVW32.EXE
• NAVWNT.EXE
• NISUM.EXE
• NMAIN.EXE
• NORMIST.EXE
• NUPGRADE.EXE
• NVC95.EXE
• OUTPOST.EXE
• PADMIN.EXE
• PAVCL.EXE
• PCCWIN98.EXE
• PCFWALLICON.EXE
• PERSFW.EXE
• RAV7.EXE
• RAV7WIN.EXE
• RESCUE.EXE
• SAFEWEB.EXE
• SCAN32.EXE
• SCAN95.EXE
• SCANPM.EXE
• SCRSCAN.EXE
• SERV95.EXE
• SMC.EXE
• SPHINX.EXE
• SWEEP95.EXE
• TBSCAN.EXE
• TCA.EXE
• TDS2-98.EXE
• TDS2-NT.EXE
• VET95.EXE
• VETTRAY.EXE
• VSECOMR.EXE
• VSHWIN32.EXE
• VSSCAN40.EXE
• VSSTAT.EXE
• WEBSCAN.EXE
• WEBSCANX.EXE
• WFINDV32.EXE
• ZONEALARM.EXE

The worm monitors the title bar of all windows and closes them if they contain one of the following strings:

• anti
• Anti
• AVP
• McAfee
• Norton
• virus
• Virus

Changes made to the system:

The worm copies itself into %WINDIR%\SYSTEM32 using a randomly generated name. (Example: A33AAAAgbab.EXE)

A key is added to the Registry in order to execute the worm during systemboot:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  Run "Avril Lavigne - Muse" = C:\WINDOWS\SYSTEM\A33AAAAgbab.EXE

Another key is created and used as a marker that the system is infected:

• HKEY_LOCAL_MACHINE\Software\OvG\Avril Lavigne

It also copy itself using one of the filenames mentions in email propagation above to:
C:\
%WINDIR%\TEMP

The worm places also four copies of itself using random names into the RECYCLED folder and adds a call to the AUTOEXEC.BAT
Example: @win \RECYCLED\FF177Fe6.exe

A file called "avril-ii.inf" is dropped into %WINDIR%\TEMP as well, it is a none-executable textfile and contains a message from the author.


Payload:

The worm tries to receive the cached passwords from the infected host and send an email by using its own SMTP engine via an open SMTP server (62.118.249.10) to the author.

Symptoms

After the worm has executed, it checks the date and opens the default browser on the 7th, 11th and 24th of each month to displays the webpage of Avril Lavigne (http://www.avril-lavigne.com). At the left top of the desktop a text displayed saying:

AVRIL_LAVIGNE_LET_GO-MY_MUSE:) 2002 (c) [name of the author]



The worm draws colored geometric figures on the screen which are always "on top" of the desktop.

Further symptoms:

• Presence of Registry keys mentioned above.
• Presence of files mentioned above.
• Email propagation
• IRC propagation
• ICQ propagation
• Network traffic to the SMTP server (62.118.249.10 Port 25 TCP)

Method of Infection

The worm arrives via email, is sent to IRC or ICQ users, and may propagate via KaZaa. The default SMTP server is retrieved from the registry via the Internet Account Manager or the OMI Account Manager settings. That SMTP server is then used by the virus during its mass-mailing routine.

Removal

Detection is included in the 4241 DAT files. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Once infected, VirusScan may not be able to run as the virus can terminate the process before any scanning/removal is accomplished.

This can make the removal of the virus more difficult for users. As such, AVERT has released a removal tool to assist infected users with this virus.

Alternatively, the following steps will circumvent the virus and allow for proper VirusScan scanning/removal, by using the command-line scanner.

1. Ensure that you are using the minimum DAT (specified above) or higher
2. Close all running applications
3. Disconnect the system from the network
4. Click START | RUN, type command and hit ENTER
5. Change to the VirusScan engine directory:
   • Win9x/ME - Type cd \progra~1\common~1\networ~1\viruss~1\40~1.xx and hit ENTER
   WinNT/2K/XP - Type cd \progra~1\common~1\networ~1\viruss~1\4.0.xx and hit ENTER
6. Type scan.exe /adl /clean and hit ENTER
7. After scanning and removal is complete, reboot the system and reconnect to the network

Additional Windows ME/XP removal considerations

Variants

Variants

• W32/Lirva.dam

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• W32.Lirva.B@mm (Symantec)

• I-Worm.Avron (AVP)

• Naith

• W32.Lirva.A@mm (Symantec)

• W32/Avril-A (Sophos)

• W32/Avril.gen@MM

• W32/Lirva.eml

• W32/Lirva@MM

• Worm/Naith.A (CA)

• WORM_LIRVA.A (Trend)

Characteristics

Characteristics -

-- Update January 14, 2003 --
This threat was downgraded to a Low-Profiled risk due to a decrease in prevalence.

-- Update January 9, 2003 --
There are at least 2 new variants of this threat in existence. So far all such known variants are detected generically as W32/Lirva.gen@MM using 4241 DATs.

-- Update January 8, 2003 --
This threat has been upgraded to Medium due to an increase in prevalence over the past 24 hours.

This threat was classified Low-Profiled due to media attention at:
http://zdnet.com.com/2100%2D1105%2D979475.html.

This is a mass-mailing worm that also attempts to spread via ICQ, IRC, and KaZaa. It contains a Password-Stealer as payload.

It tries to terminate security software, can spread via ICQ, and drops an IRC bot script.

Email spreading:

The worm uses Outlook to search in the "Sent Items" and the "Inbox" for email addresses. It also queries the Windows Address book (WAB) and search for addresses within files on the local disk with the following file extensions:

• .DBX
• .EML
• .HTM
• .HTML
• .IDX
• .MBX
• .NCH
• .SHTML
• .TBB
• .WAB

The subject of the email is randomly selected from one of these strings:

• Fw: Avril Lavigne - the best
• Fw: Prohibited customers...
• Fwd: Re: Admission procedure
• Fwd: Re: Reply on account for Incorrect MIME-header
• Re: According to Daos Summit
• Re: ACTR/ACCELS Transcriptions
• Re: Brigade Ocho Free membership
• Re: Reply on account for IFRAME-Security breach
• Re: Reply on account for IIS-Security
• Re: Reply on account for IIS-Security Breach (TFTP)
• Re: The real estate plunger

The attachment uses one of the following names:

• AvrilLavigne.exe
• AvrilSmiles.exe
• CERT-Vuln-Info.exe
• Cogito_Ergo_Sum.exe
• Complicated.exe
• Download.exe
• IAmWiThYoU.exe
• MSO-Patch-0035.exe
• MSO-Patch-0071.exe
• Readme.exe
• Resume.exe
• Singles.exe
• Sk8erBoi.exe
• Sophos.exe
• Transcripts.exe
• Two-Up-Secretly.exe
• Phantom.exe

Body of the message:

Restricted area response team (RART)
___________________________________
Attachment you send to is intended to overwrite start address at 0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch.
___________________________________

or

Patch is also provided to subscribed list of Microsoft Tech Support: to apply the patch immediately. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so and do not need to take additional action. Customers who have applied that patch are already protected against the vulnerability that is eliminated by a previously-released patch. Microsoft has identified a security vulnerability in Microsoft IIS 4.0 and 5.0.

or

Admission form attached below. Vote for I'm with you! FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony Avril fans subscription


NOTE: The last described variant includes a IFRAME exploit which causes the attachment to be executed without user interaction on unpatched systems.
These messages are detected as "Exploit-MIME.gen" since 4172 DATs (Nov 2001)
Further details about this Exploit are available at: http://vil.nai.com/vil/content/v_99273.htm

Example:


ICQ spreading:

The worm tries to send itself to all contacts found in the ICQ userlist. The file name is one of the names that are also used as an mail attachment. (see above)

mIRC spreading:

The worm tries to send itself to IRC users who join the same channel as the infected mIRC user. After the IRC client connects to the network, it automatically joins the channel #avrillavigne.

Termination of security software:

It attempts to terminate processes in memory with the following process names:

• _AVP32.EXE
• _AVPCC.EXE
• _AVPM.EXE
• ACKWIN32.EXE
• ANTI-TROJAN.EXE
• APVXDWIN.EXE
• AUTODOWN.EXE
• AVCONSOL.EXE
• AVE32.EXE
• AVGCTRL.EXE
• AVKSERV.EXE
• AVP.EXE
• AVP32.EXE
• AVPCC.EXE
• AVPDOS32.EXE
• AVPM.EXE
• AVPMON.EXE
• AVPNT.EXE
• AVPTC32.EXE
• AVPUPD.EXE
• AVSCHED32.EXE
• AVWIN95.EXE
• AVWUPD32.EXE
• BLACKD.EXE
• BLACKICE.EXE
• CFIADMIN.EXE
• CFIAUDIT.EXE
• CFIND.EXE
• CLAW95.EXE
• CLAW95CT.EXE
• CLEANER.EXE
• CLEANER3.EXE
• DV95.EXE
• DV95_O.EXE
• DVP95.EXE
• ECENGINE.EXE
• EFINET32.EXE
• ESAFE.EXE
• ESPWATCH.EXE
• F-AGNT95.EXE
• FINDVIRU.EXE
• FPROT.EXE
• F-PROT.EXE
• F-PROT95.EXE
• FP-WIN.EXE
• FRW.EXE
• F-STOPW.EXE
• IAMAPP.EXE
• IAMSERV.EXE
• IBMASN.EXE
• IBMAVSP.EXE
• ICLOAD95.EXE
• ICLOADNT.EXE
• ICMOON.EXE
• ICSSUPPNT.EXE
• ICSUPP95.EXE
• IFACE.EXE
• IOMON98.EXE
• JED.EXE
• KPF.EXE
• KPFW32.EXE
• LOCKDOWN2000.EXE
• LOOKOUT.EXE
• LUALL.EXE
• MOOLIVE.EXE
• MPFTRAY.EXE
• N32SCAN.EXE
• NAVAPW32.EXE
• NAVLU32.EXE
• NAVNT.EXE
• NAVSCHED.EXE
• NAVW.EXE
• NAVW32.EXE
• NAVWNT.EXE
• NISUM.EXE
• NMAIN.EXE
• NORMIST.EXE
• NUPGRADE.EXE
• NVC95.EXE
• OUTPOST.EXE
• PADMIN.EXE
• PAVCL.EXE
• PCCWIN98.EXE
• PCFWALLICON.EXE
• PERSFW.EXE
• RAV7.EXE
• RAV7WIN.EXE
• RESCUE.EXE
• SAFEWEB.EXE
• SCAN32.EXE
• SCAN95.EXE
• SCANPM.EXE
• SCRSCAN.EXE
• SERV95.EXE
• SMC.EXE
• SPHINX.EXE
• SWEEP95.EXE
• TBSCAN.EXE
• TCA.EXE
• TDS2-98.EXE
• TDS2-NT.EXE
• VET95.EXE
• VETTRAY.EXE
• VSECOMR.EXE
• VSHWIN32.EXE
• VSSCAN40.EXE
• VSSTAT.EXE
• WEBSCAN.EXE
• WEBSCANX.EXE
• WFINDV32.EXE
• ZONEALARM.EXE

The worm monitors the title bar of all windows and closes them if they contain one of the following strings:

• anti
• Anti
• AVP
• McAfee
• Norton
• virus
• Virus

Changes made to the system:

The worm copies itself into %WINDIR%\SYSTEM32 using a randomly generated name. (Example: A33AAAAgbab.EXE)

A key is added to the Registry in order to execute the worm during systemboot:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  Run "Avril Lavigne - Muse" = C:\WINDOWS\SYSTEM\A33AAAAgbab.EXE

Another key is created and used as a marker that the system is infected:

• HKEY_LOCAL_MACHINE\Software\OvG\Avril Lavigne

It also copy itself using one of the filenames mentions in email propagation above to:
C:\
%WINDIR%\TEMP

The worm places also four copies of itself using random names into the RECYCLED folder and adds a call to the AUTOEXEC.BAT
Example: @win \RECYCLED\FF177Fe6.exe

A file called "avril-ii.inf" is dropped into %WINDIR%\TEMP as well, it is a none-executable textfile and contains a message from the author.


Payload:

The worm tries to receive the cached passwords from the infected host and send an email by using its own SMTP engine via an open SMTP server (62.118.249.10) to the author.

Symptoms

Symptoms -

After the worm has executed, it checks the date and opens the default browser on the 7th, 11th and 24th of each month to displays the webpage of Avril Lavigne (http://www.avril-lavigne.com). At the left top of the desktop a text displayed saying:

AVRIL_LAVIGNE_LET_GO-MY_MUSE:) 2002 (c) [name of the author]



The worm draws colored geometric figures on the screen which are always "on top" of the desktop.

Further symptoms:

• Presence of Registry keys mentioned above.
• Presence of files mentioned above.
• Email propagation
• IRC propagation
• ICQ propagation
• Network traffic to the SMTP server (62.118.249.10 Port 25 TCP)

Method of Infection

Method of Infection -

The worm arrives via email, is sent to IRC or ICQ users, and may propagate via KaZaa. The default SMTP server is retrieved from the registry via the Internet Account Manager or the OMI Account Manager settings. That SMTP server is then used by the virus during its mass-mailing routine.

Removal -

Removal -

Detection is included in the 4241 DAT files. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Once infected, VirusScan may not be able to run as the virus can terminate the process before any scanning/removal is accomplished.

This can make the removal of the virus more difficult for users. As such, AVERT has released a removal tool to assist infected users with this virus.

Alternatively, the following steps will circumvent the virus and allow for proper VirusScan scanning/removal, by using the command-line scanner.

1. Ensure that you are using the minimum DAT (specified above) or higher
2. Close all running applications
3. Disconnect the system from the network
4. Click START | RUN, type command and hit ENTER
5. Change to the VirusScan engine directory:
   • Win9x/ME - Type cd \progra~1\common~1\networ~1\viruss~1\40~1.xx and hit ENTER
   WinNT/2K/XP - Type cd \progra~1\common~1\networ~1\viruss~1\4.0.xx and hit ENTER
6. Type scan.exe /adl /clean and hit ENTER
7. After scanning and removal is complete, reboot the system and reconnect to the network

Additional Windows ME/XP removal considerations

Variants

Variants -

• W32/Lirva.dam