The worm looks for processes in memory from the following list and terminates them:
KPF.EXE
KPFW32.EXE
AVPM.EXE
AUTODOWN.EXE
AVKSERV.EXE
AVPUPD.EXE
BLACKD.EXE
CFIND.EXE
CLEANER.EXE
ECENGINE.EXE
F-PROT.EXE
FP-WIN.EXE
IAMSERV.EXE
ICLOADNT.EXE
IFACE.EXE
LOOKOUT.EXE
N32SCAN.EXE
NAVW32.EXE
NORMIST.EXE
PADMIN.EXE
PCCWIN98.EXE
RAV7WIN.EXE
SCAN95.EXE
SMC.EXE
TCA.EXE
VETTRAY.EXE
VSSTAT.EXE
ACKWIN32.EXE
AVCONSOL.EXE
AVPNT.EXE
AVPDOS32.EXE
AVSCHED32.EXE
BLACKICE.EXE
EFINET32.EXE
CLEANER3.EXE
ESAFE.EXE
F-PROT95.EXE
FPROT.EXE
IBMASN.EXE
ICMOON.EXE
IOMON98.EXE
LUALL.EXE
NAVAPW32.EXE
NAVWNT.EXE
NUPGRADE.EXE
PAVCL.EXE
PCFWALLICON.EXE
RESCUE.EXE
SCANPM.EXE
SPHINX.EXE
TDS2-98.EXE
VSSCAN40.EXE
WEBSCANX.EXE
WEBSCAN.EXE
ANTI-TROJAN.EXE
AVE32.EXE
AVP.EXE
AVWIN95.EXE
CFIADMIN.EXE
CLAW95.EXE
DVP95.EXE
ESPWATCH.EXE
F-STOPW.EXE
FRW.EXE
IBMAVSP.EXE
ICSUPP95.EXE
JED.EXE
MOOLIVE.EXE
NAVLU32.EXE
NISUM.EXE
NVC95.EXE
NAVSCHED.EXE
PERSFW.EXE
SAFEWEB.EXE
SCRSCAN.EXE
SWEEP95.EXE
TDS2NT.EXE
VSECOMR.EXE
WFINDV32.EXE
AVPCC.EXE
APVXDWIN.EXE
AVGCTRL.EXE
AVP32.EXE
AVPTC32.EXE
AVWUPD32.EXE
CFIAUDIT.EXE
CLAW95CT.EXE
DV95_O.EXE
DV95.EXE
F-AGNT95.EXE
FINDVIRU.EXE
IAMAPP.EXE
ICLOAD95.EXE
ICSSUPPNT.EXE
LOCKDOWN2000.EXE
MPFTRAY.EXE
NAVNT.EXE
NMAIN.EXE
OUTPOST.EXE
NAVW.EXE
RAV7.EXE
SCAN32.EXE
SERV95.EXE
TBSCAN.EXE
VET95.EXE
VSHWIN32.EXE
ZONEALARM.EXE
VPMON.EXE
It copies itself twice to the temporary directory under a random name, once with a ".exe" extension and once with a ".tft" extension. It then copies itself to the Windows system directory, again under a random name.
The worm also drops a file called avril-ii.inf into the temporary directory containing the following text:
2002 (c) Otto von Gutenberg
Made in .::]|KaZAkHstaN|[::.
As stated before purpose is only educational, however...
I'm back to the scene with one more gift |Avril-II|
(remember 'A' version of Avril-II)
HINT:NB: NEVER ACCEPT GIFTS FROM THE STRANGER
Avril-II is commonly dangerous because of its over-trojaned issues
~Greetz to Brigada Ocho (http://vx.netlux.org/~b8),
Darkside Project(http://darkside.dtn.ru)
and Weisses Fleisch Project (http://wf.h1.ru)
~Greetz to Rocco (http://primatelost.net)
Many thankx to my muse Avril Lavigne whose beauty causes work to flow rapidly
New features included: ICQ/IrC/ShaReD (urgently persuade to check it instantly)
BackOrifice-server dropper included
P.S.> How is my work?
Cheerz, Otto (www.otto-koden.h1.ru)
It adds a value named "Avril Lavigne – Muse" to the registry key
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
so that the worm is started each time Windows boots.
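The host-side indicators above (the Run value, the avril-ii.inf marker, the random-name .exe/.tft pair in the temp directory, and security tools that have gone missing from the process list) can be checked with a short triage script. This is an added example, not part of the original write-up and not the worm's own code. The check functions take already-collected data so they run offline; on Windows, collect_live() reads the real Run key with winreg and the process list with tasklist. The sample data, the dropped file name qzkfmtr.exe and the subset of the kill list in KILL_LIST are constructed assumptions (the full kill list is the one given above).

```python
"""Offline triage for the Lirva.D / Avril-II host indicators (added example)."""
import os
import subprocess
import sys

# Registry value the worm creates under HKLM\...\Run for persistence.
PERSISTENCE_VALUE = "Avril Lavigne - Muse"
DROPPED_INF = "avril-ii.inf"
INF_MARKER = "Otto von Gutenberg"

# Subset of the worm's process kill list (constructed subset; full list above).
KILL_LIST = {
    "avp32.exe", "avpm.exe", "blackice.exe", "f-prot.exe", "navw32.exe",
    "navapw32.exe", "outpost.exe", "zonealarm.exe", "scan32.exe", "vshwin32.exe",
}


def _norm(name):
    # The value name appears with an en dash or a hyphen depending on the
    # source; compare on a normalized, lower-cased form.
    return name.replace("\u2013", "-").strip().lower()


def check_run_values(run_values):
    """Flag the worm's autostart value; its data is the path of the dropped copy."""
    return [
        "persistence: Run value %r -> %s" % (name, data)
        for name, data in run_values.items()
        if _norm(name) == _norm(PERSISTENCE_VALUE)
    ]


def check_temp_listing(names, inf_text=""):
    """Flag the avril-ii.inf marker and a random-name .exe/.tft pair."""
    findings = []
    lowered = [n.lower() for n in names]
    if DROPPED_INF in lowered:
        findings.append("dropped marker file " + DROPPED_INF)
        if INF_MARKER.lower() in inf_text.lower():
            findings.append("avril-ii.inf contains the author banner")
    exts_by_stem = {}
    for n in lowered:
        stem, ext = os.path.splitext(n)
        exts_by_stem.setdefault(stem, set()).add(ext)
    for stem, exts in exts_by_stem.items():
        if {".exe", ".tft"} <= exts:
            findings.append("paired worm copies %s.exe / %s.tft" % (stem, stem))
    return findings


def check_missing_tools(expected, running):
    """Security processes expected on this host, on the kill list, but not running."""
    live = {p.lower() for p in running}
    return ["security tool not running: " + p for p in sorted(expected)
            if p.lower() in KILL_LIST and p.lower() not in live]


def triage(run_values, temp_listing, inf_text, expected_tools, running):
    return (check_run_values(run_values)
            + check_temp_listing(temp_listing, inf_text)
            + check_missing_tools(expected_tools, running))


def collect_live():
    """Windows only: read the live Run key, %TEMP% listing and process list."""
    if sys.platform != "win32":
        return None
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            values[name] = data
            i += 1
    out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                         capture_output=True, text=True).stdout
    procs = [ln.split('","')[0].strip('"') for ln in out.splitlines() if ln.startswith('"')]
    temp = os.environ.get("TEMP", ".")
    listing = os.listdir(temp)
    inf_path = os.path.join(temp, DROPPED_INF)
    inf_text = open(inf_path, errors="replace").read() if os.path.exists(inf_path) else ""
    return values, listing, inf_text, procs


# Constructed sample data resembling an infected host (file names are made up).
SAMPLE_RUN = {"Avril Lavigne \u2013 Muse": r"C:\WINDOWS\SYSTEM\qzkfmtr.exe",
              "ScanRegistry": "scanregw.exe /autorun"}
SAMPLE_TEMP = ["qzkfmtr.exe", "qzkfmtr.tft", "avril-ii.inf", "~DF1234.tmp"]
SAMPLE_INF = "2002 (c) Otto von Gutenberg\nMade in .::]|KaZAkHstaN|[::.\n"
SAMPLE_EXPECTED = {"NAVAPW32.EXE", "ZONEALARM.EXE"}
SAMPLE_RUNNING = ["Explorer.exe", "qzkfmtr.exe", "scanregw.exe"]

if __name__ == "__main__":
    live = collect_live()
    if live is None:
        args = (SAMPLE_RUN, SAMPLE_TEMP, SAMPLE_INF, SAMPLE_EXPECTED, SAMPLE_RUNNING)
    else:
        args = (live[0], live[1], live[2], SAMPLE_EXPECTED, live[3])
    for finding in triage(*args):
        print(finding)
```

The paired .exe/.tft check is the most specific of the four, since a random basename shared by two files in %TEMP% with exactly those extensions has no legitimate producer; the missing-tool check only makes sense with a per-host list of which security products are expected, which is why it takes that list as a parameter rather than assuming the whole kill list.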
The worm mails itself to every address it finds in the Windows Address Book, and also to addresses it harvests from files with these extensions:
.IDX
.NCH
.SHTML
.TBB
.HTM
.EML
.HTML
.WAB
.MBX
.DBX
The subject line of the message carrying Lirva.D is chosen from the following list:
Fw: Redirection error notification
Re: Brigada Ocho Free membership
Re: According to Purge's Statement
Fw: Avril Lavigne - CHART ATTACK!
Re: Reply on account for IIS-Security Breach (TFTP)
Re: ACTR/ACCELS Transcriptions
Re: IREX admits you to take in FSAU 2003
Fwd: Re: Have U requested Avril Lavigne bio?
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
Re: Vote seniors masters - don't miss it!
Fwd: RFC-0245 Specification requested.
Fwd: RFC-0841 Specification requested.
Fw: F. M. Dostoyevsky "Crime and Punishment"
Re: Junior Achievement
Re: Ha perduto qualque cosa signora?
The body of the infected email is chosen from these paragraphs:
Network Associates weekly report:
Microsoft has identified a security vulnerability in Microsoft IIS 4.0 and 5.0
that is eliminated by a previously-released patch.
Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action.
Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so to apply the patch immediately.
Patch is also provided to subscribed list of Microsoft Tech Support
AVRIL LAVIGNE – THE CHART ATTACK
Vote fo4r Complicated!
Vote fo4r Sk8er Boi!
Vote fo4r I’m with you!
Chart attack active list
Restricted area response team (RART)
Attachment you sent to %s is intended to overwrite start address at 0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch
AVRIL LAVIGNE – THE BEST
Avril Lavigne’s popularity increases:
First, Vote on TRL for I’m with U!
Next, update you pics database!
Chart attack active list
The name of the attached file is chosen from the following list:
Resume.exe
ADialer.exe
MSO-Patch-0071.exe
MSO-Patch-0035.exe
Two-Up-Secretly.exe
Transcripts.exe
Readme.exe
AvrilSmiles.exe
AvrilLavigne.exe
Complicated.exe
TrickerTape.exe
Sophos.exe
Cogito_Ergo_Sum.exe
CERT-Vuln-Info.exe
Sk8erBoi.exe
IAmWiThYoU.exe
Phantom.exe
EntradoDePer.exe
SiamoDiTe.exe
BioData.exe
ALavigne.exe
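The three lists above (subjects, body fragments, attachment names) are exactly what a mail gateway can match on. The following is an added example, not from the original write-up, that parses a raw message with the standard-library email package and combines the three indicators into a verdict. The indicator strings are copied from the description; the sample messages, the build_message helper and the verdict thresholds are constructed for the example.

```python
"""Mail-gateway detection of Lirva.D lures (added example)."""
import email
from email import policy
from email.message import EmailMessage

SUBJECTS = {
    "Fw: Redirection error notification",
    "Re: Brigada Ocho Free membership",
    "Re: According to Purge's Statement",
    "Fw: Avril Lavigne - CHART ATTACK!",
    "Re: Reply on account for IIS-Security Breach (TFTP)",
    "Re: ACTR/ACCELS Transcriptions",
    "Re: IREX admits you to take in FSAU 2003",
    "Fwd: Re: Have U requested Avril Lavigne bio?",
    "Re: Reply on account for IFRAME-Security breach",
    "Fwd: Re: Reply on account for Incorrect MIME-header",
    "Re: Vote seniors masters - don't miss it!",
    "Fwd: RFC-0245 Specification requested.",
    "Fwd: RFC-0841 Specification requested.",
    'Fw: F. M. Dostoyevsky "Crime and Punishment"',
    "Re: Junior Achievement",
    "Re: Ha perduto qualque cosa signora?",
}
ATTACHMENT_NAMES = {
    "resume.exe", "adialer.exe", "mso-patch-0071.exe", "mso-patch-0035.exe",
    "two-up-secretly.exe", "transcripts.exe", "readme.exe", "avrilsmiles.exe",
    "avrillavigne.exe", "complicated.exe", "trickertape.exe", "sophos.exe",
    "cogito_ergo_sum.exe", "cert-vuln-info.exe", "sk8erboi.exe", "iamwithyou.exe",
    "phantom.exe", "entradodeper.exe", "siamodite.exe", "biodata.exe", "alavigne.exe",
}
# Fragments of the body texts quoted above, lower-cased.
BODY_MARKERS = (
    "network associates weekly report",
    "avril lavigne",
    "restricted area response team (rart)",
    "vote fo4r",
    "apply the mso-patch",
)


def _squash(text):
    # Normalize dashes, curly apostrophes, whitespace and case before matching.
    text = text.replace("\u2013", "-").replace("\u2019", "'")
    return " ".join(text.split()).lower()


SUBJECTS_NORM = {_squash(s) for s in SUBJECTS}


def scan_message(raw):
    """Return {'hits': [...], 'verdict': 'block' | 'suspicious' | 'clean'}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject_hit = _squash(msg.get("Subject", "")) in SUBJECTS_NORM
    if subject_hit:
        hits.append("subject matches Lirva.D lure")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = _squash(body.get_content()) if body is not None else ""
    body_hit = any(m in text for m in BODY_MARKERS)
    if body_hit:
        hits.append("body text matches Lirva.D lure")
    listed_attachment = exe_attachment = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENT_NAMES:
            listed_attachment = True
            hits.append("attachment name from worm list: " + name)
        elif name.endswith(".exe"):
            exe_attachment = True
            hits.append("executable attachment: " + name)
    # Constructed thresholds: a listed attachment name, or a lure plus any .exe, is enough to block.
    if listed_attachment or (exe_attachment and (subject_hit or body_hit)):
        verdict = "block"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"hits": hits, "verdict": verdict}


def build_message(subject, body, attachment_name=None):
    """Constructed sample message; the attachment payload is a dummy MZ stub."""
    msg = EmailMessage()
    msg["From"] = "victim@example.com"
    msg["To"] = "someone@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def build_sample():
    return build_message(
        "Re: Reply on account for IIS-Security Breach (TFTP)",
        "Network Associates weekly report:\n"
        "Microsoft has identified a security vulnerability in Microsoft IIS 4.0 and 5.0\n",
        "MSO-Patch-0071.exe",
    )


if __name__ == "__main__":
    print(scan_message(build_sample()))
```

Subject and body matches on their own are weak, since a reply to a legitimate thread or a quoted advisory could reproduce them, which is why the example only blocks when a lure co-occurs with an executable attachment or when the attachment carries one of the worm's own file names.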
It copies itself to the root directory and the Recycled directory of every network share it can reach.
It copies itself to the KaZaA download folder under a random name.
If it finds ICQMAPI.DLL, the worm sends itself to everybody in your ICQ contact list.
It drops a file into the mIRC directory so that every time you log on to IRC you join the channel #avrillavigne, and whenever someone joins a channel you are on, the worm sends itself to them.