W32/Lirva.c@MM

Type: Virus
SubType: E-mail
Discovery Date: 01/08/2003
Length: 34815 (164864 unpacked)
Minimum DAT: 4241 (01/08/2003)
Updated DAT: 4243 (01/15/2003)
Minimum Engine: 5.1.00
Description Added: 01/10/2003
Description Modified: 01/15/2003 4:40 PM (PT)
Risk Assessment - Corporate User: Low
Risk Assessment - Home User: Low

Characteristics

-- Update January 14, 2003 --
This threat was downgraded to a Low risk due to a decrease in prevalence.

This is one of several new variants of W32/Lirva.a@MM. Generic detection of all known variants was included in the 4241 DATs as W32/Lirva.gen@MM. The compressed file scanning option must be enabled for protection against these variants. The 4242 DATs detect this as W32/Lirva.c@MM.

This mass-mailing worm attempts to spread via ICQ, IRC, and KaZaa. It contains a password stealer as its payload and tries to download a backdoor trojan from a website. At the time of writing, the files had been removed from that server.

It tries to terminate security software, can spread via ICQ, and drops an IRC bot script.

Email spreading:

The worm uses Outlook to search the "Sent Items" and "Inbox" folders for email addresses. It also queries the Windows Address Book (WAB) and searches for addresses within files on the local disk with the following file extensions:

  • .DBX
  • .EML
  • .HTM
  • .HTML
  • .IDX
  • .MBX
  • .NCH
  • .SHTML
  • .TBB
  • .WAB
The subject of the email is randomly selected from one of these strings:
  • Fw: Avril Lavigne - CHART ATTACK!
  • Fw: F. M. Dostoyevsky "Crime and Punishment"
  • Fw: Redirection error notification
  • Fwd: Re: Have U requested Avril Lavigne bio?
  • Fwd: Re: Reply on account for Incorrect MIME-header
  • Fwd: RFC-0245 Specification requested...
  • Fwd: RFC-0841 Specification requested...
  • Re: According to Purge's Statement
  • Re: ACTR/ACCELS Transcriptions
  • Re: Brigada Ocho Free membership
  • Re: Ha perduto qualque cosa signora?
  • Re: IREX admits you to take in FSAU 2003
  • Re: Junior Achievement
  • Re: Reply on account for IFRAME-Security breach
  • Re: Reply on account for IIS-Security Breach (TFTP)
  • Re: Vote seniors masters - don't miss it!
The attachment uses one of the following names:
  • ADialer.exe
  • ALavigne.exe
  • AvrilLavigne.exe
  • AvrilSmiles.exe
  • BioData.exe
  • CERT-Vuln-Info.exe
  • Cogito_Ergo_Sum.exe
  • Complicated.exe
  • EntradoDePer.exe
  • IAmWiThYoU.exe
  • MSO-Patch-0035.exe
  • MSO-Patch-0071.exe
  • Phantom.exe
  • Readme.exe
  • Resume.exe
  • SiamoDiTe.exe
  • Sk8erBoi.exe
  • Sophos.exe
  • Transcripts.exe
  • TrickerTape.exe
  • Two-Up-Secretly.exe
NOTE: The worm is able to spoof the FROM: address.

Body of the message:

Restricted area response team (RART)
___________________________________
Attachment you send to is intended to overwrite start address at 0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch.
___________________________________

or

Network Associates weekly report: Microsoft has identified a security vulnerability in MicrosoftIIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so to apply the patch immediately. Patch is also provided to subscribed list of Microsoft Tech Support:

or

AVRIL LAVIGNE - THE CHART ATTACK!
Vote fo4r Complicated!
Vote fo4r Sk8er Boi!
Vote fo4r I'm with you!
Chart attack active list:

or

AVRIL LAVIGNE - THE BEST Avril Lavigne's popularity increases:
SO: First, Vote on TRL for I'm With U!
Next, Update your pics database!
Chart attack active list.
Orginal Message:

NOTE: The email body may contain an IFRAME exploit which causes the attachment to be executed without user interaction on unpatched systems.
These messages have been detected as "Exploit-MIME.gen" since the 4172 DATs (Nov 2001).
Further details about this exploit are available at: http://vil.nai.com/vil/content/v_99273.htm
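As an added example (not code from the original description or the vendor), the following Python triage function applies the indicators above to a raw message: it matches the subject and attachment lists, flags an IFRAME in the HTML body, and deliberately ignores the From: header, which the description says is spoofed. The message it builds is a constructed sample, not a captured one.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicator lists transcribed from the description above.
LIRVA_SUBJECTS = {
    "Fw: Avril Lavigne - CHART ATTACK!", 'Fw: F. M. Dostoyevsky "Crime and Punishment"',
    "Fw: Redirection error notification", "Fwd: Re: Have U requested Avril Lavigne bio?",
    "Fwd: Re: Reply on account for Incorrect MIME-header",
    "Fwd: RFC-0245 Specification requested...", "Fwd: RFC-0841 Specification requested...",
    "Re: According to Purge's Statement", "Re: ACTR/ACCELS Transcriptions",
    "Re: Brigada Ocho Free membership", "Re: Ha perduto qualque cosa signora?",
    "Re: IREX admits you to take in FSAU 2003", "Re: Junior Achievement",
    "Re: Reply on account for IFRAME-Security breach",
    "Re: Reply on account for IIS-Security Breach (TFTP)",
    "Re: Vote seniors masters - don't miss it!",
}
LIRVA_ATTACHMENTS = {n.lower() for n in (
    "ADialer.exe", "ALavigne.exe", "AvrilLavigne.exe", "AvrilSmiles.exe", "BioData.exe",
    "CERT-Vuln-Info.exe", "Cogito_Ergo_Sum.exe", "Complicated.exe", "EntradoDePer.exe",
    "IAmWiThYoU.exe", "MSO-Patch-0035.exe", "MSO-Patch-0071.exe", "Phantom.exe", "Readme.exe",
    "Resume.exe", "SiamoDiTe.exe", "Sk8erBoi.exe", "Sophos.exe", "Transcripts.exe",
    "TrickerTape.exe", "Two-Up-Secretly.exe",
)}

def triage_message(raw: bytes) -> dict:
    """Report which Lirva.c indicators a raw RFC 822 message matches.
    The From: header is deliberately ignored because the worm spoofs it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"subject": (msg["Subject"] or "").strip() in LIRVA_SUBJECTS,
            "attachment": False, "iframe": False}
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() in LIRVA_ATTACHMENTS:
            hits["attachment"] = True
        # The description notes the body may carry an IFRAME exploit that auto-runs the attachment.
        if part.get_content_type() == "text/html" and "<iframe" in part.get_content().lower():
            hits["iframe"] = True
    hits["verdict"] = ("lirva" if hits["attachment"] and (hits["subject"] or hits["iframe"])
                       else "suspicious" if hits["attachment"] or hits["subject"] else "clean")
    return hits

def sample_message() -> bytes:
    """Constructed sample shaped like the description above; not a real capture."""
    m = EmailMessage()
    m["From"], m["To"] = "spoofed-sender@example.invalid", "victim@example.invalid"
    m["Subject"] = "Fw: Avril Lavigne - CHART ATTACK!"
    m.set_content("AVRIL LAVIGNE - THE CHART ATTACK!\nVote fo4r Complicated!")
    m.add_alternative('<html><body><iframe src="cid:att"></iframe></body></html>', subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="AvrilLavigne.exe")
    return m.as_bytes()
```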


ICQ spreading:

The worm tries to send itself to all contacts found in the ICQ user list. The file name is one of the attachment names listed above.

mIRC spreading:

The worm tries to send itself to IRC users who join the same channel as the infected mIRC user. After the IRC client connects to the network, it automatically joins the channel #avrillavigne.

Termination of security software:

It attempts to terminate processes in memory with the following process names:
  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • ACKWIN32.EXE
  • ANTI-TROJAN.EXE
  • APVXDWIN.EXE
  • AUTODOWN.EXE
  • AVCONSOL.EXE
  • AVE32.EXE
  • AVGCTRL.EXE
  • AVKSERV.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPDOS32.EXE
  • AVPM.EXE
  • AVPMON.EXE
  • AVPNT.EXE
  • AVPTC32.EXE
  • AVPUPD.EXE
  • AVSCHED32.EXE
  • AVWIN95.EXE
  • AVWUPD32.EXE
  • BLACKD.EXE
  • BLACKICE.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFIND.EXE
  • CLAW95.EXE
  • CLAW95CT.EXE
  • CLEANER.EXE
  • CLEANER3.EXE
  • DV95.EXE
  • DV95_O.EXE
  • DVP95.EXE
  • ECENGINE.EXE
  • EFINET32.EXE
  • ESAFE.EXE
  • ESPWATCH.EXE
  • F-AGNT95.EXE
  • FINDVIRU.EXE
  • FPROT.EXE
  • F-PROT.EXE
  • F-PROT95.EXE
  • FP-WIN.EXE
  • FRW.EXE
  • F-STOPW.EXE
  • IAMAPP.EXE
  • IAMSERV.EXE
  • IBMASN.EXE
  • IBMAVSP.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMOON.EXE
  • ICSSUPPNT.EXE
  • ICSUPP95.EXE
  • IFACE.EXE
  • IOMON98.EXE
  • JED.EXE
  • KPF.EXE
  • KPFW32.EXE
  • LOCKDOWN2000.EXE
  • LOOKOUT.EXE
  • LUALL.EXE
  • MOOLIVE.EXE
  • MPFTRAY.EXE
  • N32SCAN.EXE
  • NAVAPW32.EXE
  • NAVLU32.EXE
  • NAVNT.EXE
  • NAVSCHED.EXE
  • NAVW.EXE
  • NAVW32.EXE
  • NAVWNT.EXE
  • NISUM.EXE
  • NMAIN.EXE
  • NORMIST.EXE
  • NUPGRADE.EXE
  • NVC95.EXE
  • OUTPOST.EXE
  • PADMIN.EXE
  • PAVCL.EXE
  • PCCWIN98.EXE
  • PCFWALLICON.EXE
  • PERSFW.EXE
  • RAV7.EXE
  • RAV7WIN.EXE
  • RESCUE.EXE
  • SAFEWEB.EXE
  • SCAN32.EXE
  • SCAN95.EXE
  • SCANPM.EXE
  • SCRSCAN.EXE
  • SERV95.EXE
  • SMC.EXE
  • SPHINX.EXE
  • SWEEP95.EXE
  • TBSCAN.EXE
  • TCA.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • VET95.EXE
  • VETTRAY.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • VSSCAN40.EXE
  • VSSTAT.EXE
  • WEBSCAN.EXE
  • WEBSCANX.EXE
  • WFINDV32.EXE
  • ZONEALARM.EXE

The worm monitors the title bar of all windows and closes them if they contain one of the following strings:

  • anti
  • Anti
  • AVP
  • McAfee
  • Norton
  • virus
  • Virus

Changes made to the system:

The worm copies itself into %WINDIR%\SYSTEM32 using a randomly generated name. (Example: A33AAAAgbab.EXE)

A key is added to the Registry in order to execute the worm during system boot:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Avril Lavigne - Muse" = C:\WINDOWS\SYSTEM\A33AAAAgbab.EXE
Another key is created and used as a marker that the system is infected:
  • HKEY_LOCAL_MACHINE\Software\OvG\Avril Lavigne
It also copies itself, using one of the filenames mentioned under email propagation above, to:
  • C:\
  • %WINDIR%\TEMP

The worm also places four copies of itself, using random names, into the RECYCLED folder and adds a call to AUTOEXEC.BAT.
Example: @win \RECYCLED\FF177Fe6.exe

A file called "avril-ii.inf" is also dropped into %WINDIR%\TEMP; it is a non-executable text file containing a message from the author.
Another file called "download.sys" is written to the same folder and is used to download the backdoor trojan.
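An added host-side check, not code from the original description or from the vendor: it parses a .reg export and AUTOEXEC.BAT text for the Run value, the OvG marker key and the RECYCLED call listed above. The sample inputs are constructed, and the .reg parser is a deliberately minimal one written for this example.

```python
import re

# Artifacts listed in "Changes made to the system" above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run".lower()
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\OvG\Avril Lavigne".lower()
RUN_VALUE_NAME = "Avril Lavigne - Muse"
# AUTOEXEC.BAT line shaped like the page's example "@win \RECYCLED\FF177Fe6.exe"
AUTOEXEC_RE = re.compile(r"^\s*@?win\s+(\\RECYCLED\\[0-9A-Za-z]+\.exe)\s*$",
                         re.IGNORECASE | re.MULTILINE)

def parse_reg_export(text: str) -> dict:
    """Minimal parser for a .reg text export: {key (lower-cased): {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg exports quote string data and double the backslashes
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys

def check_host_artifacts(reg_export: str, autoexec: str) -> dict:
    """Return the Lirva.c persistence and marker artifacts found in the two inputs."""
    reg = parse_reg_export(reg_export)
    return {
        "run_entry": reg.get(RUN_KEY, {}).get(RUN_VALUE_NAME),
        "marker_key": MARKER_KEY in reg,
        "autoexec_hits": AUTOEXEC_RE.findall(autoexec),
    }

# Constructed inputs mirroring the description; not taken from a real host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Avril Lavigne - Muse"="C:\\WINDOWS\\SYSTEM\\A33AAAAgbab.EXE"

[HKEY_LOCAL_MACHINE\Software\OvG\Avril Lavigne]
"""
SAMPLE_AUTOEXEC = "@echo off\r\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n@win \\RECYCLED\\FF177Fe6.exe\r\n"

if __name__ == "__main__":
    print(check_host_artifacts(SAMPLE_REG, SAMPLE_AUTOEXEC))
```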


Payload:

The worm tries to retrieve the cached passwords from the infected host and sends them in an email to the author, using its own SMTP engine via an open SMTP server (62.118.249.10).
The backdoor trojan had been removed from the web server at the time of writing.

Symptoms

After the worm has been executed, it checks the date and opens the default browser on the 7th, 11th and 24th of each month to display the webpage of Avril Lavigne (http://www.avril-lavigne.com). At the top left of the desktop a text is displayed saying:

AVRIL_LAVIGNE_LET_GO-MY_MUSE:) 2002 (c) [name of the author]
The worm draws colored geometric figures on the screen which are always "on top" of the desktop.

Further symptoms:

  • Presence of Registry keys mentioned above.
  • Presence of files mentioned above.
  • Email propagation
  • IRC propagation
  • ICQ propagation
  • Network traffic to the SMTP server (62.118.249.10 Port 25 TCP)

Method of Infection

The worm arrives via email, is sent to IRC or ICQ users, and may propagate via KaZaa. The default SMTP server is retrieved from the registry via the Internet Account Manager or the OMI Account Manager settings. That SMTP server is then used by the virus during its mass-mailing routine.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Avron.b (AVP)
  • W32.Lirva.C@mm (Symantec)
  • WORM_LIRVA.C (Trend)
