The worm looks for processes in memory from the following list and terminates them.
It copies itself twice to the temporary directory, each copy with a random name, one with a ".exe" extension and one with a ".tft" extension. It then copies another copy, again with a random name, to the Windows system directory.
The worm also drops a file called avril-ii.inf into the temporary directory and puts the following text in it:
2002 (c) Otto von Gutenberg
Made in .::]|KaZAkHstaN|[::.
As stated before purpose is only educational, however...
I'm back to the scene with one more gift |Avril-II|
(remember 'A' version of Avril-II)
HINT:NB: NEVER ACCEPT GIFTS FROM THE STRANGER
Avril-II is commonly dangerous because of its over-trojaned issues
~Greetz to Brigada Ocho (http://vx.netlux.org/~b8),
and Weisses Fleisch Project (http://wf.h1.ru)
~Greetz to Rocco (http://primatelost.net)
Many thankx to my muse Avril Lavigne whose beauty causes work to flow rapidly
New features included: ICQ/IrC/ShaReD (urgently persuade to check it instantly)
BackOrifice-server dropper included
P.S.> How is my work?
Cheerz, Otto (www.otto-koden.h1.ru)
It adds the value "Avril Lavigne – Muse" to the registry key so that the worm runs each time the computer is started.
The worm sends email to all the addresses it finds in the Windows Address Book, and also to addresses it collects from files with these extensions:
The subject of Lirva.D when it arrives in your mailbox is chosen from the following list:
Fw: Redirection error notification
Re: Brigada Ocho Free membership
Re: According to Purge's Statement
Fw: Avril Lavigne - CHART ATTACK!
Re: Reply on account for IIS-Security Breach (TFTP)
Re: ACTR/ACCELS Transcriptions
Re: IREX admits you to take in FSAU 2003
Fwd: Re: Have U requested Avril Lavigne bio?
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
Re: Vote seniors masters - don't miss it!
Fwd: RFC-0245 Specification requested.
Fwd: RFC-0841 Specification requested.
Fw: F. M. Dostoyevsky "Crime and Punishment"
Re: Junior Achievement
Re: Ha perduto qualque cosa signora?
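A mail-gateway check for the subject list above, added here as an example (it is not part of the original description): subjects are compared after whitespace and case normalization, and the sample message records are constructed for the demo.

```python
import re

# Subject lines used by Lirva.D, copied from the list above.
LIRVA_D_SUBJECTS = [
    "Fw: Redirection error notification",
    "Re: Brigada Ocho Free membership",
    "Re: According to Purge's Statement",
    "Fw: Avril Lavigne - CHART ATTACK!",
    "Re: Reply on account for IIS-Security Breach (TFTP)",
    "Re: ACTR/ACCELS Transcriptions",
    "Re: IREX admits you to take in FSAU 2003",
    "Fwd: Re: Have U requested Avril Lavigne bio?",
    "Re: Reply on account for IFRAME-Security breach",
    "Fwd: Re: Reply on account for Incorrect MIME-header",
    "Re: Vote seniors masters - don't miss it!",
    "Fwd: RFC-0245 Specification requested.",
    "Fwd: RFC-0841 Specification requested.",
    'Fw: F. M. Dostoyevsky "Crime and Punishment"',
    "Re: Junior Achievement",
    "Re: Ha perduto qualque cosa signora?",
]

def _normalize(subject):
    # Collapse runs of whitespace and lower-case the text so that rewrapping
    # or case changes by a mail client do not prevent a match.
    return re.sub(r"\s+", " ", subject).strip().lower()

_SUBJECT_SET = {_normalize(s) for s in LIRVA_D_SUBJECTS}

def is_lirva_d_subject(subject):
    """True if the subject matches one of the Lirva.D subjects after normalization."""
    return _normalize(subject) in _SUBJECT_SET

def flag_messages(messages):
    """Return the indices of messages (dicts with a 'subject' key) that match the list."""
    return [i for i, m in enumerate(messages) if is_lirva_d_subject(m.get("subject", ""))]

# Constructed sample mailbox for the demo; these are not real captured messages.
SAMPLE_MESSAGES = [
    {"from": "alice@example.com", "subject": "Re: Brigada Ocho Free membership"},
    {"from": "bob@example.com", "subject": "Weekly status"},
    {"from": "carol@example.com", "subject": "fwd: RFC-0841   Specification requested."},
]

if __name__ == "__main__":
    print(flag_messages(SAMPLE_MESSAGES))  # -> [0, 2]
```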
The body of the infected email is chosen from these paragraphs:
Network Associates weekly report:
Microsoft has identified a security vulnerability in Microsoft IIS 4.0 and 5.0
that is eliminated by a previously-released patch.
Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action.
Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so to apply the patch immediately.
Patch is also provided to subscribed list of Microsoft Tech Support
AVRIL LAVIGNE – THE CHART ATTACK
Vote fo4r Complicated!
Vote fo4r Sk8er Boi!
Vote fo4r I’m with you!
Chart attack active list
Restricted area response team (RART)
Attachment you sent to %s is intended to overwrite start address at 0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch
AVRIL LAVIGNE – THE BEST
The name of the attached file is chosen from the following texts:
Avril Lavigne’s popularity increases:
First, Vote on TRL for I’m with U!
Next, update you pics database!
Chart attack active list
It copies itself to the root directory and the Recycled directory of all network shares.
It copies itself to the KaZaA download folder with a random name.
If it finds ICQMAPI.DLL, the worm sends itself to everybody in your ICQ contact list.
It drops a file into the mIRC directory so that every time you log on to IRC you will connect to the channel #avrillavigne, and when others join any channel you are on it will send itself to