Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Lirva.A

W32/Avril-A, WORM_LIRVA.A, I-Worm/Naith

Win32/Lirva.A is a worm spreading as a file attachment of email messages via IRC, ICQ and network drives.  It is written in Visual C++ and compressed by UPX.  The size of the packed file is 32 768 bytes.  When unpacked its size is more than 160 kilobytes.

Win32/Lirva.A utilizes an incorrect MIME Header vulnerability in Microsoft Internet Explorer 5.01 and Microsoft Internet Explorer 5.5 allowing the executable file to run automatically without the user double-clicking on the attachment.  The vulnerability description and related corrective action are available at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/ bulletin/MS01-020.asp.

The worm Win32/Lirva.A arrives with a message with one of the following subjects:

Fw: Prohibited customers...
Re: Brigade Ocho Free membership
Re: According to Daos Summit
Fw: Avril Lavigne - the best
Re: Reply on account for IIS-Security
Re: ACTR/ACCELS Transcriptions
Re: The real estate plunger
Fwd: Re: Admission procedure
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header

The text in the message body is variable and it contains some of following sentences:

Patch is also provided to subscribed list of Microsoft® Tech Support
to apply the patch immediately.
Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so
and do not need to take additional action.
Customers who have applied that patch are already protected against the vulnerability
that is eliminated by a previously-released patch.
Microsoft has identified a security vulnerability in Microsoft® IIS 4.0 and 5.0
To prevent from the further buffer overflow attacks apply the MSO-patch
Attachment you sent to %s is intended to overwrite start address at 0000:HH4F%s
Restricted area response team (RART)
Admission form attached below
Vote for I'm with you!
FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony
Avril fans subscription

There is an attachment in this message 32768 bytesin size which has one of the following names:

Resume.exe
Download.exe
MSO-Patch-0071.exe
MSO-Patch-0035.exe
Two-Up-Secretly.exe
Transcripts.exe
Readme.exe
AvrilSmiles.exe
AvrilLavigne.exe
Complicated.exe
Singles.exe
Sophos.exe
Cogito_Ergo_Sum.exe
CERT-Vuln-Info.exe
Sk8erBoi.exe
IAmWiThYoU.exe

After running the file in attachment the worm is activated.  Win32/Lirva.A deactivates all processes with names matching the strings in following list: KPF.EXE, KPFW32.EXE, AVPM.EXE, AUTODOWN.EXE, \ AVKSERV.EXE, AVPUPD.EXE, BLACKD.EXE, CFIND.EXE, CLEANER.EXE, ECENGINE.EXE, F-PROT.EXE, FP-WIN.EXE, IAMSERV.EXE, ICLOADNT.EXE, IFACE.EXE, LOOKOUT.EXE, N32SCAN.EXE, NAVW32.EXE, NORMIST.EXE, PADMIN.EXE, PCCWIN98.EXE, RAV7WIN.EXE, SCAN95.EXE, SMC.EXE, TCA.EXE, VETTRAY.EXE, VSSTAT.EXE, ACKWIN32.EXE, AVCONSOL.EXE, AVPNT.EXE, AVPDOS32.EXE, AVSCHED32.EXE, BLACKICE.EXE, EFINET32.EXE, CLEANER3.EXE, ESAFE.EXE, F-PROT95.EXE, FPROT.EXE, IBMASN.EXE, ICMOON.EXE, IOMON98.EXE, LUALL.EXE, NAVAPW32.EXE, NAVWNT.EXE, NUPGRADE.EXE, PAVCL.EXE, PCFWALLICON.EXE, RESCUE.EXE, SCANPM.EXE, SPHINX.EXE, TDS2-98.EXE, VSSCAN40.EXE, WEBSCANX.EXE, WEBSCAN.EXE, ANTI-TROJAN.EXE, AVE32.EXE, AVP.EXE, AVPM.EXE, AVWIN95.EXE, CFIADMIN.EXE, CLAW95.EXE, DVP95.EXE, ESPWATCH.EXE, F-STOPW.EXE, FRW.EXE, IBMAVSP.EXE, ICSUPP95.EXE, JED.EXE, MOOLIVE.EXE, NAVLU32.EXE, NISUM.EXE, NVC95.EXE, NAVSCHED.EXE, PERSFW.EXE, SAFEWEB.EXE, SCRSCAN.EXE, SWEEP95.EXE, TDS2-NT.EXE, VSECOMR.EXE, WFINDV32.EXE, AVPCC.EXE, _AVPCC.EXE, APVXDWIN.EXE, AVGCTRL.EXE, _AVP32.EXE, AVPTC32.EXE, AVWUPD32.EXE, CFIAUDIT.EXE, CLAW95CT.EXE, DV95_O.EXE, DV95.EXE, F-AGNT95.EXE, FINDVIRU.EXE, IAMAPP.EXE, ICLOAD95.EXE, ICSSUPPNT.EXE, LOCKDOWN2000.EXE, MPFTRAY.EXE, NAVNT.EXE, NMAIN.EXE, OUTPOST.EXE, NAVW.EXE, RAV7.EXE, SCAN32.EXE, SERV95.EXE, TBSCAN.EXE, VET95.EXE, VSHWIN32.EXE, ZONEALARM.EXE, AVPMON.EXE, AVP32.EXE.  It terminates also processes having windows with names matching strings virus, anti, McAfee, Virus, Anti, AVP or Norton.

Note: In following text a symbolic inscription %windir% is used instead of the name of directory in which Windows operating system is installed. Of course, this may differ from installation to installation.

Then the worm Win32/Lirva.A is copied into directories C:\Recycled\ a %windir%/System under random names having always the extension .exe.  The worm is also copied into directory %windir%/Temp under random name with the extension .TFT.  Here it creates files avril-ii.inf and Complicated.exe.  In the root directory of the C: drive it creates file named AvrilSmile.exe.

The file avril-ii.inf contains text as follows:

2002 (c) Otto von Gutenberg
Made in .::]|KaZAkHstaN|[::.
As stated before, purpose is only educational, however...

I'm back to the scene with one more gift |Avril-II| (remember 'A' version of Avril-II)
HINT:NB: NEVER ACCEPT GIFTS FROM THE STRANGER
Avril-II is commonly dangerous because of its over-trojaned issues
Greetz to Brigada Ocho (http://vx.netlux.org/~b8), Darkside Project (http://darkside.dtn.ru)
and Weisses Fleisch Project (http://wf.h1.ru)
Many thankx to my muse Avril Lavigne whose beauty causes work to flow rapidly
New features included: ICQ/IrC/ShaReD (urgently persuade to check it instantly)
BackOrifice-server dropper will be included next time

Cheerz, Otto (www.otto-koden.h1.ru)

The worm assures its activation creating item Avril Lavigne - Muse in the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.  It sets its value to one of the created copies of the worm.  It creates also different items in the new key named HKEY_LOCAL_MACHINE\Software\OvG\Avril Lavigne.

The worm acquires the email addresses for its spreading from files with extensions IDX, NCH, SHTML, TBB, HTM, EML, HTML, WAB, MBX and DBX.

Win32/Lirva.A is spreading via IRC mIRC client modifying the file script.ini.  The modification makes the client to offer the worm for download for any user that joins the current channel.  As far as the network drives are concerned the worm modifies the file autoexec.bat on available remote drive running the copy of the worm created in the directory Recycled on the given drive.

If it is 7th, 11th or 24th day of the month, the worm will open an Internet browser displaying the information available at www.avril-lavigne.com.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.